As 1.8.0-32 is part of the latest install of RHEL 6, that's the version we need to use.
case_sensitive = false
ldap_uri = ldap://ldapservername.domain.domain.domain
ldap_search_base = dc=domain,dc=domain,dc=domain
ldap_user_search_base = dc=domain,dc=domain,dc=domain
ldap_group_search_base = dc=domain,dc=domain,dc=domain
ldap_id_use_start_tls = true
ldap_schema = rfc2307bis
ldap_sasl_mech = GSSAPI
ldap_force_upper_case_realm = true
ldap_krb5_keytab = /etc/krb5.keytab
ldap_sasl_authid = host/servername.domain.domain.domain@DOMAIN.DOMAIN.DOMAIN
auth_provider = krb5
cache_credentials = true
krb5_realm = DOMAIN.DOMAIN.DOMAIN
krb5_server = ldapservername.DOMAIN.DOMAIN.DOMAIN
krb5_ccachedir = /tmp
krb5_auth_timeout = 15
ldap_user_object_class = user
ldap_user_modify_timestamp = whenChanged
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_shell = loginShell
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_group_object_class = group
ldap_group_modify_timestamp = whenChanged
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber
krb5_kpasswd = ldapservername.domain.domain.domain
access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_disable_referrals = true
[sudo]
[autofs]
[ssh]
I've tried changing access_provider to simple or permit and it didn't work. I tried adding ldap_access_filter to allow my id and tried objectClass=user and it didn't work. I modified the sssd.conf file based on another one I found at
zews.org/rhel6-active-directory
Here is the password_auth file:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
nsswitch.conf has the following:
passwd: files sss
shadow: files sss
group: files sss
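To reason about why an AD user is accepted or refused by the stacks above, here is an added PAM stack simulator (not from the original post) that follows the pam.conf(5) control semantics; module return codes are supplied by hand, and the auth/account lines are copied from the password-auth file quoted above.

```python
SHORTHAND = {  # shorthand controls as their documented bracket equivalents (pam.conf(5))
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse_stack(text, group):
    rules = []  # [(control_table, module)] for the lines of one management group
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[0] != group:
            continue
        if tok[1].startswith("["):                       # bracket control may span tokens
            end = next(i for i, t in enumerate(tok) if t.endswith("]"))
            pairs = " ".join(tok[1:end + 1]).strip("[]").split()
            rules.append((dict(kv.split("=", 1) for kv in pairs), tok[end + 1]))
        else:
            rules.append((SHORTHAND[tok[1]], tok[2]))
    return rules

def evaluate(rules, results):  # results: module -> return code; unlisted modules succeed
    impression, status = None, "perm_denied"             # empty/all-ignored stack denies
    for control, module in rules:
        rc = results.get(module, "success")
        action = control.get(rc, control.get("default", "bad"))   # jump/reset not modelled
        if action in ("ok", "done"):
            if impression is None or (impression, status) == ("positive", "success"):
                impression, status = "positive", rc      # ok never overrides a failure
            if action == "done" and status == "success":
                break                                    # sufficient: stop on success
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", rc      # first failure fixes the result
            if action == "die":
                break                                    # requisite: stop immediately
    return status

# auth and account stacks from the password-auth file quoted above (constructed test input)
PASSWORD_AUTH = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
"""
```

Feeding pam_sss an acct_expired result in the account stack shows that pam_permit cannot rescue an AD user once SSSD's access check (ldap_access_order = expire) has failed.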