Hi Sumit,
I think I have managed to add in the posixAccount to a user - when I ldapsearch from the
client - I get this info for this user:
# mxxxxxx, Users, vmlab.ari.cdk.hosting
dn: uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Mike xxxxxx
sn: xxxxxx
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword:: cEBzc3cwcmQ=
uid: mxxxxxx
uidNumber: 504
gidNumber: 100
homeDirectory: /home/mxxxxxx
...I then tried getent passwd - but same as before I only get local users!
Is there something else that needs a tweak to allow 'getent passwd' to show the
ldap users?
Thanks a lot.
-----Original Message-----
From: Murdoch, Steve
Sent: 25 January 2016 14:55
To: 'End-user discussions about the System Security Services Daemon'
Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
Hi Sumit,
Thanks for your help - I am trying to ldapmodify - added these lines to mike.ldif:
dn: uid=mxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
changetype: modify
replace: objectClass
objectClass: posixAccount
uidNumber: 504
userPassword: p@ssw0rd
cn: Mike
sn: xxxxxxx
gidNumber: 100
homeDirectory: /home/mxxxxxx
I used only the first 4 lines - but it complained that I need a uidNumber - so I added in
line 5, but then I get this:
ldapmodify: wrong attributeType at line 5, entry
"uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
...what am I doing wrong?
Thanks
-----Original Message-----
From: Sumit Bose [mailto:sbose@redhat.com]
Sent: 25 January 2016 13:57
To: sssd-users(a)lists.fedorahosted.org
Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
On Mon, Jan 25, 2016 at 01:15:46PM -0000, steven.murdoch(a)cdk.com wrote:
Hi - I am new to SSSD and LDAP, and this is my first posting - so please bear with me.
# getent passwd only displays the local users - will not display the LDAP users and is
driving me insane - ldapsearch seems to work.
I am using SSSD with TLS to authenticate to the LDAP Server. The CA.crt files were
self-signed certificates.
I used # cacertdir_rehash to create the sym-link to the CA.crt on both Client and Server.
My LDAP Server hostname is 'ActDir-VM-Test'
My SSSD Client hostname is 'SSSD-VM-Test'
Here are my files:
Server - /etc/openldap/slapd.conf:
allow bind_v2
allow bind_anon_dn
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/cacerts
TLSCACertificateFile /etc/openldap/cacerts/CA.crt
TLSCertificateFile /etc/openldap/cacerts/server.crt
TLSCertificateKeyFile /etc/openldap/cacerts/server.key
TLSCipherSuite HIGH:MEDIUM:+TLSv1
TLSVerifyClient never
access to dn.sub="dc=vmlab,dc=ari,dc=cdk,dc=hosting"
by anonymous read
by * read
access to dn.base=""
by anonymous none
by * read
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
manage
by * none
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
read
by dn.exact="cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting" read
by * none
access to * by users read
database bdb
suffix "dc=vmlab,dc=ari,dc=cdk,dc=hosting"
checkpoint 1024 15
rootdn "cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
rootpw p@ssw0rd
loglevel 256
sizelimit unlimited
#
Server - ldap.conf:
TIMELIMIT 120
ssl start_tls
URI ldap://ActDir-VM-Test:389/
BASE cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting
TLS_REQCERT allow
TLSCACertificatePath /etc/openldap/cacerts
TLSCACertificateFile /etc/openldap/cacerts/CA.crt
#
Server - /etc/sysconfig/ldap:
SLAPD_LDAP=yes
# Run slapd with -h "... ldapi:/// ..."
# yes/no, default: yes
SLAPD_LDAPI=no
# Run slapd with -h "... ldaps:/// ..."
# yes/no, default: no
SLAPD_LDAPS=no
#
Server - /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
#
Server: - /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
#
Server - /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
#
Client - /etc/sssd/sssd.conf:
[sssd]
services = nss, pam
config_file_version = 2
domains = vmlab
authconfig --enablesssd --enablesssdauth --enablelocauthorize
--enableldap --enableldaptls --enableldapauth
--ldapserver=ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
--ldapbasedn=dc=vmlab,dc=ari,dc=cdk,dc=hosting --disablekrb5
--disablenis --enablerfc2307bis --enablemkhomedir --enablecachecreds
--update
[domain/vmlab]
id_provider = ldap
auth_provider = ldap
# Timing
entry_cache_timeout = 600
ldap_network_timeout = 3
ldap_uri = ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
ldap_user_search_base = dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting
ldap_tls_reqcert = demand
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_access_filter = memberOf=CN=Manager,OU=Users,DC=ActDir-VM-Test,DC=vmlab,DC=ari,DC=cdk,DC=hosting
ldap_tls_cacert = /etc/openldap/cacerts/CA.crt
ldap_tls_reqcert = demand
ldap_default_bind_dn = cn=Manager,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
ldap_default_authtok_type = password
ldap_default_authtok = p@ssw0rd
enumerate = true
[nss]
filter_users = root, sshd, named, avahi, haldaemon, dbus, radiusd, news, nscd
filter_groups = root, sshd, named, avahi, haldaemon, dbus, radiusd, news, nscd
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
debug_level = 6
[pam]
reconnection_retries = 3
#
The enumerate = True will only be enabled during testing - if I ever get it working -
then it will be removed.
Client - /etc/openldap/ldap.conf:
idle_timelimit 3600
TIMELIMIT 120
bind_timelimit 120
SASL_NOCANON on
TLSCACertificatePath /etc/openldap/cacerts
TLSCACertificateFile /etc/openldap/cacerts/CA.crt
#TLS_CACERTDIR /etc/openldap/cacerts
#TLS_CACERT /etc/openldap/cacerts/CA.crt
#TLS_CACERT /etc/openldap/cacerts/19913717.0
ssl start_tls
TLS_REQCERT allow
HOST ActDir-VM-Test.vmlab.ari.cdk.hosting
BASE dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting
URI ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
TLS_CACERTDIR /etc/openldap/cacerts
ldap_default_bind_dn cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting
ldap_default_authtok p@ssw0rd
BINDDN uid=Manager,ou=Users,dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting
#
Client - the PAM files password-auth-ac and the system-auth-ac files are the same as the
Server:
Client - nsswitch.conf:
passwd: files sss
shadow: files sss
group: files sss
uid Manager
gid ldap
#base CN=vmlab,OU=Users,DC=vmlab,DC=ari,DC=cdk,DC=hosting
base DC=vmlab,DC=ari,DC=cdk,DC=hosting
uri ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting
#
Client - ldapsearch:
# ldapsearch -x -ZZ -H ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting -b dc=vmlab,dc=ari,dc=cdk,dc=hosting objectclass=*
# extended LDIF
#
# LDAPv3
# base <dc=vmlab,dc=ari,dc=cdk,dc=hosting> with scope subtree
# filter: objectclass=*
# requesting: ALL
#
# vmlab.ari.cdk.hosting
dn: dc=vmlab,dc=ari,dc=cdk,dc=hosting
objectClass: dcObject
objectClass: organization
dc: vmlab
o: vmlab
# Users, vmlab.ari.cdk.hosting
dn: ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
objectClass: organizationalUnit
ou: Users
# Steve xxxxxxxxx, Users, vmlab.ari.cdk.hosting
dn: cn=Steve Murdoch,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Steve xxxxxxxx
sn: xxxxxxxx
objectClass: inetOrgPerson
The inetOrgPerson objectclass is not sufficient; you need to add the posixAccount
objectclass to user objects and the posixGroup objectclass to group objects. These
objectclasses are needed to e.g. provide the POSIX UIDs and GIDs.
HTH
bye,
Sumit
userPassword:: cEBzc3cwcmQ=
uid: sxxxxxxxx
# Bob Jones, Users, vmlab.ari.cdk.hosting
dn: cn=Bob Jones,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Bob Jones
sn: Jones
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: bjones
# Tom xxxxxxxx, Users, vmlab.ari.cdk.hosting
dn: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Tom xxxxxxxx
sn: xxxxxxxx
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: txxxxxxxx
# Max xxxxxxxx, Users, vmlab.ari.cdk.hosting
dn: cn=Max xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Max xxxxxxxx
sn: xxxxxxxx
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: mxxxxxxxx
# Platform, Users, vmlab.ari.cdk.hosting
dn: cn=Platform,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Platform
objectClass: groupOfNames
member: cn=Bob Jones,cn=Steve xxxxxxxx,cn=Tom xxxxxxxx,cn=Max xxxxxxxx,ou=Users ,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Rod Stewart,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Steve xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
# mpitman, Users, vmlab.ari.cdk.hosting
dn: uid=mxxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Mike xxxxxxxx
sn: xxxxxxxx
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: mxxxxxx
# root, Users, vmlab.ari.cdk.hosting
dn: uid=root,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: root
sn: root
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: root
# search result
search: 3
result: 0 Success
# numResponses: 10
#
Any help much appreciated - thanks a lot.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
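Sumit's point above, and the entry posted at the top of the thread, both come down to whether each user entry carries posixAccount plus the RFC 2307 attributes SSSD reads. The following Python script is an added example, not code from the thread or from SSSD: it parses ldapsearch LDIF output and reports, per entry, the missing objectClass or attributes, and also whether the entry's DN sits under the configured ldap_user_search_base, since SSSD only searches beneath that base. The sample LDIF and the user names in it are constructed.

```python
"""Check ldapsearch LDIF output for what SSSD's ldap id_provider needs (added example)."""
import base64

# RFC 2307 attributes SSSD reads from a user entry, besides objectClass posixAccount.
USER_REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")

def parse_ldif(text):
    """Parse LDIF (handles '#' comments, folded lines, 'attr:: <base64>') into [{attr: [values]}]."""
    unfolded = text.replace("\n ", "")          # join folded continuation lines
    entries, cur = [], {}
    for line in unfolded.splitlines():
        if not line.strip():                    # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):           # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode()
            cur.setdefault(name.strip().lower(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries

def check_user(entry, search_base):
    """Reasons SSSD would not map this entry to a passwd user; an empty list means OK."""
    dn, base = entry["dn"][0].lower(), search_base.lower()
    problems = []
    if dn != base and not dn.endswith("," + base):   # SSSD only looks under the base
        problems.append("dn outside ldap_user_search_base " + search_base)
    if "posixaccount" not in {c.lower() for c in entry.get("objectclass", [])}:
        problems.append("missing objectClass posixAccount")
    problems += ["missing " + a for a in USER_REQUIRED if a.lower() not in entry]
    return problems

# Constructed sample modelled on the thread: one entry with posixAccount, one without.
SAMPLE = """\
dn: uid=mike,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword:: cEBzc3cwcmQ=
uid: mike
uidNumber: 504
gidNumber: 100
homeDirectory: /home/mike

dn: cn=Bob Jones,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
objectClass: inetOrgPerson
uid: bjones
"""
```

Feed the saved ldapsearch output and the base from sssd.conf to `check_user(entry, base)` for each entry returned by `parse_ldif`; an empty list means SSSD can turn that entry into a passwd user.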