On Mon, Jan 25, 2016 at 03:55:45PM +0000, Murdoch, Steven wrote:
> Hi Sumit,
> I think I have managed to add in the posixAccount to a user - when I ldapsearch from the client - I get this info for this user:
> # mxxxxxx, Users, vmlab.ari.cdk.hosting
> dn: uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> cn: Mike xxxxxx
> sn: xxxxxx
> objectClass: inetOrgPerson
> objectClass: posixAccount
> userPassword:: cEBzc3cwcmQ=
> uid: mxxxxxx
> uidNumber: 504
> gidNumber: 100
> homeDirectory: /home/mxxxxxx
> ...I then tried getent passwd - but same as before I only get local users!
> Is there something else that needs a tweak to allow 'getent passwd' to show the ldap users?
You have to add the primary group with GID 100 on the LDAP server as well. If this still does not work please attach the nss and domain logs (see https://fedorahosted.org/sssd/wiki/Troubleshooting for details).
bye,
Sumit
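Sumit's two replies in this thread (posixAccount on every user, then a posixGroup for the primary GID 100) and the `ldapmodify: wrong attributeType at line 5` error from the modify attempt quoted further down are illustrated by the following added Python example; it is not from this thread or from the SSSD project. It parses an `ldapsearch -x` LDIF dump like the one posted, reports each RFC 2307 requirement an entry misses (the posixAccount objectclass, its MUST attributes, a gidNumber with no matching posixGroup), flags userPassword values with no `{SCHEME}` prefix (the `cEBzc3cwcmQ=` in the dump is plain base64 of a cleartext password, which slapd stores as given), and emits the LDIF that repairs the tree: `add: objectClass` rather than `replace:` (a replace that lists only posixAccount strips inetOrgPerson), a `-` after each modification (in the posted mike.ldif the `uidNumber: 504` line follows `objectClass: posixAccount` with no `-` between them, so ldapmodify reads it as another objectClass value and rejects the attribute name), and a posixGroup entry for every referenced GID that has none. The sample LDIF is constructed from the dump in the thread; the UID range starting at 1000, the name `users` for GID 100 and placing the group under `ou=Users` are assumptions.

```python
import base64
import re

POSIX_ACCOUNT_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")  # RFC 2307

# Constructed sample modelled on the ldapsearch dump in the thread (not the real
# tree): a plain inetOrgPerson and a posixAccount user whose GID has no group.
SAMPLE_LDIF = """\
# base <dc=vmlab,dc=ari,dc=cdk,dc=hosting> with scope subtree
dn: cn=Bob Jones,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Bob Jones
sn: Jones
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: bjones

dn: uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Mike xxxxxx
sn: xxxxxx
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword:: cEBzc3cwcmQ=
uid: mxxxxxx
uidNumber: 504
gidNumber: 100
homeDirectory: /home/mxxxxxx

result: 0 Success
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]: unfolds continuation lines, decodes
    'attr:: base64' values and skips '#' comments, as ldapsearch prints them."""
    entries, current = [], None
    # RFC 2849: "\n " is a folded line; the trailing "" flushes the last entry.
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
            current = None
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):                 # attr:: <base64>
                value = base64.b64decode(value[1:].strip()).decode()
            value = value.strip()
            if name == "dn":
                current = (value, {})
            elif current:                             # 'result:' etc. belong to no entry
                current[1].setdefault(name, []).append(value)
    return entries

def audit(entries):
    """Return (problems, users, gids_defined); problems is a list of (dn, message)."""
    problems, users, gids_defined = [], [], set()
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectClass", [])}
        if "posixgroup" in classes:
            gids_defined.update(attrs.get("gidNumber", []))
        if classes & {"inetorgperson", "posixaccount"}:
            users.append((dn, attrs))
    for dn, attrs in users:
        if "posixaccount" not in {c.lower() for c in attrs["objectClass"]}:
            problems.append((dn, "missing objectClass posixAccount"))
        problems += [(dn, f"missing {m}") for m in POSIX_ACCOUNT_MUST if m not in attrs]
        problems += [(dn, f"gidNumber {g} has no posixGroup")
                     for g in attrs.get("gidNumber", []) if g not in gids_defined]
        # slapd stores userPassword verbatim: no {SCHEME} prefix means cleartext.
        if any(not p.startswith("{") for p in attrs.get("userPassword", [])):
            problems.append((dn, "userPassword stored in cleartext (no {SCHEME} prefix)"))
    return problems, users, gids_defined

def fix_ldif(users, gids_defined, next_uid=1000, default_gid="100",
             group_base="ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting", group_names=None):
    """Emit LDIF adding posixAccount to users that lack it and a posixGroup for each
    referenced GID that has none; '-' closes every modification (RFC 2849)."""
    group_names = group_names or {"100": "users"}         # assumed name for GID 100
    used = {u for _, a in users for u in a.get("uidNumber", [])}
    records, needed_gids = [], set()
    for dn, attrs in users:
        if "posixaccount" in {c.lower() for c in attrs["objectClass"]}:
            needed_gids.update(attrs.get("gidNumber", []))
            continue
        if not attrs.get("uid"):
            continue                                      # no login name, nothing to do
        while str(next_uid) in used:                      # never reuse an existing UID
            next_uid += 1
        used.add(str(next_uid))
        needed_gids.add(gid := attrs.get("gidNumber", [default_gid])[0])
        # 'add:' keeps inetOrgPerson; 'replace: objectClass' with one value would drop it.
        changes = [("objectClass", "posixAccount"), ("uidNumber", str(next_uid)),
                   ("gidNumber", gid), ("homeDirectory", f"/home/{attrs['uid'][0]}")]
        body = "".join(f"add: {a}\n{a}: {v}\n-\n" for a, v in changes)
        records.append(f"dn: {dn}\nchangetype: modify\n{body}")
    for gid in sorted(needed_gids - gids_defined):
        name = group_names.get(gid, f"gid{gid}")
        records.append(f"dn: cn={name},{group_base}\nchangetype: add\n"
                       f"objectClass: posixGroup\ncn: {name}\ngidNumber: {gid}\n")
    return "\n".join(records)
```

Run it on the real tree by feeding it the output of `ldapsearch -x -ZZ -b dc=vmlab,dc=ari,dc=cdk,dc=hosting objectclass=*`, apply the result with `ldapmodify -x -ZZ -D cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting -W -f fix.ldif`, then clear the SSSD cache (`sss_cache -E`, or stop sssd and remove /var/lib/sss/db/cache_vmlab.ldb) before retrying `getent passwd`, since a cached negative lookup can otherwise keep hiding the repaired user. The cleartext-password finding applies to the posted `rootpw p@ssw0rd` as well: feed slapd `{SSHA}` hashes from `slappasswd` instead.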
>
> Thanks a lot.
>
> -----Original Message-----
> From: Murdoch, Steve
> Sent: 25 January 2016 14:55
> To: 'End-user discussions about the System Security Services Daemon'
> Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
>
> Hi Sumit,
>
> Thanks for your help - I am trying to ldapmodify - added these lines to mike.ldif:
>
> dn: uid=mxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> changetype: modify
> replace: objectClass
> objectClass: posixAccount
> uidNumber: 504
> userPassword: p@ssw0rd
> cn: Mike
> sn: xxxxxxx
> gidNumber: 100
> homeDirectory: /home/mxxxxxx
>
> I used only the first 4 lines - but it complained that I need a uidNumber - so I added in line 5, but then I get this:
> ldapmodify: wrong attributeType at line 5, entry "uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
>
> ...what am I doing wrong?
>
> Thanks
>
> -----Original Message-----
> From: Sumit Bose [mailto:sbose@redhat.com]
> Sent: 25 January 2016 13:57
> To: sssd-users(a)lists.fedorahosted.org
> Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
>
> On Mon, Jan 25, 2016 at 01:15:46PM -0000, steven.murdoch(a)cdk.com wrote:
> >
> > Hi - I am new to SSSD and LDAP, and my first posting - so please bear with me.
> > # getent passwd only displays the local users - will not display the LDAP users and is driving me insane - ldapsearch seems to work. I am using SSSD with TLS to authenticate to the LDAP Server. The CA.crt files were self-signed certificates.
> > I used # cacertdir_rehash to create the sym-link to the CA.crt on both Client and Server. My LDAP Server hostname is 'ActDir-VM-Test'.
> > My SSSD Client hostname is 'SSSD-VM-Test'.
> >
> > Here are my files:
> >
> > Server - /etc/openldap/slapd.conf:
> >
> > allow bind_v2
> > allow bind_anon_dn
> > pidfile /var/run/openldap/slapd.pid
> > argsfile /var/run/openldap/slapd.args
> > TLSCACertificatePath /etc/openldap/cacerts
> > TLSCACertificateFile /etc/openldap/cacerts/CA.crt
> > TLSCertificateFile /etc/openldap/cacerts/server.crt
> > TLSCertificateKeyFile /etc/openldap/cacerts/server.key
> > TLSCipherSuite HIGH:MEDIUM:+TLSv1
> > TLSVerifyClient never
> > access to dn.sub="dc=vmlab,dc=ari,dc=cdk,dc=hosting"
> > by anonymous read
> > by * read
> > access to dn.base=""
> > by anonymous none
> > by * read
> > database config
> > access to *
> > by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
> > by * none
> > database monitor
> > access to *
> > by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
> > by dn.exact="cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting" read
> > by * none
> > access to * by users read
> >
> > database bdb
> > suffix "dc=vmlab,dc=ari,dc=cdk,dc=hosting"
> > checkpoint 1024 15
> > rootdn "cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
> > rootpw p@ssw0rd
> > loglevel 256
> > sizelimit unlimited
> > #
> >
> > Server - ldap.conf:
> >
> > TIMELIMIT 120
> > ssl start_tls
> >
> > URI ldap://ActDir-VM-Test:389/
> > BASE cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > TLS_REQCERT allow
> >
> > TLSCACertificatePath /etc/openldap/cacerts
> > TLSCACertificateFile /etc/openldap/cacerts/CA.crt
> > #
> >
> > Server - /etc/sysconfig/ldap:
> >
> > SLAPD_LDAP=yes
> >
> > # Run slapd with -h "... ldapi:/// ..."
> > # yes/no, default: yes
> > SLAPD_LDAPI=no
> >
> > # Run slapd with -h "... ldaps:/// ..."
> > # yes/no, default: no
> > SLAPD_LDAPS=no
> > #
> >
> > Server - /etc/pam.d/password-auth-ac
> >
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth required pam_env.so
> > auth sufficient pam_unix.so nullok try_first_pass
> > auth requisite pam_succeed_if.so uid >= 500 quiet
> > auth sufficient pam_sss.so use_first_pass
> > auth required pam_deny.so
> >
> > account required pam_unix.so broken_shadow
> > account sufficient pam_localuser.so
> > account sufficient pam_succeed_if.so uid < 500 quiet
> > account [default=bad success=ok user_unknown=ignore] pam_sss.so
> > account required pam_permit.so
> >
> > password requisite pam_cracklib.so try_first_pass retry=3 type=
> > password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > password sufficient pam_sss.so use_authtok
> > password required pam_deny.so
> >
> > session optional pam_keyinit.so revoke
> > session required pam_limits.so
> > session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > session required pam_unix.so
> > session optional pam_sss.so
> > #
> >
> > Server: - /etc/pam.d/system-auth-ac
> >
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth required pam_env.so
> > auth sufficient pam_unix.so nullok try_first_pass
> > auth requisite pam_succeed_if.so uid >= 500 quiet
> > auth sufficient pam_sss.so use_first_pass
> > auth required pam_deny.so
> >
> > account required pam_unix.so broken_shadow
> > account sufficient pam_localuser.so
> > account sufficient pam_succeed_if.so uid < 500 quiet
> > account [default=bad success=ok user_unknown=ignore] pam_sss.so
> > account required pam_permit.so
> >
> > password requisite pam_cracklib.so try_first_pass retry=3 type=
> > password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > password sufficient pam_sss.so use_authtok
> > password required pam_deny.so
> >
> > session optional pam_keyinit.so revoke
> > session required pam_limits.so
> > session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > session required pam_unix.so
> > session optional pam_sss.so
> > #
> >
> > Server - /etc/nsswitch.conf
> >
> > passwd: files sss
> > shadow: files sss
> > group: files sss
> > #
> >
> >
> >
> > Client - /etc/sssd/sssd.conf:
> >
> > [sssd]
> > services = nss, pam
> > config_file_version = 2
> > domains = vmlab
> >
> > authconfig --enablesssd --enablesssdauth --enablelocauthorize
> > --enableldap --enableldaptls --enableldapauth
> > --ldapserver=ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
> > --ldapbasedn=dc=vmlab,dc=ari,dc=cdk,dc=hosting --disablekrb5
> > --disablenis --enablerfc2307bis --enablemkhomedir --enablecachecreds
> > --update
> >
> > [domain/vmlab]
> >
> > id_provider = ldap
> > auth_provider = ldap
> >
> > # Timming
> > entry_cache_timeout = 600
> > ldap_network_timeout = 3
> >
> > ldap_uri = ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
> > ldap_user_search_base = dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > ldap_tls_reqcert = demand
> > cache_credentials = True
> >
> > ldap_tls_cacertdir = /etc/openldap/cacerts
> > ldap_access_filter = memberOf=CN=Manager,OU=Users,DC=ActDir-VM-Test,DC=vmlab,DC=ari,DC=cdk,DC=hosting
> > ldap_tls_cacert = /etc/openldap/cacerts/CA.crt
> > ldap_tls_reqcert = demand
> > ldap_default_bind_dn = cn=Manager,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > ldap_default_authtok_type = password
> > ldap_default_authtok = p@ssw0rd
> > enumerate = true
> >
> >
> > [nss]
> > filter_users = root, sshd, named, avahi, haldaemon, dbus, radiusd, news, nscd
> > filter_groups = root, sshd, named, avahi, haldaemon, dbus, radiusd, news, nscd
> > reconnection_retries = 3
> > entry_cache_timeout = 300
> > entry_cache_nowait_percentage = 75
> > debug_level = 6
> >
> > [pam]
> > reconnection_retries = 3
> > #
> > The enumerate = True will only be enabled during testing - if I ever get it working - then it will be removed.
> >
> >
> > Client - /etc/openldap/ldap.conf:
> >
> > idle_timelimit 3600
> > TIMELIMIT 120
> > bind_timelimit 120
> >
> > SASL_NOCANON on
> > TLSCACertificatePath /etc/openldap/cacerts
> > TLSCACertificateFile /etc/openldap/cacerts/CA.crt
> >
> > #TLS_CACERTDIR /etc/openldap/cacerts
> > #TLS_CACERT /etc/openldap/cacerts/CA.crt
> > #TLS_CACERT /etc/openldap/cacerts/19913717.0
> >
> > ssl start_tls
> > TLS_REQCERT allow
> > HOST ActDir-VM-Test.vmlab.ari.cdk.hosting
> > BASE dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > URI ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
> > TLS_CACERTDIR /etc/openldap/cacerts
> > ldap_default_bind_dn cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > ldap_default_authtok p@ssw0rd
> > BINDDN uid=Manager,ou=Users,dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > #
> >
> > Client - the PAM files password-auth-ac and the system-auth-ac files are the same as the Server:
> >
> > Client - nsswitch.conf:
> >
> > passwd: files sss
> > shadow: files sss
> > group: files sss
> >
> > uid Manager
> > gid ldap
> > #base CN=vmlab,OU=Users,DC=vmlab,DC=ari,DC=cdk,DC=hosting
> > base DC=vmlab,DC=ari,DC=cdk,DC=hosting
> > uri ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting
> > #
> >
> > Client - ldapsearch:
> >
> > # ldapsearch -x -ZZ -H ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting -b dc=vmlab,dc=ari,dc=cdk,dc=hosting objectclass=*
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <dc=vmlab,dc=ari,dc=cdk,dc=hosting> with scope subtree
> > # filter: objectclass=*
> > # requesting: ALL
> > #
> >
> > # vmlab.ari.cdk.hosting
> > dn: dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > objectClass: dcObject
> > objectClass: organization
> > dc: vmlab
> > o: vmlab
> >
> > # Users, vmlab.ari.cdk.hosting
> > dn: ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > objectClass: organizationalUnit
> > ou: Users
> >
> > # Steve xxxxxxxxx, Users, vmlab.ari.cdk.hosting
> > dn: cn=Steve Murdoch,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > cn: Steve xxxxxxxx
> > sn: xxxxxxxx
> > objectClass: inetOrgPerson
>
> The inetOrgPerson objectclass is not sufficient; you need to add the posixAccount objectclass to user objects and the posixGroup objectclass to group objects. These objectclasses are needed to e.g. provide the POSIX UIDs and GIDs.
>
> HTH
>
> bye,
> Sumit
> >
> > userPassword:: cEBzc3cwcmQ=
> > uid: sxxxxxxxx
> >
> > # Bob Jones, Users, vmlab.ari.cdk.hosting
> > dn: cn=Bob Jones,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > cn: Bob Jones
> > sn: Jones
> > objectClass: inetOrgPerson
> > userPassword:: cEBzc3cwcmQ=
> > uid: bjones
> >
> > # Tom xxxxxxxx, Users, vmlab.ari.cdk.hosting
> > dn: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > cn: Tom xxxxxxxx
> > sn: xxxxxxxx
> > objectClass: inetOrgPerson
> > userPassword:: cEBzc3cwcmQ=
> > uid: txxxxxxxx
> >
> > # Max xxxxxxxx, Users, vmlab.ari.cdk.hosting
> > dn: cn=Max xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > cn: Max xxxxxxxx
> > sn: xxxxxxxx
> > objectClass: inetOrgPerson
> > userPassword:: cEBzc3cwcmQ=
> > uid: mxxxxxxxx
> >
> > # Platform, Users, vmlab.ari.cdk.hosting
> > dn: cn=Platform,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > cn: Platform
> > objectClass: groupOfNames
> > member: cn=Bob Jones,cn=Steve xxxxxxxx,cn=Tom xxxxxxxx,cn=Max xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > member: cn=Rod Stewart,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > member: cn=Steve xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > member: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> >
> > # mpitman, Users, vmlab.ari.cdk.hosting
> > dn: uid=mxxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > cn: Mike xxxxxxxx
> > sn: xxxxxxxx
> > objectClass: inetOrgPerson
> > userPassword:: cEBzc3cwcmQ=
> > uid: mxxxxxx
> >
> > # root, Users, vmlab.ari.cdk.hosting
> > dn: uid=root,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > cn: root
> > sn: root
> > objectClass: inetOrgPerson
> > userPassword:: cEBzc3cwcmQ=
> > uid: root
> >
> > # search result
> > search: 3
> > result: 0 Success
> >
> > # numResponses: 10
> > #
> >
> >
> >
> > Any help much appreciated - thanks a lot.
> >
> >
> >
> >
> > _______________________________________________
> > sssd-users mailing list
> > sssd-users(a)lists.fedorahosted.org
> > https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org