Hi Sumit,
The Primary group 100 exists on the LDAP Server and on the SSSD Client - but the users
only exist on the LDAP server (no users added to SSSD).
Sorry, I am not clear what you mean:
Attached are the nss and domain logs on the SSSD Client as requested.
Thanks
-----Original Message-----
From: Sumit Bose [mailto:sbose@redhat.com]
Sent: 25 January 2016 17:24
To: sssd-users(a)lists.fedorahosted.org
Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
On Mon, Jan 25, 2016 at 03:55:45PM +0000, Murdoch, Steven wrote:
> Hi Sumit,
> I think I have managed to add in the posixAccount to a user - when I ldapsearch from the
> client - I get this info for this user:
> # mxxxxxx, Users, vmlab.ari.cdk.hosting
> dn: uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> cn: Mike xxxxxx
> sn: xxxxxx
> objectClass: inetOrgPerson
> objectClass: posixAccount
> userPassword:: cEBzc3cwcmQ=
> uid: mxxxxxx
> uidNumber: 504
> gidNumber: 100
> homeDirectory: /home/mxxxxxx
> ..I then tried getent passwd - but same as before I only get local users!
> Is there something else that needs a tweak to allow 'getent passwd' to show the
> ldap users?
you have to add the primary group with GID 100 on the LDAP server as well. If this still
does not work please attach the nss and domain logs (see
Thanks a lot.
-----Original Message-----
From: Murdoch, Steve
Sent: 25 January 2016 14:55
To: 'End-user discussions about the System Security Services Daemon'
Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
Hi Sumit,
Thanks for your help - I am trying to ldapmodify - added these lines to mike.ldif:
dn: uid=mxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
changetype: modify
replace: objectClass
objectClass: posixAccount
uidNumber: 504
userPassword: p@ssw0rd
cn: Mike
sn: xxxxxxx
gidNumber: 100
homeDirectory: /home/mxxxxxx
I used only the first 4 lines - but it complained that I need a uidNumber - so I added
in line 5, but then I get this:
ldapmodify: wrong attributeType at line 5, entry
"uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
...what am I doing wrong?
Thanks
-----Original Message-----
From: Sumit Bose [mailto:sbose@redhat.com]
Sent: 25 January 2016 13:57
To: sssd-users(a)lists.fedorahosted.org
Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
On Mon, Jan 25, 2016 at 01:15:46PM -0000, steven.murdoch(a)cdk.com wrote:
>
> Hi - I am new to SSSD and LDAP, and my first posting - so please bear with me.
> # getent passwd only displays the local users - will not display the
> LDAP users and is driving me insane - ldapsearch seems to work. I am
> using SSSD with TLS to authenticate to the LDAP Server. The CA.crt files were self-signed
> certificates.
> I used # cacertdir_rehash to create the sym-link to the
> CA.crt on both Client and Server. My LDAP Server hostname is
> 'ActDir-VM-Test'
> My SSSD Client hostname is 'SSSD-VM-Test'
>
> Here are my files:
>
> Server - /etc/openldap/slapd.conf:
>
> allow bind_v2
> allow bind_anon_dn
> pidfile /var/run/openldap/slapd.pid
> argsfile /var/run/openldap/slapd.args
> TLSCACertificatePath /etc/openldap/cacerts
> TLSCACertificateFile /etc/openldap/cacerts/CA.crt
> TLSCertificateFile /etc/openldap/cacerts/server.crt
> TLSCertificateKeyFile /etc/openldap/cacerts/server.key
> TLSCipherSuite HIGH:MEDIUM:+TLSv1
> TLSVerifyClient never
> access to dn.sub="dc=vmlab,dc=ari,dc=cdk,dc=hosting"
> by anonymous read
> by * read
> access to dn.base=""
> by anonymous none
> by * read
> database config
> access to *
> by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
> by * none
> database monitor
> access to *
> by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
> by dn.exact="cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting" read
> by * none
> access to * by users read
>
> database bdb
> suffix "dc=vmlab,dc=ari,dc=cdk,dc=hosting"
> checkpoint 1024 15
> rootdn "cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
> rootpw p@ssw0rd
> loglevel 256
> sizelimit unlimited
> #
>
> Server - ldap.conf:
>
> TIMELIMIT 120
> ssl start_tls
>
> URI ldap://ActDir-VM-Test:389/
> BASE cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> TLS_REQCERT allow
>
> TLSCACertificatePath /etc/openldap/cacerts
> TLSCACertificateFile /etc/openldap/cacerts/CA.crt
> #
>
> Server - /etc/sysconfig/ldap:
>
> SLAPD_LDAP=yes
>
> # Run slapd with -h "... ldapi:/// ..."
> # yes/no, default: yes
> SLAPD_LDAPI=no
>
> # Run slapd with -h "... ldaps:/// ..."
> # yes/no, default: no
> SLAPD_LDAPS=no
> #
>
> Server - /etc/pam.d/password-auth-ac
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_sss.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
> #
>
> Server: - /etc/pam.d/system-auth-ac
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_sss.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_sss.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_sss.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_sss.so
> #
>
> Server - /etc/nsswitch.conf
>
> passwd: files sss
> shadow: files sss
> group: files sss
> #
>
>
>
> Client - /etc/sssd/sssd.conf:
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = vmlab
>
> authconfig --enablesssd --enablesssdauth --enablelocauthorize
> --enableldap --enableldaptls --enableldapauth
> --ldapserver=ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
> --ldapbasedn=dc=vmlab,dc=ari,dc=cdk,dc=hosting --disablekrb5
> --disablenis --enablerfc2307bis --enablemkhomedir --enablecachecreds
> --update
>
> [domain/vmlab]
>
> id_provider = ldap
> auth_provider = ldap
>
> # Timing
> entry_cache_timeout = 600
> ldap_network_timeout = 3
>
> ldap_uri = ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
> ldap_user_search_base = dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> ldap_tls_reqcert = demand
> cache_credentials = True
>
> ldap_tls_cacertdir = /etc/openldap/cacerts
> ldap_access_filter = memberOf=CN=Manager,OU=Users,DC=ActDir-VM-Test,DC=vmlab,DC=ari,DC=cdk,DC=hosting
> ldap_tls_cacert = /etc/openldap/cacerts/CA.crt
> ldap_tls_reqcert = demand
> ldap_default_bind_dn = cn=Manager,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> ldap_default_authtok_type = password
> ldap_default_authtok = p@ssw0rd
> enumerate = true
>
>
> [nss]
> filter_users = root, sshd, named, avahi, haldaemon, dbus, radiusd, news, nscd
> filter_groups = root, sshd, named, avahi, haldaemon, dbus, radiusd, news, nscd
> reconnection_retries = 3
> entry_cache_timeout = 300
> entry_cache_nowait_percentage = 75
> debug_level = 6
>
> [pam]
> reconnection_retries = 3
> #
> The enumerate = True will only be enabled during testing - if I ever get it working
> - then it will be removed.
>
>
> Client - /etc/openldap/ldap.conf:
>
> idle_timelimit 3600
> TIMELIMIT 120
> bind_timelimit 120
>
> SASL_NOCANON on
> TLSCACertificatePath /etc/openldap/cacerts
> TLSCACertificateFile /etc/openldap/cacerts/CA.crt
>
> #TLS_CACERTDIR /etc/openldap/cacerts
> #TLS_CACERT /etc/openldap/cacerts/CA.crt
> #TLS_CACERT /etc/openldap/cacerts/19913717.0
>
> ssl start_tls
> TLS_REQCERT allow
> HOST ActDir-VM-Test.vmlab.ari.cdk.hosting
> BASE dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> URI ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
> TLS_CACERTDIR /etc/openldap/cacerts
> ldap_default_bind_dn cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> ldap_default_authtok p@ssw0rd
> BINDDN uid=Manager,ou=Users,dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> #
>
> Client - the PAM files password-auth-ac and the system-auth-ac files are the same as
> the Server:
>
> Client - nsswitch.conf:
>
> passwd: files sss
> shadow: files sss
> group: files sss
>
> uid Manager
> gid ldap
> #base CN=vmlab,OU=Users,DC=vmlab,DC=ari,DC=cdk,DC=hosting
> base DC=vmlab,DC=ari,DC=cdk,DC=hosting
> uri ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting
> #
>
> Client - ldapsearch:
>
> # ldapsearch -x -ZZ -H ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting -b dc=vmlab,dc=ari,dc=cdk,dc=hosting objectclass=*
> # extended LDIF
> #
> # LDAPv3
> # base <dc=vmlab,dc=ari,dc=cdk,dc=hosting> with scope subtree
> # filter: objectclass=*
> # requesting: ALL
> #
>
> # vmlab.ari.cdk.hosting
> dn: dc=vmlab,dc=ari,dc=cdk,dc=hosting
> objectClass: dcObject
> objectClass: organization
> dc: vmlab
> o: vmlab
>
> # Users, vmlab.ari.cdk.hosting
> dn: ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> objectClass: organizationalUnit
> ou: Users
>
> # Steve xxxxxxxxx, Users, vmlab.ari.cdk.hosting
> dn: cn=Steve Murdoch,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> cn: Steve xxxxxxxx
> sn: xxxxxxxx
> objectClass: inetOrgPerson
The inetOrgPerson objectclass is not sufficient; you need to add the posixAccount
objectclass to user objects and the posixGroup objectclass to group objects. These
objectclasses are needed, e.g., to provide the POSIX UIDs and GIDs.
HTH
bye,
Sumit
>
> userPassword:: cEBzc3cwcmQ=
> uid: sxxxxxxxx
>
> # Bob Jones, Users, vmlab.ari.cdk.hosting
> dn: cn=Bob Jones,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> cn: Bob Jones
> sn: Jones
> objectClass: inetOrgPerson
> userPassword:: cEBzc3cwcmQ=
> uid: bjones
>
> # Tom xxxxxxxx, Users, vmlab.ari.cdk.hosting
> dn: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> cn: Tom xxxxxxxx
> sn: xxxxxxxx
> objectClass: inetOrgPerson
> userPassword:: cEBzc3cwcmQ=
> uid: txxxxxxxx
>
> # Max xxxxxxxx, Users, vmlab.ari.cdk.hosting
> dn: cn=Max xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> cn: Max xxxxxxxx
> sn: xxxxxxxx
> objectClass: inetOrgPerson
> userPassword:: cEBzc3cwcmQ=
> uid: mxxxxxxxx
>
> # Platform, Users, vmlab.ari.cdk.hosting
> dn: cn=Platform,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> cn: Platform
> objectClass: groupOfNames
> member: cn=Bob Jones,cn=Steve xxxxxxxx,cn=Tom xxxxxxxx,cn=Max xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> member: cn=Rod Stewart,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> member: cn=Steve xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> member: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
>
> # mpitman, Users, vmlab.ari.cdk.hosting
> dn: uid=mxxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> cn: Mike xxxxxxxx
> sn: xxxxxxxx
> objectClass: inetOrgPerson
> userPassword:: cEBzc3cwcmQ=
> uid: mxxxxxx
>
> # root, Users, vmlab.ari.cdk.hosting
> dn: uid=root,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> cn: root
> sn: root
> objectClass: inetOrgPerson
> userPassword:: cEBzc3cwcmQ=
> uid: root
>
> # search result
> search: 3
> result: 0 Success
>
> # numResponses: 10
> #
>
>
>
> Any help much appreciated - thanks a lot.
>
>
>
>
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
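The two fixes Sumit asks for in this thread (posixAccount on every user with uidNumber/gidNumber/homeDirectory, and a posixGroup for the primary GID) can be checked mechanically before restarting SSSD, and the ldapmodify error Steve hit comes from the shape of the change record rather than the attribute values. The script below is an added example for this thread, not code from the SSSD project or from either poster. It assumes a constructed LDIF sample (dc=example,dc=test, users bjones and mike, group platform) modelled on the ldapsearch output above; it audits the entries the way SSSD's ldap id_provider would see them, and emits a modify record that adds posixAccount with one `add:` stanza per attribute, each closed by `-`, which is the form ldapmodify accepts (a second attribute placed under `replace: objectClass`, as in mike.ldif, is what it reports as "wrong attributeType"; `add:` is used instead of `replace:` so the existing inetOrgPerson class is kept).

```python
import base64
from collections import defaultdict

# Attributes SSSD's ldap id_provider (rfc2307/rfc2307bis schema) needs on a
# user entry before it will return the user via getent passwd.
USER_REQUIRED = ("uidnumber", "gidnumber", "homedirectory")
USER_CLASSES = {"inetorgperson", "person", "account", "posixaccount"}

# Constructed sample data modelled on the thread: bjones has no POSIX data at
# all, mike has posixAccount but points at a primary GID with no posixGroup.
SAMPLE_LDIF = """\
dn: uid=bjones,ou=Users,dc=example,dc=test
objectClass: inetOrgPerson
cn: Bob Jones
sn: Jones
uid: bjones
userPassword:: cEBzc3cwcmQ=

dn: uid=mike,ou=Users,dc=example,dc=test
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Mike Example
sn: Example
uid: mike
uidNumber: 504
gidNumber: 100
homeDirectory: /home/mike

dn: cn=platform,ou=Groups,dc=example,dc=test
objectClass: posixGroup
cn: platform
gidNumber: 200
memberUid: mike
"""


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr_lowercase: [values]}}.
    Handles '::' base64 values and leading-space continuation lines, which
    is enough for ldapsearch output (not a full RFC 2849 parser)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():                 # blank line ends the entry
            current = None
            continue
        if line.startswith("#"):
            continue
        if "::" in line:                     # base64-encoded value
            attr, value = line.split("::", 1)
            value = base64.b64decode(value.strip()).decode()
        else:
            attr, value = line.split(":", 1)
            value = value.strip()
        attr = attr.strip().lower()
        if attr == "dn":
            current = defaultdict(list)
            entries[value] = current
        elif current is not None:
            current[attr].append(value)
    return entries


def audit(entries):
    """Return (problems, group_gids): problems is a list of (dn, reason)
    explaining why SSSD would not expose the entry as a POSIX user."""
    group_gids = {}
    for dn, attrs in entries.items():
        if "posixgroup" in {c.lower() for c in attrs.get("objectclass", [])}:
            for gid in attrs.get("gidnumber", []):
                group_gids[gid] = dn
    problems = []
    for dn, attrs in entries.items():
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "posixgroup" in classes or not classes & USER_CLASSES:
            continue
        if "posixaccount" not in classes:
            problems.append((dn, "missing objectClass posixAccount"))
            continue
        for attr in USER_REQUIRED:
            if attr not in attrs:
                problems.append((dn, f"missing {attr}"))
        for gid in attrs.get("gidnumber", []):
            if gid not in group_gids:
                problems.append((dn, f"primary gidNumber {gid} has no posixGroup entry"))
    return problems, group_gids


def posix_account_modify(dn, uid_number, gid_number, home):
    """ldapmodify record adding posixAccount to an existing user: one 'add:'
    stanza per attribute, each terminated by '-', so no attribute line ever
    sits under another attribute's stanza ('wrong attributeType')."""
    stanzas = [("objectClass", "posixAccount"), ("uidNumber", uid_number),
               ("gidNumber", gid_number), ("homeDirectory", home)]
    body = "".join(f"add: {a}\n{a}: {v}\n-\n" for a, v in stanzas)
    return f"dn: {dn}\nchangetype: modify\n{body}"


def posix_group_add(dn, cn, gid_number, members=()):
    """LDIF for the posixGroup that a user's primary gidNumber must resolve to."""
    lines = [f"dn: {dn}", "objectClass: posixGroup", f"cn: {cn}",
             f"gidNumber: {gid_number}"] + [f"memberUid: {m}" for m in members]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for dn, reason in audit(parse_ldif(SAMPLE_LDIF))[0]:
        print(f"{dn}: {reason}")
    print(posix_account_modify("uid=bjones,ou=Users,dc=example,dc=test",
                               505, 100, "/home/bjones"))
    print(posix_group_add("cn=users,ou=Groups,dc=example,dc=test", "users", 100,
                          ["bjones", "mike"]))
```

Feed it real `ldapsearch -x -LLL -b <base> objectclass=*` output instead of the sample to get the same report for a live directory; the group LDIF goes in with `ldapadd`, the modify record with `ldapmodify`, and both should be applied on the server before restarting SSSD and clearing its cache.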