Hi all,
I've been struggling to set up a centralized authentication system for quite some time. It is composed of:
- openldap 2.4.43, with TLS self-signed certs (root chain is ok): ldaps://serv;
- pam 1.2.1; pambase 20150213;
- sssd 1.13.1;
- openssh 7.1.
Currently I'm trying to authenticate an LDAP user on the server that hosts openldap. ldapsearch -x shows me stuff correctly, with TLS working. If I try to connect through the command line, the logs show sssd getting stuff from openldap with success. But login fails:
<log>
login[xxxx]: pam_sss(login:auth): authentication success; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=user_a
login[xxxx]: FAILED LOGIN (1) on '/dev/tty1' FOR 'UNKNOWN', Authentication failure
</log>
Also, id user_a fails and getent passwd user_a fails. I have no idea what may be wrong (if sssd, the ldap DB, whatever).
sssd.conf:

[sssd]
config_file_version = 2
services = pam
domains = LDAP
debug_level = 4

[nss]

[pam]
debug_level = 5

[domain/LDAP]
debug_level = 4
id_provider = ldap
auth_provider = ldap
access_provider = ldap
cache_credentials = false

ldap_uri = ldaps://server
ldap_schema = rfc2307
ldap_search_base = dc=casa,dc=lan

ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/openldap/ssl/cacert.pem
ldap_tls_cacertdir = /etc/openldap/ssl
ldap_tls_reqcert = demand
tls_reqcert = demand

ldap_user_search_base = ou=People,dc=casa,dc=lan
ldap_user_home_directory = homeDirectory
ldap_user_shell = loginShell
ldap_group_search_base = ou=Group,dc=casa,dc=lan
ldap_access_filter = memberOf=ou=People,dc=casa,dc=lan

# Leave this as password
ldap_default_authtok_type = password

system-auth:

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
#auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
#account sufficient pam_succeed_if.so uid < 500 quiet
#account [default=bad success=ok user_unknown=ignore] pam_sss.so
#account [default=bad success=ok] pam_sss.so
account sufficient pam_sss.so
account required pam_permit.so

nsswitch.conf:

passwd: compat sss
shadow: compat sss
group: compat sss

hosts: files dns
networks: files dns

services: db files
protocols: db files
rpc: db files
ethers: db files
netmasks: files
netgroup: files
bootparams: files

automount: files
aliases: files
Thanks in advance!
On (30/01/16 16:01), Marcelo Coelho wrote:
Hi all,
I've been struggling to set up a centralized authentication system for quite some time. It is composed of:
- openldap 2.4.43, with TLS self-signed certs (root chain is ok):
ldaps://serv;
- pam 1.2.1; pambase 20150213;
- sssd 1.13.1;
- openssh 7.1.
Currently I'm trying to authenticate an LDAP user on the server that hosts openldap. ldapsearch -x shows me stuff correctly, with TLS working. If I try to connect through the command line, the logs show sssd getting stuff from openldap with success. But login fails:
<log>
login[xxxx]: pam_sss(login:auth): authentication success; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=user_a
login[xxxx]: FAILED LOGIN (1) on '/dev/tty1' FOR 'UNKNOWN', Authentication failure
</log>
Also, id user_a fails and getent passwd user_a fails. I have no idea what may be wrong (if sssd, the ldap DB, whatever).
Are you sure that getent passwd user_a failed? Because there is "pam_sss(login:auth): authentication success", and it could not pass without this.
If it really does not work, then I would recommend following https://fedorahosted.org/sssd/wiki/Troubleshooting
LS
2016-01-30 18:11 GMT+00:00 Lukas Slebodnik lslebodn@redhat.com:
On (30/01/16 16:01), Marcelo Coelho wrote:
Hi all,
I've been struggling to set up a centralized authentication system for quite some time. It is composed of:
- openldap 2.4.43, with TLS self-signed certs (root chain is ok):
ldaps://serv;
- pam 1.2.1; pambase 20150213;
- sssd 1.13.1;
- openssh 7.1.
Currently I'm trying to authenticate an LDAP user on the server that hosts openldap. ldapsearch -x shows me stuff correctly, with TLS working. If I try to connect through the command line, the logs show sssd getting stuff from openldap with success. But login fails:
<log>
login[xxxx]: pam_sss(login:auth): authentication success; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=user_a
login[xxxx]: FAILED LOGIN (1) on '/dev/tty1' FOR 'UNKNOWN', Authentication failure
</log>
Also, id user_a fails and getent passwd user_a fails. I have no idea what may be wrong (if sssd, the ldap DB, whatever).
Are you sure that getent passwd user_a failed? Because there is "pam_sss(login:auth): authentication success", and it could not pass without this.
If it really does not work, then I would recommend following https://fedorahosted.org/sssd/wiki/Troubleshooting
Hi all,
Found the culprit: in sssd.conf, the services line was set to "services = pam" while it should be "services = nss,pam". Basically, sssd was capable of finding all the LDAP user info, but PAM didn't receive it because the nss responder in sssd wasn't enabled.
Now, next step: check if it's possible to bind with uid that is requesting the access!
Thanks
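As an added example (not part of this thread, and not sssd project code), here is a small Python lint that catches the misconfiguration Marcelo found, together with the two TLS pitfalls an sssd LDAP domain is most likely to carry, run over a constructed copy of the posted sssd.conf. The function names `lint_sssd_conf` and `lint_nsswitch`, the sample files and the finding strings are mine; the section and option names are sssd's own (`services`, `domains`, `ldap_uri`, `ldap_id_use_start_tls`, `ldap_tls_reqcert`).

```python
"""Lint sssd.conf / nsswitch.conf for the failure mode in this thread:
pam_sss authenticates the user, but the NSS responder is not running, so
getpwnam() never sees the LDAP account and login reports the user as UNKNOWN."""
import configparser

# Constructed sample modelled on the posted sssd.conf, with the broken line
# (services = pam) that leaves the nss responder disabled.
BROKEN_CONF = """
[sssd]
config_file_version = 2
services = pam
domains = LDAP

[nss]

[pam]

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server
ldap_search_base = dc=casa,dc=lan
ldap_tls_reqcert = demand
"""

# The same file with the fix from the thread applied.
FIXED_CONF = BROKEN_CONF.replace("services = pam", "services = nss,pam")


def lint_sssd_conf(text):
    """Return a list of findings for an sssd.conf body; empty means it passed."""
    # sssd.conf is INI-style; disable interpolation so '%' in values is harmless.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []

    services = {s.strip() for s in cp.get("sssd", "services", fallback="").split(",") if s.strip()}
    if "nss" not in services:
        findings.append("[sssd] services lacks 'nss': id/getent will not resolve sssd users, "
                        "so login fails with 'UNKNOWN' even after pam_sss reports success")
    if "pam" not in services:
        findings.append("[sssd] services lacks 'pam': pam_sss cannot authenticate anyone")

    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    for dom in domains:
        section = "domain/" + dom
        if not cp.has_section(section):
            findings.append(f"[sssd] domains names '{dom}' but [{section}] is missing")
            continue
        # Only the first URI is inspected here; ldap_uri may be a comma-separated list.
        uri = cp.get(section, "ldap_uri", fallback="").split(",")[0].strip()
        start_tls = cp.getboolean(section, "ldap_id_use_start_tls", fallback=False)
        if uri.startswith("ldap://") and not start_tls:
            findings.append(f"[{section}] uses plaintext ldap:// without ldap_id_use_start_tls")
        # sssd's default for ldap_tls_reqcert is 'hard'; 'never'/'allow' skip verification.
        reqcert = cp.get(section, "ldap_tls_reqcert", fallback="hard").strip().lower()
        if reqcert in ("never", "allow"):
            findings.append(f"[{section}] ldap_tls_reqcert = {reqcert} disables "
                            "server certificate verification")
    return findings


def lint_nsswitch(text):
    """Check that the passwd, group and shadow databases consult the sss source."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line or ":" not in line:
            continue
        db, sources = line.split(":", 1)
        if db.strip() in ("passwd", "group", "shadow") and "sss" not in sources.split():
            findings.append(f"nsswitch.conf: '{db.strip()}' does not list sss")
    return findings


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, lint_sssd_conf(conf) or "OK")
    print(lint_nsswitch("passwd: compat sss\nshadow: compat sss\ngroup: compat sss\n") or "OK")
```

Run against the real files, `lint_sssd_conf(open("/etc/sssd/sssd.conf").read())` is the check to do before reading debug logs: an empty [nss] section does nothing unless `nss` also appears in `services`, which is exactly the mismatch the posted config had.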
sssd-users@lists.fedorahosted.org