On Sun, Mar 13, 2016 at 04:03:50PM -0400, Cyril Scetbon wrote:
I've never said that mixing both was the best option. It's just easier for me because pam_ldap is already used, and if I can avoid changing the current configuration I'll be glad.
If you're already running SSSD in your environment, then I don't see a reason to not go all in. I mean, the daemon would already be up and you'd actually centralize the configuration in one config file (sssd.conf) instead of a combination of sssd.conf + pam_ldap.conf.
I don't see any message in the log.
Not even in the secure log? If that's the case then pam_sss is not being contacted at all (if pam_sss is set up and not pam_ldap).
If you configured pam_sss in the PAM stack but you're not seeing any messages by pam_sss in the secure log or journal, then chances are that the pam_sss module is not being contacted at all (and another module might abort the PAM conversation sooner).
In my case, I don't need to access other information but the login (used by a database that can use PAM for authentication, and all permissions are set at the database level). What is the option to not contact the server even for the group information, if there is one?
I'm sorry, but I don't understand what you mean by "even for the group