Hi Sumit - I have a CA.crt (self signed) on both the client and the server, and there is an option in the sssd.conf to start_tls:

In sssd.conf:

ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = demand
cache_credentials = True
default_shell = /bin/bash
ldap_user_object_class = posixAccount
ldap_group_object_class = posixGroup
ldap_user_home_directory = homeDirectory
ldap_tls_cacert = /etc/openldap/cacerts/CA.crt

In /etc/openldap/ldap.conf:

ssl on
ssl start_tls
TLS_REQCERT allow
HOST ActDir-VM-Test.vmlab.ari.cdk.hosting
BASE dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting
URI ldaps://ActDir-VM-Test.vmlab.ari.cdk.hosting:636
TLS_CACERTDIR /etc/openldap/cacerts

In /etc/openldap/cacerts on Client:

[root@SSSD-VM-Test cacerts]# ll
total 16
lrwxrwxrwx 1 root root   10 Jan 27 14:41 19913717.0 -> server.crt
-rw-r--r-- 1 root root 1025 Jan 25 09:08 CA.crt
-rw-r--r-- 1 root root  963 Jan 22 16:49 CA.key
-rw-r--r-- 1 root root   17 Jan 22 16:49 CA.srl
lrwxrwxrwx 1 root root    6 Jan 27 14:41 e639daac.0 -> CA.crt
-rw-r--r-- 1 root root  851 Jan 27 14:40 server.crt
#

In /etc/openldap/cacerts on LDAP Server:

[root@ActDir-VM-Test cacerts]# ll
total 24
lrwxrwxrwx 1 root root   10 Jan 25 09:14 19913717.0 -> server.crt
-rw-r--r-- 1 root root 1025 Jan 25 09:03 CA.crt
-rw-r--r-- 1 root root  963 Jan 25 09:01 CA.key
-rw-r--r-- 1 root root   17 Jan 19 10:47 CA.srl
lrwxrwxrwx 1 root root    6 Jan 25 09:14 e639daac.0 -> CA.crt
-rw-r--r-- 1 root root  851 Jan 19 10:47 server.crt
-rw-r--r-- 1 root root  720 Jan 19 10:45 server.csr
-rw-r--r-- 1 root root  887 Jan 19 10:43 server.key
#

I was running ldap://389, so now tried to switch to ldaps://636 – but now I am getting this on the client:
Do I need to switch to 636 for TLS/SSL – I thought 389 would also work with TLS?

[root@SSSD-VM-Test db]# ldapsearch -x -ZZ -H ldaps://ActDir-VM-Test.vmlab.ari.cdk.hosting -b dc=vmlab,dc=ari,dc=cdk,dc=hosting objectclass=*
ldap_start_tls: Can't contact LDAP server (-1)
        additional info: TLS error -8157:Certificate extension not found.
#

…the getent passwd and group are now not working!

The pam log and the domain log (sssd_vmlab.log) files do not appear to be updating on the Client:

-rw------- 1 root root        0 Jan 27 03:44 sssd_pam.log
-rw------- 1 root root        0 Jan 27 03:44 sssd.log
-rw------- 1 root root 12873239 Jan 27 11:04 sssd_vmlab.log
-rw------- 1 root root  2202196 Jan 27 15:11 sssd_nss.log

I have attached the logs for you to see in any case.

Many Thanks for the help Sumit.

Steve…


-----Original Message-----
From: Sumit Bose [mailto:sbose@redhat.com]
Sent: 27 January 2016 14:22
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7

On Wed, Jan 27, 2016 at 10:22:48AM +0000, Murdoch, Steven wrote:

> Hi Sumit, … forgot to mention my ldap password for the user I believe to be correct.
>
> These are the last 4 lines in the /var/log/secure on my client SSSD machine:

SSSD logs would be more useful here, especially sssd_pam and the domain logs. As a guess, SSSD does the LDAP bind for authentication only on an encrypted connection, i.e. your LDAP server must support StartTLS, which requires a valid certificate for the server and the CA certificate installed on the server and the SSSD client.

HTH

bye,
Sumit


>
> Jan 27 10:07:20 SSSD-VM-Test sshd[2240]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.31.241.50  user=smurdoch
> Jan 27 10:07:21 SSSD-VM-Test sshd[2240]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.31.241.50 user=smurdoch
> Jan 27 10:07:21 SSSD-VM-Test sshd[2240]: pam_sss(sshd:auth): received for user smurdoch: 9 (Authentication service cannot retrieve authentication info)
> Jan 27 10:07:23 SSSD-VM-Test sshd[2240]: Failed password for smurdoch from 172.31.241.50 port 52391
>
> …thanks again
> Steve..

>

> From: Murdoch, Steve
> Sent: 27 January 2016 10:16
> To: sssd-users@lists.fedorahosted.org
> Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7

>

>

> Hi Sumit,

>

>

>

> I am making progress - both # getent -s sss passwd and getent group now work.

> I can also su - ldapuser and I get a shell in the correct $HOME on the ldap server.

>

> But I still cannot login to the SSSD Client as an ldap user!

>

>

>

> My /var/log/secure log last line is this:

>

>

>

> SSSD-VM-Test sshd[2240]: Failed password for sxxxxxx from IP port

> 52391

>

>

>

> ...any ideas - I must be close!

>

>

>

> Thanks

>

> Steve..

>

>

>

>

>

> -----Original Message-----
> From: Sumit Bose [mailto:sbose@redhat.com]
> Sent: 27 January 2016 08:50
> To: sssd-users@lists.fedorahosted.org
> Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7

>

>

>

> On Tue, Jan 26, 2016 at 03:08:19PM +0000, Murdoch, Steven wrote:

>

> > Hi Sumit, … this is the last few lines from the sssd_nss.log (after running # getent group – which does not work). Getent passwd now works ok.
> >
> > (Tue Jan 26 14:51:15 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
> > (Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> > (Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> > (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_setgrent_send] (0x0100): Received setgrent request
> > (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_setgrent_step] (0x0400): Requesting info for domain [vmlab]
> > (Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41c240:2:*@vmlab]
> > (Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [vmlab][4098][1][*]
> > (Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41c240:2:*@vmlab]
> > (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_setgrent_step] (0x0400): Requesting info for domain [vmlab]
> > (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_setgrent_step] (0x0100): Domain [vmlab] has no groups, skipping.
> > (Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41c240:2:*@vmlab]
> > (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_getgrent] (0x0100): Requesting info for all groups
> > (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups
> > (Tue Jan 26 14:51:15 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> > (Tue Jan 26 14:51:17 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
> > (Tue Jan 26 14:51:17 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> > (Tue Jan 26 14:51:17 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> > (Tue Jan 26 14:51:17 2016) [sssd[nss]] [nss_cmd_setgrent_send] (0x0100): Received setgrent request
> > (Tue Jan 26 14:51:17 2016) [sssd[nss]] [nss_cmd_getgrent] (0x0100): Requesting info for all groups
> > (Tue Jan 26 14:51:17 2016) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups
> > (Tue Jan 26 14:51:17 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
> >
> > …I have a feeling my groups setup is not correct !

>

>

>

> yes, as mentioned earlier groups need the objectclass posixGroup to have a gidNumber attribute.

>

>

>

> Please note that if you use the member attribute with the DNs of the members you have to set 'ldap_schema=rfc2307bis' (see man sssd-ldap for details).

>

>

>

> HTH

>

>

>

> bye,

>

> Sumit

>

>

>

> >

>

> > # Platform, Users, vmlab.ari.cdk.hosting
> > dn: cn=Platform,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > cn: Platform
> > objectClass: groupOfNames
> > member: cn=Bob Jones,cn=Steve xxxxxx,cn=Tom xxxxxxx,cn=Max xxxxxxx,ou=Users ,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > member: cn=Rod xxxxxt,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > member: cn=Steve xxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > member: cn=Tom xxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> >
> > # groups, vmlab.ari.cdk.hosting
> > dn: ou=groups,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > objectClass: organizationalUnit
> > ou: groups
> > description: generic groups branch

>

> >

>

> > ..or is it something else?

>

> > When I try and login via the client (SSSD VM) I get access denied.

>

> >

>

> > Thanks again.

>

> >

>

> > From: Murdoch, Steve
> > Sent: 26 January 2016 13:37
> > To: 'End-user discussions about the System Security Services Daemon'
> > Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7

>

> >

>

> >

>

> > Hi Sumit - The good news is - # getent passwd is now working - I can see all my LDAP users:

>

> >

>

> >

>

> >

>

> > .....
> > rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
> > rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
> > nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
> > mxxxxxx:*:502:502:Max xxxxxx:/home/max:
> > txxxxxx:*:501:501:Tom xxxxxx:/home/tom:
> > sxxxxxx:*:505:100:Steve xxxxxx:/home/sxxxxxx:
> > Manager:*:503:503:Manager:/home/Manager:
> > mxxxxxx:*:504:100:Mike xxxxxx:/home/mxxxxxx:
> > bjones:*:506:100:Bob Jones:/home/bjones:
> > admin:*:507:100:admin:/home/admin:
> > [root@SSSD-VM-Test db]#

>

> >

>

> >

>

> >

>

> > .. the bad news is # getent group is not working and therefore (I am assuming) I cannot login on the client and get authorised via SSSD to the LDAP server.

>

> >

>

> > I have added a group - this is what I added:

>

> >

>

> >

>

> >

>

> > # groups, vmlab.ari.cdk.hosting
> > dn: ou=groups,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > objectClass: organizationalUnit
> > ou: groups
> > description: generic groups branch

>

> >

>

> >

>

> >

>

> > ..is this ok - or do I need to add more lines?

>

> >

>

> >

>

> >

>

> > Many thanks for your help.

>

> >

>

> >

>

> >

>

> >

>

> >

>

> >

>

> >

>

> > -----Original Message-----
> > From: Murdoch, Steve
> > Sent: 26 January 2016 10:58
> > To: sssd-users@lists.fedorahosted.org
> > Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7

>

> >

>

> >

>

> >

>

> > Hi Sumit,

>

> >

>

> >

>

> >

>

> > The Primary group 100 exists on the LDAP Server and on the SSSD Client - but the users only exist on the LDAP server (no users added to SSSD).

>

> >

>

> >

>

> >

>

> > Sorry, I am not clear what you mean:

>

> >

>

> > > you have to add the primary group with GID 100 on the LDAP server as well

>

> >

>

> >

>

> >

>

> > Attached are the nss and domain logs on the SSSD Client as requested.

>

> >

>

> >

>

> >

>

> > Thanks

>

> >

>

> >

>

> >

>

> > -----Original Message-----
> > From: Sumit Bose [mailto:sbose@redhat.com]
> > Sent: 25 January 2016 17:24
> > To: sssd-users@lists.fedorahosted.org
> > Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7

>

> >

>

> >

>

> >

>

> > On Mon, Jan 25, 2016 at 03:55:45PM +0000, Murdoch, Steven wrote:

>

> >

>

> > > Hi Sumit,

>

> >

>

> > >

>

> >

>

> > > I think I have managed to add in the posixAccount to a user - when I ldapsearch from the client - I get this info for this user:

>

> >

>

> > >

>

> >

>

> > >

>

> >

>

> > > # mxxxxxx, Users, vmlab.ari.cdk.hosting

>

> >

>

> > > dn: uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting

>

> >

>

> > > cn: Mike xxxxxx

>

> >

>

> > > sn: xxxxxx

>

> >

>

> > > objectClass: inetOrgPerson

>

> >

>

> > > objectClass: posixAccount

>

> >

>

> > > userPassword:: cEBzc3cwcmQ=

>

> >

>

> > > uid: mxxxxxx

>

> >

>

> > > uidNumber: 504

>

> >

>

> > > gidNumber: 100

>

> >

>

> > > homeDirectory: /home/mxxxxxx

>

> >

>

> > >

>

> >

>

> > > ..I then tried getent passwd - but same as before I only get local users !

>

> >

>

> > > Is there something else that needs a tweak to allow 'getent passwd' to show the ldap users?

>

> >

>

> >

>

> >

>

> > you have to add the primary group with GID 100 on the LDAP server as well. If this still does not work please attach the nss and domain logs (see https://fedorahosted.org/sssd/wiki/Troubleshooting for details).

>

> >

>

> >

>

> >

>

> > bye,

>

> >

>

> > Sumit

>

> >

>

> >

>

> >

>

> > >

>

> >

>

> > > Thanks a lot.

>

> >

>

> > >

>

> >

>

> > > -----Original Message-----
> > > From: Murdoch, Steve
> > > Sent: 25 January 2016 14:55
> > > To: 'End-user discussions about the System Security Services Daemon'
> > > Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7

>

> >

>

> > >

>

> >

>

> > > Hi Sumit,

>

> >

>

> > >

>

> >

>

> > > Thanks for your help - I am trying to ldapmodify - added these lines to mike.ldif:

>

> >

>

> > >

>

> >

>

> > > dn: uid=mxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting

>

> >

>

> > > changetype: modify

>

> >

>

> > > replace: objectClass

>

> >

>

> > > objectClass: posixAccount

>

> >

>

> > > uidNumber: 504

>

> >

>

> > > userPassword: p@ssw0rd

>

> >

>

> > > cn: Mike

>

> >

>

> > > sn: xxxxxxx

>

> >

>

> > > gidNumber: 100

>

> >

>

> > > homeDirectory: /home/mxxxxxx

>

> >

>

> > >

>

> >

>

> > > I used only the first 4 lines - but it complained that I need a uidNumber  - so I added in line 5, but then I get this:

>

> >

>

> > > ldapmodify: wrong attributeType at line 5, entry "uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting"

>

> >

>

> > >

>

> >

>

> > > ...what am I doing wrong?

>

> >

>

> > >

>

> >

>

> > > Thanks

>

> >

>

> > >

>

> >

>

> > > -----Original Message-----
> > > From: Sumit Bose [mailto:sbose@redhat.com]
> > > Sent: 25 January 2016 13:57
> > > To: sssd-users@lists.fedorahosted.org
> > > Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7

>

> >

>

> > >

>

> >

>

> > > On Mon, Jan 25, 2016 at 01:15:46PM -0000, steven.murdoch@cdk.com wrote:

>

> >

>

> > > >

>

> >

>

> > > > Hi - I am new to SSSD and LDAP, and my first posting - so please bear with me.
> > > > # getent passwd only displays the local users - will not display the LDAP users and is driving me insane - ldapsearch seems to work.
> > > > I am using SSSD with TLS to authenticate to LDAP Server. The CA.crt files were self signed certificates.
> > > > I used # cacertdir_rehash to create the sym-link to the CA.crt on both Client and Server.
> > > > My LDAP Server hostname is 'ActDir-VM-Test'
> > > > My SSSD Client hostname is 'SSSD-VM-Test'

>

> >

>

> > > >

>

> >

>

> > > > Here are my files:

>

> >

>

> > > >

>

> >

>

> > > > Server - /etc/openldap/slapd.conf:
> > > >
> > > > allow bind_v2
> > > > allow bind_anon_dn
> > > > pidfile         /var/run/openldap/slapd.pid
> > > > argsfile        /var/run/openldap/slapd.args
> > > > TLSCACertificatePath /etc/openldap/cacerts
> > > > TLSCACertificateFile /etc/openldap/cacerts/CA.crt
> > > > TLSCertificateFile /etc/openldap/cacerts/server.crt
> > > > TLSCertificateKeyFile /etc/openldap/cacerts/server.key
> > > > TLSCipherSuite HIGH:MEDIUM:+TLSv1
> > > > TLSVerifyClient never
> > > > access to dn.sub="dc=vmlab,dc=ari,dc=cdk,dc=hosting"
> > > >         by anonymous read
> > > >         by * read
> > > > access to dn.base=""
> > > >         by anonymous none
> > > >         by * read
> > > > database config
> > > > access to *
> > > >         by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
> > > >         by * none
> > > > database monitor
> > > > access to *
> > > >         by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
> > > >         by dn.exact="cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting" read
> > > >         by * none
> > > > access to * by users read
> > > >
> > > > database        bdb
> > > > suffix          "dc=vmlab,dc=ari,dc=cdk,dc=hosting"
> > > > checkpoint      1024 15
> > > > rootdn          "cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
> > > > rootpw          p@ssw0rd
> > > > loglevel 256
> > > > sizelimit unlimited
> > > > #

>

> >

>

> > > >

>

> >

>

> > > > Server - ldap.conf:
> > > >
> > > > TIMELIMIT 120
> > > > ssl start_tls
> > > >
> > > > URI ldap://ActDir-VM-Test:389/
> > > > BASE cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > > > TLS_REQCERT allow
> > > >
> > > > TLSCACertificatePath /etc/openldap/cacerts
> > > > TLSCACertificateFile /etc/openldap/cacerts/CA.crt
> > > > #

>

> >

>

> > > >

>

> >

>

> > > > Server - /etc/sysconfig/ldap:

>

> >

>

> > > >

>

> >

>

> > > > SLAPD_LDAP=yes

>

> >

>

> > > >

>

> >

>

> > > > # Run slapd with -h "... ldapi:/// ..."

>

> >

>

> > > > #   yes/no, default: yes

>

> >

>

> > > > SLAPD_LDAPI=no

>

> >

>

> > > >

>

> >

>

> > > > # Run slapd with -h "... ldaps:/// ..."

>

> >

>

> > > > #   yes/no, default: no

>

> >

>

> > > > SLAPD_LDAPS=no

>

> >

>

> > > > #

>

> >

>

> > > >

>

> >

>

> > > > Server - /etc/pam.d/password-auth-ac

>

> >

>

> > > >

>

> >

>

> > > > #%PAM-1.0

>

> >

>

> > > > # This file is auto-generated.

>

> >

>

> > > > # User changes will be destroyed the next time authconfig is run.

>

> >

>

> > > > auth        required      pam_env.so

>

> >

>

> > > > auth        sufficient    pam_unix.so nullok try_first_pass

>

> >

>

> > > > auth        requisite     pam_succeed_if.so uid >= 500 quiet

>

> >

>

> > > > auth        sufficient    pam_sss.so use_first_pass

>

> >

>

> > > > auth        required      pam_deny.so

>

> >

>

> > > >

>

> >

>

> > > > account     required      pam_unix.so broken_shadow

>

> >

>

> > > > account     sufficient    pam_localuser.so

>

> >

>

> > > > account     sufficient    pam_succeed_if.so uid < 500 quiet

>

> >

>

> > > > account     [default=bad success=ok user_unknown=ignore] pam_sss.so

>

> >

>

> > > > account     required      pam_permit.so

>

> >

>

> > > >

>

> >

>

> > > > password    requisite     pam_cracklib.so try_first_pass retry=3 type=

>

> >

>

> > > > password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok

>

> >

>

> > > > password    sufficient    pam_sss.so use_authtok

>

> >

>

> > > > password    required      pam_deny.so

>

> >

>

> > > >

>

> >

>

> > > > session     optional      pam_keyinit.so revoke

>

> >

>

> > > > session     required      pam_limits.so

>

> >

>

> > > > session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

>

> >

>

> > > > session     required      pam_unix.so

>

> >

>

> > > > session     optional      pam_sss.so

>

> >

>

> > > > #

>

> >

>

> > > >

>

> >

>

> > > > Server: - /etc/pam.d/system-auth-ac

>

> >

>

> > > >

>

> >

>

> > > > #%PAM-1.0

>

> >

>

> > > > # This file is auto-generated.

>

> >

>

> > > > # User changes will be destroyed the next time authconfig is run.

>

> >

>

> > > > auth        required      pam_env.so

>

> >

>

> > > > auth        sufficient    pam_unix.so nullok try_first_pass

>

> >

>

> > > > auth        requisite     pam_succeed_if.so uid >= 500 quiet

>

> >

>

> > > > auth        sufficient    pam_sss.so use_first_pass

>

> >

>

> > > > auth        required      pam_deny.so

>

> >

>

> > > >

>

> >

>

> > > > account     required      pam_unix.so broken_shadow

>

> >

>

> > > > account     sufficient    pam_localuser.so

>

> >

>

> > > > account     sufficient    pam_succeed_if.so uid < 500 quiet

>

> >

>

> > > > account     [default=bad success=ok user_unknown=ignore] pam_sss.so

>

> >

>

> > > > account     required      pam_permit.so

>

> >

>

> > > >

>

> >

>

> > > > password    requisite     pam_cracklib.so try_first_pass retry=3 type=

>

> >

>

> > > > password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok

>

> >

>

> > > > password    sufficient    pam_sss.so use_authtok

>

> >

>

> > > > password    required      pam_deny.so

>

> >

>

> > > >

>

> >

>

> > > > session     optional      pam_keyinit.so revoke

>

> >

>

> > > > session     required      pam_limits.so

>

> >

>

> > > > session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

>

> >

>

> > > > session     required      pam_unix.so

>

> >

>

> > > > session     optional      pam_sss.so

>

> >

>

> > > > #

>

> >

>

> > > >

>

> >

>

> > > > Server - /etc/nsswitch.conf

>

> >

>

> > > >

>

> >

>

> > > > passwd:     files sss

>

> >

>

> > > > shadow:     files sss

>

> >

>

> > > > group:      files sss

>

> >

>

> > > > #

>

> >

>

> > > >

>

> >

>

> > > >

>

> >

>

> > > >

>

> >

>

> > > > Client - /etc/sssd/sssd.conf:
> > > >
> > > > [sssd]
> > > > services = nss, pam
> > > > config_file_version = 2
> > > > domains = vmlab
> > > >
> > > > authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap --enableldaptls --enableldapauth --ldapserver=ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389 --ldapbasedn=dc=vmlab,dc=ari,dc=cdk,dc=hosting --disablekrb5 --disablenis --enablerfc2307bis --enablemkhomedir --enablecachecreds --update
> > > >
> > > > [domain/vmlab]
> > > >
> > > > id_provider = ldap
> > > > auth_provider = ldap
> > > >
> > > > # Timing
> > > > entry_cache_timeout = 600
> > > > ldap_network_timeout = 3
> > > >
> > > > ldap_uri = ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
> > > > ldap_user_search_base = dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > > > ldap_tls_reqcert = demand
> > > > cache_credentials = True
> > > >
> > > > ldap_tls_cacertdir = /etc/openldap/cacerts
> > > > ldap_access_filter = memberOf=CN=Manager,OU=Users,DC=ActDir-VM-Test,DC=vmlab,DC=ari,DC=cdk, DC=hosting
> > > > ldap_tls_cacert = /etc/openldap/cacerts/CA.crt
> > > > ldap_tls_reqcert = demand
> > > > ldap_default_bind_dn = cn=Manager,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > > > ldap_default_authtok_type = password
> > > > ldap_default_authtok = p@ssw0rd
> > > > enumerate = true
> > > >
> > > > [nss]
> > > > filter_users = root, sshd, named, avahi, haldaemon, dbus, radiusd, news, nscd
> > > > filter_groups = root, sshd, named, avahi, haldaemon, dbus, radiusd, news, nscd
> > > > reconnection_retries = 3
> > > > entry_cache_timeout = 300
> > > > entry_cache_nowait_percentage = 75
> > > > debug_level = 6
> > > >
> > > > [pam]
> > > > reconnection_retries = 3
> > > > #

>

> >

>

> > > > The enumerate = True will only be enabled during testing - if I ever get it working - then it will be removed.

>

> >

>

> > > >

>

> >

>

> > > >

>

> >

>

> > > > Client - /etc/openldap/ldap.conf:
> > > >
> > > > idle_timelimit  3600
> > > > TIMELIMIT       120
> > > > bind_timelimit  120
> > > >
> > > > SASL_NOCANON    on
> > > > TLSCACertificatePath /etc/openldap/cacerts
> > > > TLSCACertificateFile /etc/openldap/cacerts/CA.crt
> > > >
> > > > #TLS_CACERTDIR /etc/openldap/cacerts
> > > > #TLS_CACERT /etc/openldap/cacerts/CA.crt
> > > > #TLS_CACERT /etc/openldap/cacerts/19913717.0
> > > >
> > > > ssl start_tls
> > > > TLS_REQCERT allow
> > > > HOST ActDir-VM-Test.vmlab.ari.cdk.hosting
> > > > BASE dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > > > URI ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
> > > > TLS_CACERTDIR /etc/openldap/cacerts
> > > > ldap_default_bind_dn cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > > > ldap_default_authtok p@ssw0rd
> > > > BINDDN uid=Manager,ou=Users,dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > > > #

>

> >

>

> > > >

>

> >

>

> > > > Client - the PAM files password-auth-ac and the system-auth-ac files are the same as the Server:

>

> >

>

> > > >

>

> >

>

> > > > Client - nsswitch.conf:
> > > >
> > > > passwd:     files sss
> > > > shadow:     files sss
> > > > group:      files sss
> > > >
> > > > uid Manager
> > > > gid ldap
> > > > #base CN=vmlab,OU=Users,DC=vmlab,DC=ari,DC=cdk,DC=hosting
> > > > base DC=vmlab,DC=ari,DC=cdk,DC=hosting
> > > > uri ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting
> > > > #

>

> >

>

> > > >

>

> >

>

> > > > Client - ldapsearch:
> > > >
> > > > # ldapsearch -x -ZZ -H ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting -b dc=vmlab,dc=ari,dc=cdk,dc=hosting objectclass=*
> > > > # extended LDIF
> > > > #
> > > > # LDAPv3
> > > > # base <dc=vmlab,dc=ari,dc=cdk,dc=hosting> with scope subtree
> > > > # filter: objectclass=*
> > > > # requesting: ALL
> > > > #

>

> >

>

> > > >

>

> >

>

> > > > # vmlab.ari.cdk.hosting

>

> >

>

> > > > dn: dc=vmlab,dc=ari,dc=cdk,dc=hosting

>

> >

>

> > > > objectClass: dcObject

>

> >

>

> > > > objectClass: organization

>

> >

>

> > > > dc: vmlab

>

> >

>

> > > > o: vmlab

>

> >

>

> > > >

>

> >

>

> > > > # Users, vmlab.ari.cdk.hosting

>

> >

>

> > > > dn: ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting

>

> >

>

> > > > objectClass: organizationalUnit

>

> >

>

> > > > ou: Users

>

> >

>

> > > >

>

> >

>

> > > > # Steve xxxxxxxxx, Users, vmlab.ari.cdk.hosting

>

> >

>

> > > > dn: cn=Steve Murdoch,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting

>

> >

>

> > > > cn: Steve  xxxxxxxx

>

> >

>

> > > > sn: xxxxxxxx

>

> >

>

> > > > objectClass: inetOrgPerson

>

> >

>

> > >

>

> >

>

> > > The inetOrgPerson objectclass is not sufficient; you need to add the posixAccount objectclass to user objects and the posixGroup objectclass to group objects. These objectclasses are needed to e.g. provide the POSIX UIDs and GIDs.

>

> >

>

> > >

>

> >

>

> > > HTH

>

> >

>

> > >

>

> >

>

> > > bye,

>

> >

>

> > > Sumit

>

> >

>

> > > >

>

> >

>

> > > > userPassword:: cEBzc3cwcmQ=

>

> >

>

> > > > uid: sxxxxxxxx

>

> >

>

> > > >

>

> >

>

> > > > # Bob Jones, Users, vmlab.ari.cdk.hosting

>

> >

>

> > > > dn: cn=Bob Jones,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting

>

> >

>

> > > > cn: Bob Jones

>

> >

>

> > > > sn: Jones

>

> >

>

> > > > objectClass: inetOrgPerson

>

> >

>

> > > > userPassword:: cEBzc3cwcmQ=

>

> >

>

> > > > uid: bjones

>

> >

>

> > > >

>

> >

>

> > > > # Tom xxxxxxxx, Users, vmlab.ari.cdk.hosting

>

> >

>

> > > > dn: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting

>

> >

>

> > > > cn: Tom xxxxxxxx

>

> >

>

> > > > sn: xxxxxxxx

>

> >

>

> > > > objectClass: inetOrgPerson

>

> >

>

> > > > userPassword:: cEBzc3cwcmQ=

>

> >

>

> > > > uid: txxxxxxxx

>

> >

>

> > > >

>

> >

>

> > > > # Max xxxxxxxx, Users, vmlab.ari.cdk.hosting

>

> >

>

> > > > dn: cn=Max xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting

>

> >

>

> > > > cn: Max xxxxxxxx

>

> >

>

> > > > sn: xxxxxxxx

>

> >

>

> > > > objectClass: inetOrgPerson

>

> >

>

> > > > userPassword:: cEBzc3cwcmQ=

>

> >

>

> > > > uid: mxxxxxxxx

>

> >

>

> > > >

>

> >

>

> > > > # Platform, Users, vmlab.ari.cdk.hosting
> > > > dn: cn=Platform,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > > > cn: Platform
> > > > objectClass: groupOfNames
> > > > member: cn=Bob Jones,cn=Steve xxxxxxxx,cn=Tom xxxxxxxx,cn=Max xxxxxxxx,ou=Users  ,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > > > member: cn=Rod Stewart,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > > > member: cn=Steve xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> > > > member: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting

>

> >

>

> > > >

>

> >

>

> > > > # mpitman, Users, vmlab.ari.cdk.hosting

>

> >

>

> > > > dn: uid=mxxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting

>

> >

>

> > > > cn: Mike xxxxxxxx

>

> >

>

> > > > sn: xxxxxxxx

>

> >

>

> > > > objectClass: inetOrgPerson

>

> >

>

> > > > userPassword:: cEBzc3cwcmQ=

>

> >

>

> > > > uid: mxxxxxx

>

> >

>

> > > >

>

> >

>

> > > > # root, Users, vmlab.ari.cdk.hosting

>

> >

>

> > > > dn: uid=root,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting

>

> >

>

> > > > cn: root

>

> >

>

> > > > sn: root

>

> >

>

> > > > objectClass: inetOrgPerson

>

> >

>

> > > > userPassword:: cEBzc3cwcmQ=

>

> >

>

> > > > uid: root

>

> >

>

> > > >

>

> >

>

> > > > # search result

>

> >

>

> > > > search: 3

>

> >

>

> > > > result: 0 Success

>

> >

>

> > > >

>

> >

>

> > > > # numResponses: 10

>

> >

>

> > > > #

>

> >

>

> > > >

>

> >

>

> > > >

>

> >

>

> > > >

>

> >

>

> > > > Any help much appreciated - thanks a lot.

>

> >

>

> > > >

>

> >

>

> > > >

>

> >

>

> > > >

>

> >

>

> > > >

>

> >

>

> > > > _______________________________________________
> > > > sssd-users mailing list
> > > > sssd-users@lists.fedorahosted.org
> > > > https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org

>

> >

>

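Added example (my code, not anything from the thread or from the SSSD or OpenLDAP projects) that ties together the top post's question about 389 versus 636, its `ldapsearch -x -ZZ -H ldaps://…` command, Sumit's remark that SSSD does the authentication bind only over an encrypted connection, and the `SLAPD_LDAPS=no` line in the quoted /etc/sysconfig/ldap. It parses the three config shapes seen in the thread and reports the combinations that cannot work or that leave the server certificate unchecked. The hostnames, the `[domain/lab]` section name and the `ldap_default_authtok` placeholder are constructed; the keyword facts it encodes come from ldap.conf(5), sssd-ldap(5) and the CentOS 6 /etc/sysconfig/ldap comments quoted in the thread.

```python
"""Consistency check for the LDAP/TLS settings quoted in the thread.
Added example; constructed inputs and assumptions are marked in comments."""
from urllib.parse import urlsplit

# Constructed inputs shaped like the thread's configs (hostnames changed).
SSSD_CONF = """\
[domain/lab]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.test:636
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/CA.crt
"""
LDAP_CONF = """\
ssl start_tls
TLS_REQCERT allow
URI ldaps://ldap.example.test:636
TLS_CACERTDIR /etc/openldap/cacerts
ldap_default_authtok placeholder-not-a-real-secret
"""
SYSCONFIG_LDAP = "SLAPD_LDAP=yes\nSLAPD_LDAPI=no\nSLAPD_LDAPS=no\n"

# Keywords from the thread's ldap.conf that libldap's ldap.conf(5) does not
# read: they belong to other tools and are silently ignored there.
FOREIGN_KEYWORDS = {
    "ssl": "nss_ldap/pam_ldap", "idle_timelimit": "nss_ldap/pam_ldap",
    "bind_timelimit": "nss_ldap/pam_ldap", "ldap_default_bind_dn": "sssd.conf",
    "ldap_default_authtok": "sssd.conf", "tlscacertificatepath": "slapd.conf",
    "tlscacertificatefile": "slapd.conf",
}

def parse_conf(text, sep=None):
    """'key = value' (sep='=') or 'KEYWORD value' (sep=None) lines to a dict with
    lower-cased keys; comments, blank lines and [section] headers are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "[")):
            continue
        parts = line.split(sep, 1)
        out[parts[0].strip().lower()] = parts[1].strip() if len(parts) > 1 else ""
    return out

def uri_scheme_port(uri):
    """ldap:// defaults to 389, ldaps:// to 636."""
    u = urlsplit(uri)
    return u.scheme, u.port or (636 if u.scheme == "ldaps" else 389)

def check_ldapsearch(argv):
    """-Z/-ZZ asks for the StartTLS extended operation; on an ldaps:// URI the
    session is already TLS, so the request cannot succeed."""
    findings = []
    uri = next((argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-H"), "ldap://localhost")
    scheme, port = uri_scheme_port(uri)
    wants_starttls = any(a in ("-Z", "-ZZ") for a in argv)
    if scheme == "ldaps" and wants_starttls:
        findings.append(f"StartTLS (-Z/-ZZ) requested on {uri}, which is already TLS on port {port}: "
                        "use ldap:// with -ZZ, or ldaps:// without -Z")
    if scheme == "ldap" and not wants_starttls and "-D" in argv:
        findings.append("simple bind over plain ldap:// without -ZZ sends the password in clear")
    return findings

def check_sssd(sssd):
    """sssd-ldap(5): the auth bind is always forced onto TLS; the id connection
    is only encrypted with ldaps:// or ldap_id_use_start_tls = true."""
    findings = []
    scheme, _ = uri_scheme_port(sssd.get("ldap_uri", "ldap://localhost"))
    if scheme == "ldap" and sssd.get("ldap_id_use_start_tls", "false").lower() != "true":
        findings.append("ldap:// without ldap_id_use_start_tls = true: lookups and the default bind are plaintext")
    if sssd.get("ldap_tls_reqcert", "hard").lower() not in ("demand", "hard"):
        findings.append("ldap_tls_reqcert below demand: the server certificate is not enforced")
    if not (sssd.get("ldap_tls_cacert") or sssd.get("ldap_tls_cacertdir")):
        findings.append("no ldap_tls_cacert or ldap_tls_cacertdir: nothing to verify the server against")
    return findings

def check_ldap_conf(ldapconf):
    findings = []
    if ldapconf.get("tls_reqcert", "demand").lower() not in ("demand", "hard"):
        findings.append("TLS_REQCERT below demand: ldapsearch continues with an unverified server certificate")
    for key in ldapconf:
        if key in FOREIGN_KEYWORDS:
            findings.append(f"'{key}' is a {FOREIGN_KEYWORDS[key]} keyword; libldap ignores it here")
    return findings

def check_server(sysconfig, client_uri):
    """CentOS 6 slapd only listens on ldaps:// when SLAPD_LDAPS=yes (per the
    /etc/sysconfig/ldap comments quoted in the thread)."""
    scheme, port = uri_scheme_port(client_uri)
    if scheme == "ldaps" and sysconfig.get("slapd_ldaps", "no").lower() != "yes":
        return [f"client expects ldaps:// on port {port} but SLAPD_LDAPS is not yes: slapd is not listening there"]
    return []

def audit():
    """Run every check over the constructed inputs above."""
    sssd = parse_conf(SSSD_CONF, "=")
    ldapconf = parse_conf(LDAP_CONF)
    sysconfig = parse_conf(SYSCONFIG_LDAP, "=")
    argv = ["ldapsearch", "-x", "-ZZ", "-H", "ldaps://ldap.example.test", "-b", "dc=example,dc=test"]
    return {"ldapsearch": check_ldapsearch(argv), "sssd.conf": check_sssd(sssd),
            "ldap.conf": check_ldap_conf(ldapconf), "slapd": check_server(sysconfig, sssd["ldap_uri"])}

if __name__ == "__main__":
    for area, items in audit().items():
        print(area, "->", items or "ok")
```

Run as-is it prints one finding per area for the constructed inputs: the `-ZZ` on `ldaps://` contradiction, nothing for sssd.conf, the weak `TLS_REQCERT allow` plus the two ignored keywords in ldap.conf, and the server not listening on 636. Point `parse_conf` at real files to audit a host; the `FOREIGN_KEYWORDS` table only lists keywords that appear in this thread and can be extended.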
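Added example (my code, not from the thread or from SSSD) for Sumit's advice that user entries need posixAccount (uidNumber, gidNumber, homeDirectory), that groups need posixGroup with a gidNumber and, when they list member DNs, `ldap_schema = rfc2307bis`, and for Steve's `ldapmodify: wrong attributeType at line 5`: in a `changetype: modify` record each attribute gets its own `add:` block closed by `-`, so `uidNumber: 504` cannot simply follow `replace: objectClass`. The LDIF sample is constructed (example.test suffix, placeholder hash); the base64 `userPassword` value is the one quoted in the thread, which the checker decodes to show it carries no hash scheme.

```python
"""Audit LDAP entries for what SSSD's LDAP provider needs and build a correct
posixAccount modify LDIF.  Added example; sample data is constructed."""
import base64
import re

# Constructed sample shaped like the thread's entries (example.test suffix).
# The base64 userPassword is the value quoted in the thread.
SAMPLE_LDIF = """\
dn: cn=Bob Jones,ou=Users,dc=example,dc=test
cn: Bob Jones
sn: Jones
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: bjones

dn: uid=mike,ou=Users,dc=example,dc=test
cn: Mike Example
sn: Example
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword: {SSHA}placeholder-hash-not-real
uid: mike
uidNumber: 504
gidNumber: 100
homeDirectory: /home/mike

dn: cn=Platform,ou=Users,dc=example,dc=test
cn: Platform
objectClass: groupOfNames
member: cn=Bob Jones,ou=Users,dc=example,dc=test
"""

# userPassword values that slapd stores hashed start with a scheme tag like {SSHA}.
PASSWORD_SCHEME = re.compile(r"^\{[A-Za-z0-9-]+\}")

def parse_ldif(text):
    """LDIF text -> list of {attribute: [values]}; decodes 'attr:: base64'
    values and joins RFC 2849 continuation lines (leading space)."""
    entries, current, last_attr = [], None, None
    for raw in text.splitlines():
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = None, None
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries

def check_entry(entry):
    """Findings for one entry, following Sumit's advice in the thread."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    findings = []
    if classes & {"inetorgperson", "posixaccount"}:
        if "posixaccount" not in classes:
            findings.append("user lacks objectClass posixAccount")
        for attr in ("uidNumber", "gidNumber", "homeDirectory"):
            if attr not in entry:
                findings.append(f"user lacks {attr}")
        for pw in entry.get("userPassword", []):
            if not PASSWORD_SCHEME.match(pw):
                findings.append("userPassword stored without a hash scheme (cleartext)")
    if classes & {"groupofnames", "posixgroup"}:
        if "posixgroup" not in classes:
            findings.append("group lacks objectClass posixGroup")
        if "gidNumber" not in entry:
            findings.append("group lacks gidNumber")
        if "member" in entry:
            findings.append("group uses member DNs: needs ldap_schema = rfc2307bis")
    return findings

def audit(text):
    """{dn: [findings]} for every entry in the LDIF text."""
    return {e["dn"][0]: check_entry(e) for e in parse_ldif(text)}

def posix_modify_ldif(dn, uid_number, gid_number, home):
    """ldapmodify input that adds posixAccount: one 'add:' block per attribute,
    each closed by '-', which the thread's single 'replace:' record lacked."""
    changes = [("objectClass", "posixAccount"), ("uidNumber", str(uid_number)),
               ("gidNumber", str(gid_number)), ("homeDirectory", home)]
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in changes:
        lines += [f"add: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for dn, problems in audit(SAMPLE_LDIF).items():
        print(dn, "->", problems or "ok")
    print(posix_modify_ldif("cn=Bob Jones,ou=Users,dc=example,dc=test", 506, 100, "/home/bjones"))
```

For a real audit, feed `audit()` the output of `ldapsearch -x -LLL -b <base>` (plain LDIF), and feed the printed modify record to `ldapmodify -x -D <rootdn> -W -f`. The `add:` form keeps `inetOrgPerson` in place, whereas `replace: objectClass` would have overwritten the whole objectClass set.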