Hi all.
Just installed Fedora and I am trying to set up authentication with our LDAP server. I followed the convenient authentication installation instructions (I am using TLS / no SASL). Unfortunately authentication was not working, so I decided to see if I could first get nsswitch going and found out about your sssd daemon. Anyway, here are the pertinent lines from nsswitch.conf:
    passwd: files sss
    shadow: files sss
    group: files sss
The command getent passwd cochran did not work until I tweaked the sssd.conf file (sort of guessing here). Here are the tweaks:
    domains = LDAP
    #domains = LOCAL,LDAP

    [domain/LDAP]
    id_provider = ldap
    auth_provider = ldap
    ldap_uri = ldap://encs-nexus.vancouver.wsu.edu
    ldap_user_search_base = dc=encs,dc=vancouver,dc=wsu,dc=edu
    ldap_tls_reqcert = demand
    cache_credentials = true
    enumerate = true
Now the following works (it gets the correct info from LDAP):
    getent passwd cochran
    cochran:*:10001:10099::/home/cochran:/bin/bash
but alas the command getent group faculty does *not* work
Running sssd in debug mode /usr/sbin/sssd -i -d 5 reveals the following:
    (Thu Aug 5 09:41:49 2010) [sssd[nss]] [accept_fd_handler] (4): Client connected!
    (Thu Aug 5 09:41:49 2010) [sssd[nss]] [sss_cmd_get_version] (5): Received client version [1].
    (Thu Aug 5 09:41:49 2010) [sssd[nss]] [sss_cmd_get_version] (5): Offered version [1].
    (Thu Aug 5 09:41:49 2010) [sssd[nss]] [nss_cmd_getgrnam] (4): Requesting info for [faculty] from [<ALL>]
    (Thu Aug 5 09:41:49 2010) [sssd[nss]] [nss_cmd_getgrnam] (4): Requesting info for [faculty@LDAP]
    (Thu Aug 5 09:41:49 2010) [sssd[nss]] [sss_dp_send_acct_req_create] (4): Sending request for [LDAP][4098][1][name=faculty]
    (Thu Aug 5 09:41:49 2010) [sssd[be[LDAP]]] [be_get_account_info] (4): Got request for [4098][1][name=faculty]
    (Thu Aug 5 09:41:49 2010) [sssd[be[LDAP]]] [groups_get_delete] (2): Group (faculty) delete returned 2 (No such file or directory)
    (Thu Aug 5 09:41:49 2010) [sssd[be[LDAP]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
    (Thu Aug 5 09:41:49 2010) [sssd[nss]] [sss_dp_get_reply] (4): Got reply (0, 0, Success) from Data Provider
    (Thu Aug 5 09:41:49 2010) [sssd[nss]] [nss_cmd_getgrnam_callback] (2): No matching domain found for [faculty], fail!
    (Thu Aug 5 09:41:49 2010) [sssd[nss]] [nss_cmd_getgrnam_callback] (2): No results for getgrnam call
    (Thu Aug 5 09:41:49 2010) [sssd[nss]] [client_recv] (5): Client disconnected!
I have no clue what to change now. Any help would be greatly appreciated. I am not a hard core sysadmin (budget cuts have me setting this up myself).
--w
Wayne O. Cochran Assistant Professor Computer Science wcochran@vancouver.wsu.edu
On 08/06/2010 12:47 PM, Cochran, Wayne Owen wrote:
> Hi all.
> Just installed Fedora and I am trying to set up authentication with our LDAP server. I followed the convenient authentication installation instructions (I am using TLS / no SASL). Unfortunately authentication was not working, so I decided to see if I could first get nsswitch going and found out about your sssd daemon. Anyway, here are the pertinent lines from nsswitch.conf
Wayne, my first recommendation would be for you to use authconfig to set up SSSD. If you start authconfig-gtk on Fedora 13 and set it to use LDAP for the User Account Database and also for the Authentication method, this should get you most of the way.
If that doesn't work, please add debug_level=9 to your /etc/sssd/sssd.conf file in the [domain/LDAP] section, run your test, and then attach /var/log/sssd/sssd_LDAP.log to your reply so we can take a look.
Also, looking at your config, I think you want to change ldap_user_search_base to ldap_search_base. Since you don't have the option ldap_group_search_base anywhere, I presume you meant for them to be the same.
--
Stephen Gallagher
RHCE 804006346421761
sssd-devel@lists.fedorahosted.org
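
The search-base point raised in the reply above can be checked mechanically. The following is an added example, not part of the thread and not SSSD's own code: a Python check that reads an sssd.conf and reports enabled LDAP domains with no explicitly configured base DN for user or group lookups. The sample config is constructed from the options quoted in the thread (the [sssd] section header is an assumption), and check_search_bases is a hypothetical helper name.

```python
import configparser

# Constructed sample built from the options quoted in this thread; the
# [sssd] section header is an assumption (the post shows only "domains").
SAMPLE_CONF = """\
[sssd]
domains = LDAP
#domains = LOCAL,LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://encs-nexus.vancouver.wsu.edu
ldap_user_search_base = dc=encs,dc=vancouver,dc=wsu,dc=edu
ldap_tls_reqcert = demand
cache_credentials = true
enumerate = true
"""

def check_search_bases(conf_text):
    """Return (domain, kind, message) for each enabled LDAP domain that
    has no explicitly configured base DN for user or group lookups."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    enabled = cfg.get("sssd", "domains", fallback="")
    findings = []
    for name in (d.strip() for d in enabled.split(",") if d.strip()):
        section = "domain/" + name
        if not cfg.has_section(section):
            findings.append((name, "section", "no [%s] section" % section))
            continue
        opts = cfg[section]
        # ldap_search_base is the default for every object type, so a
        # domain that sets it needs no per-type base.
        if opts.get("id_provider") != "ldap" or "ldap_search_base" in opts:
            continue
        for kind in ("user", "group"):
            key = "ldap_%s_search_base" % kind
            if key not in opts:
                findings.append((name, kind,
                    "no base DN for %s lookups; set ldap_search_base or %s"
                    % (kind, key)))
    return findings

if __name__ == "__main__":
    for domain, kind, msg in check_search_bases(SAMPLE_CONF):
        print("%s: %s" % (domain, msg))
```

On the sample it reports the group lookup only, which matches the symptom in the thread: getent passwd works while getent group does not.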