2016-01-30 18:11 GMT+00:00 Lukas Slebodnik <lslebodn@redhat.com>:
On (30/01/16 16:01), Marcelo Coelho wrote:
>Hi all,
>
>I've been struggling to set up a centralized authentication system for quite
>some time. It is composed of:
> - openldap 2.4.43, with TLS self-signed certs (root chain is ok): ldaps://serv;
> - pam 1.2.1; pambase 20150213;
> - sssd 1.13.1;
> - openssh 7.1.
>
>Currently I'm trying to authenticate an LDAP user on the server that hosts
>openldap.
>ldapsearch -x shows me stuff correctly, with TLS working. If I try to
>connect through the command-line, the logs show sssd getting stuff from
>openldap with success. But, login fails:
><log>
>login[xxxx]: pam_sss(login:auth): authentication success; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=user_a
>login[xxxx]: FAILED LOGIN (1) on '/dev/tty1' FOR 'UNKNOWN', Authentication failure
></log>
>
>Also, id user_a fails, getent passwd user_a fails. I have no idea what may be
>wrong (if sssd, ldap DB, whatever).
Are you sure that getent passwd user_a failed?
Because there is "pam_sss(login:auth): authentication success"
and it could not pass without this.

If it really does not work then I would recommend following
https://fedorahosted.org/sssd/wiki/Troubleshooting

Hi all,

Found the culprit: in sssd.conf, the services option was set to "services = pam" while it should be "services = nss,pam".
Basically, sssd was capable of finding all the LDAP user info, but pam didn't receive it because nss in sssd wasn't enabled.

Now, next step: check if it's possible to bind with the uid that is requesting access!

Thanks
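As an added check (not code from the thread or from the SSSD project), a POSIX shell script that parses an sssd.conf and reports which required services are missing from the [sssd] section, so the "services = pam" mistake above is caught before anyone stares at pam_sss logs. The sample configs are constructed; "example" is a placeholder domain name and ldaps://serv is the server named in the original post.

```shell
# Added example (not code from the thread): check that an sssd.conf lists
# every service the login path needs. The thread's fix was "services = nss,pam";
# with only "pam", pam_sss authenticates but getent/id cannot resolve the user.

# Print the "services" value from the [sssd] section, whitespace stripped;
# comment lines (# or ;) and other sections are ignored.
sssd_services() {
    awk '
        { s = $0; gsub(/[[:space:]]/, "", s) }
        s == "" || s ~ /^[;#]/ { next }
        s ~ /^\[/ { insec = (s == "[sssd]"); next }
        insec && s ~ /^services=/ { sub(/^services=/, "", s); print s; exit }
    ' "$1"
}

# sssd_services_check CONF SERVICE...: 0 if every SERVICE is listed,
# otherwise report each missing one and return 1.
sssd_services_check() {
    conf="$1"; shift
    svcs=$(sssd_services "$conf")
    rc=0
    for want in "$@"; do
        case ",$svcs," in
            *",$want,"*) ;;
            *) echo "$conf: missing service '$want' (services = ${svcs:-unset})"; rc=1 ;;
        esac
    done
    return $rc
}
# Constructed sample config: "example" is a placeholder domain name,
# ldaps://serv is the server named in the original post.
write_conf() {   # write_conf FILE SERVICES
    cat > "$1" <<EOF
[sssd]
config_file_version = 2
services = $2
domains = example
[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://serv
EOF
}
tmp=$(mktemp)
write_conf "$tmp" "pam"       # what the poster had: id/getent fail
sssd_services_check "$tmp" nss pam || echo "-> fix: services = nss,pam"
write_conf "$tmp" "nss,pam"   # after the fix
sssd_services_check "$tmp" nss pam && echo "-> ok"
rm -f "$tmp"
```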