Hi - I am new to SSSD and LDAP, and my first posting - so please bare with me. # getent passwd only displays the local users - will not display the LDAP users and is driving me insane - ldapsearch seems to work I am using SSSD with TLS to authenticate to LDAP Server The CA.crt files were self signed certificates. I used # cacertdir_rehash to create to create the sym-link to the CA.crt on both Client and Server My LDAP Server hostname is 'ActDir-VM-Test' My SSSD Client hostname is 'SSSD-VM-Test'
Here are my files:
Server - /etc/openldap/slapd.conf:
allow bind_v2 allow bind_anon_dn pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile /etc/openldap/cacerts/CA.crt TLSCertificateFile /etc/openldap/cacerts/server.crt TLSCertificateKeyFile /etc/openldap/cacerts/server.key TLSCipherSuite HIGH:MEDIUM:+TLSv1 TLSVerifyClient never access to dn.sub="dc=vmlab,dc=ari,dc=cdk,dc=hosting" by anonymous read by * read access to dn.base="" by anonymous none by * read database config access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none database monitor access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.exact="cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting" read by * none access to * by users read
database bdb suffix "dc=vmlab,dc=ari,dc=cdk,dc=hosting" checkpoint 1024 15 rootdn "cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting" rootpw p@ssw0rd loglevel 256 sizelimit unlimited #
Server - ldap.conf:
TIMELIMIT 120 ssl start_tls
URI ldap://ActDir-VM-Test:389/ BASE cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting TLS_REQCERT allow
TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile /etc/openldap/cacerts/CA.crt #
Server - /etc/sysconfig/ldap:
SLAPD_LDAP=yes
# Run slapd with -h "... ldapi:/// ..." # yes/no, default: yes SLAPD_LDAPI=no
# Run slapd with -h "... ldaps:/// ..." # yes/no, default: no SLAPD_LDAPS=no #
Server - /etc/pam.d/password-auth-ac
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so
account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so
session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so #
Server: - /etc/pam.d/system-auth-ac
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so
account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so
session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so #
Server - /etc/nsswitch.conf
passwd: files sss shadow: files sss group: files sss #
Client - /etc/sssd/sssd.conf:
[sssd] services = nss, pam config_file_version = 2 domains = vmlab
authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap --enableldaptls --enableldapauth --ldapserver=ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389 --ldapbasedn=dc=vmlab,dc=ari,dc=cdk,dc=hosting --disablekrb5 --disablenis --enablerfc2307bis --enablemkhomedir --enablecachecreds --update
[domain/vmlab]
id_provider = ldap auth_provider = ldap
# Timming entry_cache_timeout = 600 ldap_network_timeout = 3
ldap_uri = ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389 ldap_user_search_base = dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting ldap_tls_reqcert = demand cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts ldap_access_filter = memberOf=CN=Manager,OU=Users,DC=ActDir-VM-Test,DC=vmlab,DC=ari,DC=cdk,DC=hosting ldap_tls_cacert = /etc/openldap/cacerts/CA.crt ldap_tls_reqcert = demand ldap_default_bind_dn = cn=Manager,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting ldap_default_authtok_type = password ldap_default_authtok = p@ssw0rd enumerate = true
[nss] filter_users = root, sshd, named, avahi, haldaemon, dbus, radiusd, news, nscd filter_groups = root, sshd, named, avahi, haldaemon, dbus, radiusd, news, nscd reconnection_retries = 3 entry_cache_timeout = 300 entry_cache_nowait_percentage = 75 debug_level = 6
[pam] reconnection_retries = 3 # The enumerate = True will only be enabled during testing - if I ever get it working - then it will be removed.
Client - /etc/openldap/ldap.conf:
idle_timelimit 3600 TIMELIMIT 120 bind_timelimit 120
SASL_NOCANON on TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile /etc/openldap/cacerts/CA.crt
#TLS_CACERTDIR /etc/openldap/cacerts #TLS_CACERT /etc/openldap/cacerts/CA.crt #TLS_CACERT /etc/openldap/cacerts/19913717.0
ssl start_tls TLS_REQCERT allow HOST ActDir-VM-Test.vmlab.ari.cdk.hosting BASE dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting URI ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389 TLS_CACERTDIR /etc/openldap/cacerts ldap_default_bind_dn cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting ldap_default_authtok p@ssw0rd BINDDN uid=Manager,ou=Users,dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting #
Client - the PAM files password-auth-ac and the system-auth-ac files are the same as the Server:
Client - nsswitch.conf:
passwd: files sss shadow: files sss group: files sss
uid Manager gid ldap #base CN=vmlab,OU=Users,DC=vmlab,DC=ari,DC=cdk,DC=hosting base DC=vmlab,DC=ari,DC=cdk,DC=hosting uri ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting #
Client - ldapsearch:
# ldapsearch -x -ZZ -H ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting -b dc=vmlab,dc=ari,dc=cdk,dc=hosting objectclass=* # extended LDIF # # LDAPv3 # base <dc=vmlab,dc=ari,dc=cdk,dc=hosting> with scope subtree # filter: objectclass=* # requesting: ALL #
# vmlab.ari.cdk.hosting dn: dc=vmlab,dc=ari,dc=cdk,dc=hosting objectClass: dcObject objectClass: organization dc: vmlab o: vmlab
# Users, vmlab.ari.cdk.hosting dn: ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting objectClass: organizationalUnit ou: Users
# Steve xxxxxxxxx, Users, vmlab.ari.cdk.hosting dn: cn=Steve Murdoch,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Steve xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: sxxxxxxxx
# Bob Jones, Users, vmlab.ari.cdk.hosting dn: cn=Bob Jones,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Bob Jones sn: Jones objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: bjones
# Tom xxxxxxxx, Users, vmlab.ari.cdk.hosting dn: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Tom xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: txxxxxxxx
# Max xxxxxxxx, Users, vmlab.ari.cdk.hosting dn: cn=Max xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Max xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: mxxxxxxxx
# Platform, Users, vmlab.ari.cdk.hosting dn: cn=Platform,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Platform objectClass: groupOfNames member: cn=Bob Jones,cn=Steve xxxxxxxx,cn=Tom xxxxxxxx,cn=Max xxxxxxxx,ou=Users ,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Rod Stewart,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Steve xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
# mpitman, Users, vmlab.ari.cdk.hosting dn: uid=mxxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Mike xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: mxxxxxx
# root, Users, vmlab.ari.cdk.hosting dn: uid=root,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: root sn: root objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: root
# search result search: 3 result: 0 Success
# numResponses: 10 #
Any help much appreciated - thanks a lot.
On Mon, Jan 25, 2016 at 01:15:46PM -0000, steven.murdoch@cdk.com wrote:
Hi - I am new to SSSD and LDAP, and my first posting - so please bare with me. # getent passwd only displays the local users - will not display the LDAP users and is driving me insane - ldapsearch seems to work I am using SSSD with TLS to authenticate to LDAP Server The CA.crt files were self signed certificates. I used # cacertdir_rehash to create to create the sym-link to the CA.crt on both Client and Server My LDAP Server hostname is 'ActDir-VM-Test' My SSSD Client hostname is 'SSSD-VM-Test'
Here are my files:
Server - /etc/openldap/slapd.conf:
allow bind_v2 allow bind_anon_dn pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile /etc/openldap/cacerts/CA.crt TLSCertificateFile /etc/openldap/cacerts/server.crt TLSCertificateKeyFile /etc/openldap/cacerts/server.key TLSCipherSuite HIGH:MEDIUM:+TLSv1 TLSVerifyClient never access to dn.sub="dc=vmlab,dc=ari,dc=cdk,dc=hosting" by anonymous read by * read access to dn.base="" by anonymous none by * read database config access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none database monitor access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.exact="cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting" read by * none access to * by users read
database bdb suffix "dc=vmlab,dc=ari,dc=cdk,dc=hosting" checkpoint 1024 15 rootdn "cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting" rootpw p@ssw0rd loglevel 256 sizelimit unlimited #
Server - ldap.conf:
TIMELIMIT 120 ssl start_tls
URI ldap://ActDir-VM-Test:389/ BASE cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting TLS_REQCERT allow
TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile /etc/openldap/cacerts/CA.crt #
Server - /etc/sysconfig/ldap:
SLAPD_LDAP=yes
# Run slapd with -h "... ldapi:/// ..." # yes/no, default: yes SLAPD_LDAPI=no
# Run slapd with -h "... ldaps:/// ..." # yes/no, default: no SLAPD_LDAPS=no #
Server - /etc/pam.d/password-auth-ac
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so
account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so
session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so #
Server: - /etc/pam.d/system-auth-ac
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so
account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so
session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so #
Server - /etc/nsswitch.conf
passwd: files sss shadow: files sss group: files sss #
Client - /etc/sssd/sssd.conf:
[sssd] services = nss, pam config_file_version = 2 domains = vmlab
authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap --enableldaptls --enableldapauth --ldapserver=ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389 --ldapbasedn=dc=vmlab,dc=ari,dc=cdk,dc=hosting --disablekrb5 --disablenis --enablerfc2307bis --enablemkhomedir --enablecachecreds --update
[domain/vmlab]
id_provider = ldap auth_provider = ldap
# Timming entry_cache_timeout = 600 ldap_network_timeout = 3
ldap_uri = ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389 ldap_user_search_base = dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting ldap_tls_reqcert = demand cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts ldap_access_filter = memberOf=CN=Manager,OU=Users,DC=ActDir-VM-Test,DC=vmlab,DC=ari,DC=cdk,DC=hosting ldap_tls_cacert = /etc/openldap/cacerts/CA.crt ldap_tls_reqcert = demand ldap_default_bind_dn = cn=Manager,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting ldap_default_authtok_type = password ldap_default_authtok = p@ssw0rd enumerate = true
[nss] filter_users = root, sshd, named, avahi, haldaemon, dbus, radiusd, news, nscd filter_groups = root, sshd, named, avahi, haldaemon, dbus, radiusd, news, nscd reconnection_retries = 3 entry_cache_timeout = 300 entry_cache_nowait_percentage = 75 debug_level = 6
[pam] reconnection_retries = 3 # The enumerate = True will only be enabled during testing - if I ever get it working - then it will be removed.
Client - /etc/openldap/ldap.conf:
idle_timelimit 3600 TIMELIMIT 120 bind_timelimit 120
SASL_NOCANON on TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile /etc/openldap/cacerts/CA.crt
#TLS_CACERTDIR /etc/openldap/cacerts #TLS_CACERT /etc/openldap/cacerts/CA.crt #TLS_CACERT /etc/openldap/cacerts/19913717.0
ssl start_tls TLS_REQCERT allow HOST ActDir-VM-Test.vmlab.ari.cdk.hosting BASE dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting URI ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389 TLS_CACERTDIR /etc/openldap/cacerts ldap_default_bind_dn cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting ldap_default_authtok p@ssw0rd BINDDN uid=Manager,ou=Users,dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting #
Client - the PAM files password-auth-ac and the system-auth-ac files are the same as the Server:
Client - nsswitch.conf:
passwd: files sss shadow: files sss group: files sss
uid Manager gid ldap #base CN=vmlab,OU=Users,DC=vmlab,DC=ari,DC=cdk,DC=hosting base DC=vmlab,DC=ari,DC=cdk,DC=hosting uri ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting #
Client - ldapsearch:
# ldapsearch -x -ZZ -H ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting -b dc=vmlab,dc=ari,dc=cdk,dc=hosting objectclass=* # extended LDIF # # LDAPv3 # base <dc=vmlab,dc=ari,dc=cdk,dc=hosting> with scope subtree # filter: objectclass=* # requesting: ALL #
# vmlab.ari.cdk.hosting dn: dc=vmlab,dc=ari,dc=cdk,dc=hosting objectClass: dcObject objectClass: organization dc: vmlab o: vmlab
# Users, vmlab.ari.cdk.hosting dn: ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting objectClass: organizationalUnit ou: Users
# Steve xxxxxxxxx, Users, vmlab.ari.cdk.hosting dn: cn=Steve Murdoch,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Steve xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson
The inetOrgPerson objectclass is not sufficient you need to add the posixAccount objectclass to user objects and the posixGroup objects to group objects. These objectclasses are needed to e.g. provided the POSIX UIDs and GIDs.
HTH
bye, Sumit
userPassword:: cEBzc3cwcmQ= uid: sxxxxxxxx
# Bob Jones, Users, vmlab.ari.cdk.hosting dn: cn=Bob Jones,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Bob Jones sn: Jones objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: bjones
# Tom xxxxxxxx, Users, vmlab.ari.cdk.hosting dn: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Tom xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: txxxxxxxx
# Max xxxxxxxx, Users, vmlab.ari.cdk.hosting dn: cn=Max xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Max xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: mxxxxxxxx
# Platform, Users, vmlab.ari.cdk.hosting dn: cn=Platform,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Platform objectClass: groupOfNames member: cn=Bob Jones,cn=Steve xxxxxxxx,cn=Tom xxxxxxxx,cn=Max xxxxxxxx,ou=Users ,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Rod Stewart,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Steve xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
# mpitman, Users, vmlab.ari.cdk.hosting dn: uid=mxxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Mike xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: mxxxxxx
# root, Users, vmlab.ari.cdk.hosting dn: uid=root,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: root sn: root objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: root
# search result search: 3 result: 0 Success
# numResponses: 10 #
Any help much appreciated - thanks a lot.
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
Hi Sumit,
Thanks for your help - I am trying to ldapmodify - added these lines to mike.ldif:
dn: uid=mxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting changetype: modify replace: objectClass objectClass: posixAccount uidNumber: 504 userPassword: p@ssw0rd cn: Mike sn: xxxxxxx gidNumber: 100 homeDirectory: /home/mxxxxxx
I used only the first 4 lines - but it complained that I need a uidNumber - so I added in line 5, but then I get this: ldapmodify: wrong attributeType at line 5, entry "uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
...what am I doing wrong?
Thanks
-----Original Message----- From: Sumit Bose [mailto:sbose@redhat.com] Sent: 25 January 2016 13:57 To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
On Mon, Jan 25, 2016 at 01:15:46PM -0000, steven.murdoch@cdk.com wrote:
Hi - I am new to SSSD and LDAP, and my first posting - so please bare with me. # getent passwd only displays the local users - will not display the LDAP users and is driving me insane - ldapsearch seems to work I am using SSSD with TLS to authenticate to LDAP Server The CA.crt files were self signed certificates. I used # cacertdir_rehash to create to create the sym-link to the CA.crt on both Client and Server My LDAP Server hostname is 'ActDir-VM-Test' My SSSD Client hostname is 'SSSD-VM-Test'
Here are my files:
Server - /etc/openldap/slapd.conf:
allow bind_v2 allow bind_anon_dn pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile /etc/openldap/cacerts/CA.crt TLSCertificateFile /etc/openldap/cacerts/server.crt TLSCertificateKeyFile /etc/openldap/cacerts/server.key TLSCipherSuite HIGH:MEDIUM:+TLSv1 TLSVerifyClient never access to dn.sub="dc=vmlab,dc=ari,dc=cdk,dc=hosting" by anonymous read by * read access to dn.base="" by anonymous none by * read database config access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none database monitor access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.exact="cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting" read by * none access to * by users read
database bdb suffix "dc=vmlab,dc=ari,dc=cdk,dc=hosting" checkpoint 1024 15 rootdn "cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting" rootpw p@ssw0rd loglevel 256 sizelimit unlimited #
Server - ldap.conf:
TIMELIMIT 120 ssl start_tls
URI ldap://ActDir-VM-Test:389/ BASE cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting TLS_REQCERT allow
TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile /etc/openldap/cacerts/CA.crt #
Server - /etc/sysconfig/ldap:
SLAPD_LDAP=yes
# Run slapd with -h "... ldapi:/// ..." # yes/no, default: yes SLAPD_LDAPI=no
# Run slapd with -h "... ldaps:/// ..." # yes/no, default: no SLAPD_LDAPS=no #
Server - /etc/pam.d/password-auth-ac
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so
account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so
session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so #
Server: - /etc/pam.d/system-auth-ac
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so
account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so
session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so #
Server - /etc/nsswitch.conf
passwd: files sss shadow: files sss group: files sss #
Client - /etc/sssd/sssd.conf:
[sssd] services = nss, pam config_file_version = 2 domains = vmlab
authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap --enableldaptls --enableldapauth --ldapserver=ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389 --ldapbasedn=dc=vmlab,dc=ari,dc=cdk,dc=hosting --disablekrb5 --disablenis --enablerfc2307bis --enablemkhomedir --enablecachecreds --update
[domain/vmlab]
id_provider = ldap auth_provider = ldap
# Timming entry_cache_timeout = 600 ldap_network_timeout = 3
ldap_uri = ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389 ldap_user_search_base = dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting ldap_tls_reqcert = demand cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts ldap_access_filter = memberOf=CN=Manager,OU=Users,DC=ActDir-VM-Test,DC=vmlab,DC=ari,DC=cdk, DC=hosting ldap_tls_cacert = /etc/openldap/cacerts/CA.crt ldap_tls_reqcert = demand ldap_default_bind_dn = cn=Manager,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting ldap_default_authtok_type = password ldap_default_authtok = p@ssw0rd enumerate = true
[nss] filter_users = root, sshd, named, avahi, haldaemon, dbus, radiusd, news, nscd filter_groups = root, sshd, named, avahi, haldaemon, dbus, radiusd, news, nscd reconnection_retries = 3 entry_cache_timeout = 300 entry_cache_nowait_percentage = 75 debug_level = 6
[pam] reconnection_retries = 3 # The enumerate = True will only be enabled during testing - if I ever get it working - then it will be removed.
Client - /etc/openldap/ldap.conf:
idle_timelimit 3600 TIMELIMIT 120 bind_timelimit 120
SASL_NOCANON on TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile /etc/openldap/cacerts/CA.crt
#TLS_CACERTDIR /etc/openldap/cacerts #TLS_CACERT /etc/openldap/cacerts/CA.crt #TLS_CACERT /etc/openldap/cacerts/19913717.0
ssl start_tls TLS_REQCERT allow HOST ActDir-VM-Test.vmlab.ari.cdk.hosting BASE dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting URI ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389 TLS_CACERTDIR /etc/openldap/cacerts ldap_default_bind_dn cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting ldap_default_authtok p@ssw0rd BINDDN uid=Manager,ou=Users,dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosti ng #
Client - the PAM files password-auth-ac and the system-auth-ac files are the same as the Server:
Client - nsswitch.conf:
passwd: files sss shadow: files sss group: files sss
uid Manager gid ldap #base CN=vmlab,OU=Users,DC=vmlab,DC=ari,DC=cdk,DC=hosting base DC=vmlab,DC=ari,DC=cdk,DC=hosting uri ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting #
Client - ldapsearch:
# ldapsearch -x -ZZ -H ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting -b dc=vmlab,dc=ari,dc=cdk,dc=hosting objectclass=* # extended LDIF # # LDAPv3 # base <dc=vmlab,dc=ari,dc=cdk,dc=hosting> with scope subtree # filter: objectclass=* # requesting: ALL #
# vmlab.ari.cdk.hosting dn: dc=vmlab,dc=ari,dc=cdk,dc=hosting objectClass: dcObject objectClass: organization dc: vmlab o: vmlab
# Users, vmlab.ari.cdk.hosting dn: ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting objectClass: organizationalUnit ou: Users
# Steve xxxxxxxxx, Users, vmlab.ari.cdk.hosting dn: cn=Steve Murdoch,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Steve xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson
The inetOrgPerson objectclass is not sufficient you need to add the posixAccount objectclass to user objects and the posixGroup objects to group objects. These objectclasses are needed to e.g. provided the POSIX UIDs and GIDs.
HTH
bye, Sumit
userPassword:: cEBzc3cwcmQ= uid: sxxxxxxxx
# Bob Jones, Users, vmlab.ari.cdk.hosting dn: cn=Bob Jones,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Bob Jones sn: Jones objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: bjones
# Tom xxxxxxxx, Users, vmlab.ari.cdk.hosting dn: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Tom xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: txxxxxxxx
# Max xxxxxxxx, Users, vmlab.ari.cdk.hosting dn: cn=Max xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Max xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: mxxxxxxxx
# Platform, Users, vmlab.ari.cdk.hosting dn: cn=Platform,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Platform objectClass: groupOfNames member: cn=Bob Jones,cn=Steve xxxxxxxx,cn=Tom xxxxxxxx,cn=Max xxxxxxxx,ou=Users ,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Rod Stewart,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Steve xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
# mpitman, Users, vmlab.ari.cdk.hosting dn: uid=mxxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Mike xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: mxxxxxx
# root, Users, vmlab.ari.cdk.hosting dn: uid=root,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: root sn: root objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: root
# search result search: 3 result: 0 Success
# numResponses: 10 #
Any help much appreciated - thanks a lot.
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahost ed.org
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
---------------------------------------------------------------------- This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.
On Mon, Jan 25, 2016 at 02:55:22PM +0000, Murdoch, Steven wrote:
Hi Sumit,
Thanks for your help - I am trying to ldapmodify - added these lines to mike.ldif:
dn: uid=mxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting changetype: modify replace: objectClass objectClass: posixAccount uidNumber: 504 userPassword: p@ssw0rd cn: Mike sn: xxxxxxx gidNumber: 100 homeDirectory: /home/mxxxxxx
I used only the first 4 lines - but it complained that I need a uidNumber - so I added in line 5, but then I get this: ldapmodify: wrong attributeType at line 5, entry "uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
...what am I doing wrong?
Please see e.g. 'man ldapmodify' for a description of the ldif format.
You do not need to replace the objectClass, just add an additional one. But you have to add the new attributes:
dn: uid=mxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting changetype: modify add: objectClass objectClass: posixAccount - add: uidNumber uidNumber: 504 - ...
might work better. Please note that ldif is quite picky, there should be no trailing whitespaces.
HTH
bye, Sumit
Thanks
-----Original Message----- From: Sumit Bose [mailto:sbose@redhat.com] Sent: 25 January 2016 13:57 To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
On Mon, Jan 25, 2016 at 01:15:46PM -0000, steven.murdoch@cdk.com wrote:
Hi - I am new to SSSD and LDAP, and my first posting - so please bare with me. # getent passwd only displays the local users - will not display the LDAP users and is driving me insane - ldapsearch seems to work I am using SSSD with TLS to authenticate to LDAP Server The CA.crt files were self signed certificates. I used # cacertdir_rehash to create to create the sym-link to the CA.crt on both Client and Server My LDAP Server hostname is 'ActDir-VM-Test' My SSSD Client hostname is 'SSSD-VM-Test'
Here are my files:
Server - /etc/openldap/slapd.conf:
allow bind_v2 allow bind_anon_dn pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile /etc/openldap/cacerts/CA.crt TLSCertificateFile /etc/openldap/cacerts/server.crt TLSCertificateKeyFile /etc/openldap/cacerts/server.key TLSCipherSuite HIGH:MEDIUM:+TLSv1 TLSVerifyClient never access to dn.sub="dc=vmlab,dc=ari,dc=cdk,dc=hosting" by anonymous read by * read access to dn.base="" by anonymous none by * read database config access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none database monitor access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.exact="cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting" read by * none access to * by users read
database bdb suffix "dc=vmlab,dc=ari,dc=cdk,dc=hosting" checkpoint 1024 15 rootdn "cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting" rootpw p@ssw0rd loglevel 256 sizelimit unlimited #
Server - ldap.conf:
TIMELIMIT 120 ssl start_tls
URI ldap://ActDir-VM-Test:389/ BASE cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting TLS_REQCERT allow
TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile /etc/openldap/cacerts/CA.crt #
Server - /etc/sysconfig/ldap:
SLAPD_LDAP=yes
# Run slapd with -h "... ldapi:/// ..." # yes/no, default: yes SLAPD_LDAPI=no
# Run slapd with -h "... ldaps:/// ..." # yes/no, default: no SLAPD_LDAPS=no #
Server - /etc/pam.d/password-auth-ac
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so
account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so
session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so #
Server: - /etc/pam.d/system-auth-ac
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so
account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so
session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so #
Server - /etc/nsswitch.conf
passwd: files sss shadow: files sss group: files sss #
Client - /etc/sssd/sssd.conf:
[sssd] services = nss, pam config_file_version = 2 domains = vmlab
authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap --enableldaptls --enableldapauth --ldapserver=ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389 --ldapbasedn=dc=vmlab,dc=ari,dc=cdk,dc=hosting --disablekrb5 --disablenis --enablerfc2307bis --enablemkhomedir --enablecachecreds --update
[domain/vmlab]
id_provider = ldap auth_provider = ldap
# Timming entry_cache_timeout = 600 ldap_network_timeout = 3
ldap_uri = ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389 ldap_user_search_base = dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting ldap_tls_reqcert = demand cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts ldap_access_filter = memberOf=CN=Manager,OU=Users,DC=ActDir-VM-Test,DC=vmlab,DC=ari,DC=cdk, DC=hosting ldap_tls_cacert = /etc/openldap/cacerts/CA.crt ldap_tls_reqcert = demand ldap_default_bind_dn = cn=Manager,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting ldap_default_authtok_type = password ldap_default_authtok = p@ssw0rd enumerate = true
[nss] filter_users = root, sshd, named, avahi, haldaemon, dbus, radiusd, news, nscd filter_groups = root, sshd, named, avahi, haldaemon, dbus, radiusd, news, nscd reconnection_retries = 3 entry_cache_timeout = 300 entry_cache_nowait_percentage = 75 debug_level = 6
[pam] reconnection_retries = 3 # The enumerate = True will only be enabled during testing - if I ever get it working - then it will be removed.
Client - /etc/openldap/ldap.conf:
idle_timelimit 3600 TIMELIMIT 120 bind_timelimit 120
SASL_NOCANON on TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile /etc/openldap/cacerts/CA.crt
#TLS_CACERTDIR /etc/openldap/cacerts #TLS_CACERT /etc/openldap/cacerts/CA.crt #TLS_CACERT /etc/openldap/cacerts/19913717.0
ssl start_tls TLS_REQCERT allow HOST ActDir-VM-Test.vmlab.ari.cdk.hosting BASE dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting URI ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389 TLS_CACERTDIR /etc/openldap/cacerts ldap_default_bind_dn cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting ldap_default_authtok p@ssw0rd BINDDN uid=Manager,ou=Users,dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosti ng #
Client - the PAM files password-auth-ac and the system-auth-ac files are the same as the Server:
Client - nsswitch.conf:
passwd: files sss shadow: files sss group: files sss
uid Manager gid ldap #base CN=vmlab,OU=Users,DC=vmlab,DC=ari,DC=cdk,DC=hosting base DC=vmlab,DC=ari,DC=cdk,DC=hosting uri ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting #
Client - ldapsearch:
# ldapsearch -x -ZZ -H ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting -b dc=vmlab,dc=ari,dc=cdk,dc=hosting objectclass=* # extended LDIF # # LDAPv3 # base <dc=vmlab,dc=ari,dc=cdk,dc=hosting> with scope subtree # filter: objectclass=* # requesting: ALL #
# vmlab.ari.cdk.hosting dn: dc=vmlab,dc=ari,dc=cdk,dc=hosting objectClass: dcObject objectClass: organization dc: vmlab o: vmlab
# Users, vmlab.ari.cdk.hosting dn: ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting objectClass: organizationalUnit ou: Users
# Steve xxxxxxxxx, Users, vmlab.ari.cdk.hosting dn: cn=Steve Murdoch,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Steve xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson
The inetOrgPerson objectclass is not sufficient you need to add the posixAccount objectclass to user objects and the posixGroup objects to group objects. These objectclasses are needed to e.g. provided the POSIX UIDs and GIDs.
HTH
bye, Sumit
userPassword:: cEBzc3cwcmQ= uid: sxxxxxxxx
# Bob Jones, Users, vmlab.ari.cdk.hosting dn: cn=Bob Jones,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Bob Jones sn: Jones objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: bjones
# Tom xxxxxxxx, Users, vmlab.ari.cdk.hosting dn: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Tom xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: txxxxxxxx
# Max xxxxxxxx, Users, vmlab.ari.cdk.hosting dn: cn=Max xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Max xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: mxxxxxxxx
# Platform, Users, vmlab.ari.cdk.hosting dn: cn=Platform,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Platform objectClass: groupOfNames member: cn=Bob Jones,cn=Steve xxxxxxxx,cn=Tom xxxxxxxx,cn=Max xxxxxxxx,ou=Users ,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Rod Stewart,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Steve xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
# mpitman, Users, vmlab.ari.cdk.hosting dn: uid=mxxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Mike xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: mxxxxxx
# root, Users, vmlab.ari.cdk.hosting dn: uid=root,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: root sn: root objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: root
# search result search: 3 result: 0 Success
# numResponses: 10 #
Any help much appreciated - thanks a lot.
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahost ed.org
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system. _______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
Hi Sumit,
I think I have managed to add in the posixAccount to a user - when I ldapsearch from the client - I get this info for this user:
# mxxxxxx, Users, vmlab.ari.cdk.hosting dn: uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Mike xxxxxx sn: xxxxxx objectClass: inetOrgPerson objectClass: posixAccount userPassword:: cEBzc3cwcmQ= uid: mxxxxxx uidNumber: 504 gidNumber: 100 homeDirectory: /home/mxxxxxx
..I then tried getent passwd - but same as before I only get local users ! Is there something else that needs a tweak to allow 'getent passwd' to show the ldap users?
Thanks a lot.
-----Original Message----- From: Murdoch, Steve Sent: 25 January 2016 14:55 To: 'End-user discussions about the System Security Services Daemon' Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
Hi Sumit,
Thanks for your help - I am trying to ldapmodify - added these lines to mike.ldif:
dn: uid=mxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting changetype: modify replace: objectClass objectClass: posixAccount uidNumber: 504 userPassword: p@ssw0rd cn: Mike sn: xxxxxxx gidNumber: 100 homeDirectory: /home/mxxxxxx
I used only the first 4 lines - but it complained that I need a uidNumber - so I added in line 5, but then I get this: ldapmodify: wrong attributeType at line 5, entry "uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
...what am I doing wrong?
Thanks
-----Original Message----- From: Sumit Bose [mailto:sbose@redhat.com] Sent: 25 January 2016 13:57 To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
On Mon, Jan 25, 2016 at 01:15:46PM -0000, steven.murdoch@cdk.com wrote:
Hi - I am new to SSSD and LDAP, and my first posting - so please bare with me. # getent passwd only displays the local users - will not display the LDAP users and is driving me insane - ldapsearch seems to work I am using SSSD with TLS to authenticate to LDAP Server The CA.crt files were self signed certificates. I used # cacertdir_rehash to create to create the sym-link to the CA.crt on both Client and Server My LDAP Server hostname is 'ActDir-VM-Test' My SSSD Client hostname is 'SSSD-VM-Test'
Here are my files:
Server - /etc/openldap/slapd.conf:
allow bind_v2 allow bind_anon_dn pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile /etc/openldap/cacerts/CA.crt TLSCertificateFile /etc/openldap/cacerts/server.crt TLSCertificateKeyFile /etc/openldap/cacerts/server.key TLSCipherSuite HIGH:MEDIUM:+TLSv1 TLSVerifyClient never access to dn.sub="dc=vmlab,dc=ari,dc=cdk,dc=hosting" by anonymous read by * read access to dn.base="" by anonymous none by * read database config access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none database monitor access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.exact="cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting" read by * none access to * by users read
database bdb suffix "dc=vmlab,dc=ari,dc=cdk,dc=hosting" checkpoint 1024 15 rootdn "cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting" rootpw p@ssw0rd loglevel 256 sizelimit unlimited #
Server - ldap.conf:
TIMELIMIT 120 ssl start_tls
URI ldap://ActDir-VM-Test:389/ BASE cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting TLS_REQCERT allow
TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile /etc/openldap/cacerts/CA.crt #
Server - /etc/sysconfig/ldap:
SLAPD_LDAP=yes
# Run slapd with -h "... ldapi:/// ..." # yes/no, default: yes SLAPD_LDAPI=no
# Run slapd with -h "... ldaps:/// ..." # yes/no, default: no SLAPD_LDAPS=no #
Server - /etc/pam.d/password-auth-ac
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so
account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so
session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so #
Server: - /etc/pam.d/system-auth-ac
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so
account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so
session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so #
Server - /etc/nsswitch.conf
passwd: files sss shadow: files sss group: files sss #
Client - /etc/sssd/sssd.conf:
[sssd] services = nss, pam config_file_version = 2 domains = vmlab
authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap --enableldaptls --enableldapauth --ldapserver=ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389 --ldapbasedn=dc=vmlab,dc=ari,dc=cdk,dc=hosting --disablekrb5 --disablenis --enablerfc2307bis --enablemkhomedir --enablecachecreds --update
[domain/vmlab]
id_provider = ldap auth_provider = ldap
# Timming entry_cache_timeout = 600 ldap_network_timeout = 3
ldap_uri = ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389 ldap_user_search_base = dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting ldap_tls_reqcert = demand cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts ldap_access_filter = memberOf=CN=Manager,OU=Users,DC=ActDir-VM-Test,DC=vmlab,DC=ari,DC=cdk, DC=hosting ldap_tls_cacert = /etc/openldap/cacerts/CA.crt ldap_tls_reqcert = demand ldap_default_bind_dn = cn=Manager,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting ldap_default_authtok_type = password ldap_default_authtok = p@ssw0rd enumerate = true
[nss] filter_users = root, sshd, named, avahi, haldaemon, dbus, radiusd, news, nscd filter_groups = root, sshd, named, avahi, haldaemon, dbus, radiusd, news, nscd reconnection_retries = 3 entry_cache_timeout = 300 entry_cache_nowait_percentage = 75 debug_level = 6
[pam] reconnection_retries = 3 # The enumerate = True will only be enabled during testing - if I ever get it working - then it will be removed.
Client - /etc/openldap/ldap.conf:
idle_timelimit 3600 TIMELIMIT 120 bind_timelimit 120
SASL_NOCANON on TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile /etc/openldap/cacerts/CA.crt
#TLS_CACERTDIR /etc/openldap/cacerts #TLS_CACERT /etc/openldap/cacerts/CA.crt #TLS_CACERT /etc/openldap/cacerts/19913717.0
ssl start_tls TLS_REQCERT allow HOST ActDir-VM-Test.vmlab.ari.cdk.hosting BASE dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting URI ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389 TLS_CACERTDIR /etc/openldap/cacerts ldap_default_bind_dn cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting ldap_default_authtok p@ssw0rd BINDDN uid=Manager,ou=Users,dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosti ng #
Client - the PAM files password-auth-ac and the system-auth-ac files are the same as the Server:
Client - nsswitch.conf:
passwd: files sss shadow: files sss group: files sss
uid Manager gid ldap #base CN=vmlab,OU=Users,DC=vmlab,DC=ari,DC=cdk,DC=hosting base DC=vmlab,DC=ari,DC=cdk,DC=hosting uri ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting #
Client - ldapsearch:
# ldapsearch -x -ZZ -H ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting -b dc=vmlab,dc=ari,dc=cdk,dc=hosting objectclass=* # extended LDIF # # LDAPv3 # base <dc=vmlab,dc=ari,dc=cdk,dc=hosting> with scope subtree # filter: objectclass=* # requesting: ALL #
# vmlab.ari.cdk.hosting dn: dc=vmlab,dc=ari,dc=cdk,dc=hosting objectClass: dcObject objectClass: organization dc: vmlab o: vmlab
# Users, vmlab.ari.cdk.hosting dn: ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting objectClass: organizationalUnit ou: Users
# Steve xxxxxxxxx, Users, vmlab.ari.cdk.hosting dn: cn=Steve Murdoch,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Steve xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson
The inetOrgPerson objectclass is not sufficient you need to add the posixAccount objectclass to user objects and the posixGroup objects to group objects. These objectclasses are needed to e.g. provided the POSIX UIDs and GIDs.
HTH
bye, Sumit
userPassword:: cEBzc3cwcmQ= uid: sxxxxxxxx
# Bob Jones, Users, vmlab.ari.cdk.hosting dn: cn=Bob Jones,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Bob Jones sn: Jones objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: bjones
# Tom xxxxxxxx, Users, vmlab.ari.cdk.hosting dn: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Tom xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: txxxxxxxx
# Max xxxxxxxx, Users, vmlab.ari.cdk.hosting dn: cn=Max xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Max xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: mxxxxxxxx
# Platform, Users, vmlab.ari.cdk.hosting dn: cn=Platform,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Platform objectClass: groupOfNames member: cn=Bob Jones,cn=Steve xxxxxxxx,cn=Tom xxxxxxxx,cn=Max xxxxxxxx,ou=Users ,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Rod Stewart,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Steve xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
# mpitman, Users, vmlab.ari.cdk.hosting dn: uid=mxxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Mike xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: mxxxxxx
# root, Users, vmlab.ari.cdk.hosting dn: uid=root,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: root sn: root objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: root
# search result search: 3 result: 0 Success
# numResponses: 10 #
Any help much appreciated - thanks a lot.
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahost ed.org
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
---------------------------------------------------------------------- This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.
On Mon, Jan 25, 2016 at 03:55:45PM +0000, Murdoch, Steven wrote:
Hi Sumit,
I think I have managed to add in the posixAccount to a user - when I ldapsearch from the client - I get this info for this user:
# mxxxxxx, Users, vmlab.ari.cdk.hosting dn: uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Mike xxxxxx sn: xxxxxx objectClass: inetOrgPerson objectClass: posixAccount userPassword:: cEBzc3cwcmQ= uid: mxxxxxx uidNumber: 504 gidNumber: 100 homeDirectory: /home/mxxxxxx
..I then tried getent passwd - but same as before I only get local users ! Is there something else that needs a tweak to allow 'getent passwd' to show the ldap users?
you have to add the primary group with GID 100 on the LDAP server as well. If this still does not work please attach the nss and domain logs (see https://fedorahosted.org/sssd/wiki/Troubleshooting for details).
bye, Sumit
Thanks a lot.
-----Original Message----- From: Murdoch, Steve Sent: 25 January 2016 14:55 To: 'End-user discussions about the System Security Services Daemon' Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
Hi Sumit,
Thanks for your help - I am trying to ldapmodify - added these lines to mike.ldif:
dn: uid=mxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting changetype: modify replace: objectClass objectClass: posixAccount uidNumber: 504 userPassword: p@ssw0rd cn: Mike sn: xxxxxxx gidNumber: 100 homeDirectory: /home/mxxxxxx
I used only the first 4 lines - but it complained that I need a uidNumber - so I added in line 5, but then I get this: ldapmodify: wrong attributeType at line 5, entry "uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
...what am I doing wrong?
Thanks
-----Original Message----- From: Sumit Bose [mailto:sbose@redhat.com] Sent: 25 January 2016 13:57 To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
On Mon, Jan 25, 2016 at 01:15:46PM -0000, steven.murdoch@cdk.com wrote:
Hi - I am new to SSSD and LDAP, and my first posting - so please bare with me. # getent passwd only displays the local users - will not display the LDAP users and is driving me insane - ldapsearch seems to work I am using SSSD with TLS to authenticate to LDAP Server The CA.crt files were self signed certificates. I used # cacertdir_rehash to create to create the sym-link to the CA.crt on both Client and Server My LDAP Server hostname is 'ActDir-VM-Test' My SSSD Client hostname is 'SSSD-VM-Test'
Here are my files:
Server - /etc/openldap/slapd.conf:
allow bind_v2 allow bind_anon_dn pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile /etc/openldap/cacerts/CA.crt TLSCertificateFile /etc/openldap/cacerts/server.crt TLSCertificateKeyFile /etc/openldap/cacerts/server.key TLSCipherSuite HIGH:MEDIUM:+TLSv1 TLSVerifyClient never access to dn.sub="dc=vmlab,dc=ari,dc=cdk,dc=hosting" by anonymous read by * read access to dn.base="" by anonymous none by * read database config access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none database monitor access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.exact="cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting" read by * none access to * by users read
database bdb suffix "dc=vmlab,dc=ari,dc=cdk,dc=hosting" checkpoint 1024 15 rootdn "cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting" rootpw p@ssw0rd loglevel 256 sizelimit unlimited #
Server - ldap.conf:
TIMELIMIT 120 ssl start_tls
URI ldap://ActDir-VM-Test:389/ BASE cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting TLS_REQCERT allow
TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile /etc/openldap/cacerts/CA.crt #
Server - /etc/sysconfig/ldap:
SLAPD_LDAP=yes
# Run slapd with -h "... ldapi:/// ..." # yes/no, default: yes SLAPD_LDAPI=no
# Run slapd with -h "... ldaps:/// ..." # yes/no, default: no SLAPD_LDAPS=no #
Server - /etc/pam.d/password-auth-ac
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so
account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so
session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so #
Server: - /etc/pam.d/system-auth-ac
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so
account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so
session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so #
Server - /etc/nsswitch.conf
passwd: files sss shadow: files sss group: files sss #
Client - /etc/sssd/sssd.conf:
[sssd] services = nss, pam config_file_version = 2 domains = vmlab
authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap --enableldaptls --enableldapauth --ldapserver=ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389 --ldapbasedn=dc=vmlab,dc=ari,dc=cdk,dc=hosting --disablekrb5 --disablenis --enablerfc2307bis --enablemkhomedir --enablecachecreds --update
[domain/vmlab]
id_provider = ldap auth_provider = ldap
# Timming entry_cache_timeout = 600 ldap_network_timeout = 3
ldap_uri = ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389 ldap_user_search_base = dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting ldap_tls_reqcert = demand cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts ldap_access_filter = memberOf=CN=Manager,OU=Users,DC=ActDir-VM-Test,DC=vmlab,DC=ari,DC=cdk, DC=hosting ldap_tls_cacert = /etc/openldap/cacerts/CA.crt ldap_tls_reqcert = demand ldap_default_bind_dn = cn=Manager,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting ldap_default_authtok_type = password ldap_default_authtok = p@ssw0rd enumerate = true
[nss] filter_users = root, sshd, named, avahi, haldaemon, dbus, radiusd, news, nscd filter_groups = root, sshd, named, avahi, haldaemon, dbus, radiusd, news, nscd reconnection_retries = 3 entry_cache_timeout = 300 entry_cache_nowait_percentage = 75 debug_level = 6
[pam] reconnection_retries = 3 # The enumerate = True will only be enabled during testing - if I ever get it working - then it will be removed.
Client - /etc/openldap/ldap.conf:
idle_timelimit 3600 TIMELIMIT 120 bind_timelimit 120
SASL_NOCANON on TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile /etc/openldap/cacerts/CA.crt
#TLS_CACERTDIR /etc/openldap/cacerts #TLS_CACERT /etc/openldap/cacerts/CA.crt #TLS_CACERT /etc/openldap/cacerts/19913717.0
ssl start_tls TLS_REQCERT allow HOST ActDir-VM-Test.vmlab.ari.cdk.hosting BASE dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting URI ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389 TLS_CACERTDIR /etc/openldap/cacerts ldap_default_bind_dn cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting ldap_default_authtok p@ssw0rd BINDDN uid=Manager,ou=Users,dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosti ng #
Client - the PAM files password-auth-ac and the system-auth-ac files are the same as the Server:
Client - nsswitch.conf:
passwd: files sss shadow: files sss group: files sss
uid Manager gid ldap #base CN=vmlab,OU=Users,DC=vmlab,DC=ari,DC=cdk,DC=hosting base DC=vmlab,DC=ari,DC=cdk,DC=hosting uri ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting #
Client - ldapsearch:
# ldapsearch -x -ZZ -H ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting -b dc=vmlab,dc=ari,dc=cdk,dc=hosting objectclass=* # extended LDIF # # LDAPv3 # base <dc=vmlab,dc=ari,dc=cdk,dc=hosting> with scope subtree # filter: objectclass=* # requesting: ALL #
# vmlab.ari.cdk.hosting dn: dc=vmlab,dc=ari,dc=cdk,dc=hosting objectClass: dcObject objectClass: organization dc: vmlab o: vmlab
# Users, vmlab.ari.cdk.hosting dn: ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting objectClass: organizationalUnit ou: Users
# Steve xxxxxxxxx, Users, vmlab.ari.cdk.hosting dn: cn=Steve Murdoch,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Steve xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson
The inetOrgPerson objectclass is not sufficient you need to add the posixAccount objectclass to user objects and the posixGroup objects to group objects. These objectclasses are needed to e.g. provided the POSIX UIDs and GIDs.
HTH
bye, Sumit
userPassword:: cEBzc3cwcmQ= uid: sxxxxxxxx
# Bob Jones, Users, vmlab.ari.cdk.hosting dn: cn=Bob Jones,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Bob Jones sn: Jones objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: bjones
# Tom xxxxxxxx, Users, vmlab.ari.cdk.hosting dn: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Tom xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: txxxxxxxx
# Max xxxxxxxx, Users, vmlab.ari.cdk.hosting dn: cn=Max xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Max xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: mxxxxxxxx
# Platform, Users, vmlab.ari.cdk.hosting dn: cn=Platform,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Platform objectClass: groupOfNames member: cn=Bob Jones,cn=Steve xxxxxxxx,cn=Tom xxxxxxxx,cn=Max xxxxxxxx,ou=Users ,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Rod Stewart,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Steve xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
# mpitman, Users, vmlab.ari.cdk.hosting dn: uid=mxxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Mike xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: mxxxxxx
# root, Users, vmlab.ari.cdk.hosting dn: uid=root,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: root sn: root objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: root
# search result search: 3 result: 0 Success
# numResponses: 10 #
Any help much appreciated - thanks a lot.
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahost ed.org
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system. _______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
Hi Sumit,
The Primary group 100 exists on the LDAP Server and on the SSSD Client - but the users only exist on the LDAP server (no users added to SSSD).
Sorry, I am not clear what you mean:
you have to add the primary group with GID 100 on the LDAP server as well
Attached are the nss and domain logs on the SSSD Client as requested.
Thanks
-----Original Message----- From: Sumit Bose [mailto:sbose@redhat.com] Sent: 25 January 2016 17:24 To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
On Mon, Jan 25, 2016 at 03:55:45PM +0000, Murdoch, Steven wrote:
Hi Sumit,
I think I have managed to add in the posixAccount to a user - when I ldapsearch from the client - I get this info for this user:
# mxxxxxx, Users, vmlab.ari.cdk.hosting dn: uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Mike xxxxxx sn: xxxxxx objectClass: inetOrgPerson objectClass: posixAccount userPassword:: cEBzc3cwcmQ= uid: mxxxxxx uidNumber: 504 gidNumber: 100 homeDirectory: /home/mxxxxxx
..I then tried getent passwd - but same as before I only get local users ! Is there something else that needs a tweak to allow 'getent passwd' to show the ldap users?
you have to add the primary group with GID 100 on the LDAP server as well. If this still does not work please attach the nss and domain logs (see https://fedorahosted.org/sssd/wiki/Troubleshooting for details).
bye, Sumit
Thanks a lot.
-----Original Message----- From: Murdoch, Steve Sent: 25 January 2016 14:55 To: 'End-user discussions about the System Security Services Daemon' Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
Hi Sumit,
Thanks for your help - I am trying to ldapmodify - added these lines to mike.ldif:
dn: uid=mxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting changetype: modify replace: objectClass objectClass: posixAccount uidNumber: 504 userPassword: p@ssw0rd cn: Mike sn: xxxxxxx gidNumber: 100 homeDirectory: /home/mxxxxxx
I used only the first 4 lines - but it complained that I need a uidNumber - so I added in line 5, but then I get this: ldapmodify: wrong attributeType at line 5, entry "uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
...what am I doing wrong?
Thanks
-----Original Message----- From: Sumit Bose [mailto:sbose@redhat.com] Sent: 25 January 2016 13:57 To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
On Mon, Jan 25, 2016 at 01:15:46PM -0000, steven.murdoch@cdk.com wrote:
Hi - I am new to SSSD and LDAP, and my first posting - so please bare with me. # getent passwd only displays the local users - will not display the LDAP users and is driving me insane - ldapsearch seems to work I am using SSSD with TLS to authenticate to LDAP Server The CA.crt files were self signed certificates. I used # cacertdir_rehash to create to create the sym-link to the CA.crt on both Client and Server My LDAP Server hostname is 'ActDir-VM-Test' My SSSD Client hostname is 'SSSD-VM-Test'
Here are my files:
Server - /etc/openldap/slapd.conf:
allow bind_v2 allow bind_anon_dn pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile /etc/openldap/cacerts/CA.crt TLSCertificateFile /etc/openldap/cacerts/server.crt TLSCertificateKeyFile /etc/openldap/cacerts/server.key TLSCipherSuite HIGH:MEDIUM:+TLSv1 TLSVerifyClient never access to dn.sub="dc=vmlab,dc=ari,dc=cdk,dc=hosting" by anonymous read by * read access to dn.base="" by anonymous none by * read database config access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none database monitor access to * by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.exact="cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting" read by * none access to * by users read
database bdb suffix "dc=vmlab,dc=ari,dc=cdk,dc=hosting" checkpoint 1024 15 rootdn "cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting" rootpw p@ssw0rd loglevel 256 sizelimit unlimited #
Server - ldap.conf:
TIMELIMIT 120 ssl start_tls
URI ldap://ActDir-VM-Test:389/ BASE cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting TLS_REQCERT allow
TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile /etc/openldap/cacerts/CA.crt #
Server - /etc/sysconfig/ldap:
SLAPD_LDAP=yes
# Run slapd with -h "... ldapi:/// ..." # yes/no, default: yes SLAPD_LDAPI=no
# Run slapd with -h "... ldaps:/// ..." # yes/no, default: no SLAPD_LDAPS=no #
Server - /etc/pam.d/password-auth-ac
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so
account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so
session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so #
Server: - /etc/pam.d/system-auth-ac
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so
account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so
session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so #
Server - /etc/nsswitch.conf
passwd: files sss shadow: files sss group: files sss #
Client - /etc/sssd/sssd.conf:
[sssd] services = nss, pam config_file_version = 2 domains = vmlab
authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap --enableldaptls --enableldapauth --ldapserver=ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389 --ldapbasedn=dc=vmlab,dc=ari,dc=cdk,dc=hosting --disablekrb5 --disablenis --enablerfc2307bis --enablemkhomedir --enablecachecreds --update
[domain/vmlab]
id_provider = ldap auth_provider = ldap
# Timming entry_cache_timeout = 600 ldap_network_timeout = 3
ldap_uri = ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389 ldap_user_search_base = dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting ldap_tls_reqcert = demand cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts ldap_access_filter = memberOf=CN=Manager,OU=Users,DC=ActDir-VM-Test,DC=vmlab,DC=ari,DC=cd k, DC=hosting ldap_tls_cacert = /etc/openldap/cacerts/CA.crt ldap_tls_reqcert = demand ldap_default_bind_dn = cn=Manager,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting ldap_default_authtok_type = password ldap_default_authtok = p@ssw0rd enumerate = true
[nss] filter_users = root, sshd, named, avahi, haldaemon, dbus, radiusd, news, nscd filter_groups = root, sshd, named, avahi, haldaemon, dbus, radiusd, news, nscd reconnection_retries = 3 entry_cache_timeout = 300 entry_cache_nowait_percentage = 75 debug_level = 6
[pam] reconnection_retries = 3 # The enumerate = True will only be enabled during testing - if I ever get it working - then it will be removed.
Client - /etc/openldap/ldap.conf:
idle_timelimit 3600 TIMELIMIT 120 bind_timelimit 120
SASL_NOCANON on TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile /etc/openldap/cacerts/CA.crt
#TLS_CACERTDIR /etc/openldap/cacerts #TLS_CACERT /etc/openldap/cacerts/CA.crt #TLS_CACERT /etc/openldap/cacerts/19913717.0
ssl start_tls TLS_REQCERT allow HOST ActDir-VM-Test.vmlab.ari.cdk.hosting BASE dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting URI ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389 TLS_CACERTDIR /etc/openldap/cacerts ldap_default_bind_dn cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting ldap_default_authtok p@ssw0rd BINDDN uid=Manager,ou=Users,dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hos ti ng #
Client - the PAM files password-auth-ac and the system-auth-ac files are the same as the Server:
Client - nsswitch.conf:
passwd: files sss shadow: files sss group: files sss
uid Manager gid ldap #base CN=vmlab,OU=Users,DC=vmlab,DC=ari,DC=cdk,DC=hosting base DC=vmlab,DC=ari,DC=cdk,DC=hosting uri ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting #
Client - ldapsearch:
# ldapsearch -x -ZZ -H ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting -b dc=vmlab,dc=ari,dc=cdk,dc=hosting objectclass=* # extended LDIF # # LDAPv3 # base <dc=vmlab,dc=ari,dc=cdk,dc=hosting> with scope subtree # filter: objectclass=* # requesting: ALL #
# vmlab.ari.cdk.hosting dn: dc=vmlab,dc=ari,dc=cdk,dc=hosting objectClass: dcObject objectClass: organization dc: vmlab o: vmlab
# Users, vmlab.ari.cdk.hosting dn: ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting objectClass: organizationalUnit ou: Users
# Steve xxxxxxxxx, Users, vmlab.ari.cdk.hosting dn: cn=Steve Murdoch,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Steve xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson
The inetOrgPerson objectclass is not sufficient you need to add the posixAccount objectclass to user objects and the posixGroup objects to group objects. These objectclasses are needed to e.g. provided the POSIX UIDs and GIDs.
HTH
bye, Sumit
userPassword:: cEBzc3cwcmQ= uid: sxxxxxxxx
# Bob Jones, Users, vmlab.ari.cdk.hosting dn: cn=Bob Jones,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Bob Jones sn: Jones objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: bjones
# Tom xxxxxxxx, Users, vmlab.ari.cdk.hosting dn: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Tom xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: txxxxxxxx
# Max xxxxxxxx, Users, vmlab.ari.cdk.hosting dn: cn=Max xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Max xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: mxxxxxxxx
# Platform, Users, vmlab.ari.cdk.hosting dn: cn=Platform,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Platform objectClass: groupOfNames member: cn=Bob Jones,cn=Steve xxxxxxxx,cn=Tom xxxxxxxx,cn=Max xxxxxxxx,ou=Users ,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Rod Stewart,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Steve xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
# mpitman, Users, vmlab.ari.cdk.hosting dn: uid=mxxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Mike xxxxxxxx sn: xxxxxxxx objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: mxxxxxx
# root, Users, vmlab.ari.cdk.hosting dn: uid=root,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: root sn: root objectClass: inetOrgPerson userPassword:: cEBzc3cwcmQ= uid: root
# search result search: 3 result: 0 Success
# numResponses: 10 #
Any help much appreciated - thanks a lot.
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedoraho st ed.org
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahost ed.org
This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system. _______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahost ed.org
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
On Tue, Jan 26, 2016 at 10:57:53AM +0000, Murdoch, Steven wrote:
Hi Sumit,
The Primary group 100 exists on the LDAP Server and on the SSSD Client - but the users only exist on the LDAP server (no users added to SSSD).
Sorry, I am not clear what you mean:
you have to add the primary group with GID 100 on the LDAP server as well
Attached are the nss and domain logs on the SSSD Client as requested.
It looks the only interesting request in the nss logs:
(Mon Jan 25 10:18:21 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [bjones].
is not covered in the domain log which ends 30s earlier. Can you add the missing part of the domain log or send new logs which both cover the request?
bye, Sumit
Thanks
Hi Sumit - The good news is - # getent passwd is now working - I can see all my LDAP users:
..... rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mxxxxxx:*:502:502:Max xxxxxx:/home/max:
txxxxxx:*:501:501:Tom xxxxxx:/home/tom:
sxxxxxx:*:505:100:Steve xxxxxx:/home/sxxxxxx:
Manager:*:503:503:Manager:/home/Manager:
mxxxxxx:*:504:100:Mike xxxxxx:/home/mxxxxxx:
bjones:*:506:100:Bob Jones:/home/bjones:
admin:*:507:100:admin:/home/admin:
[root@SSSD-VM-Test db]#
.. the bad news is # getent group is not working and therefore (I am assuming) I cannot login on the client and get authorised via SSSD to the LDAP server.
I have added a group - this is what I added:
# groups, vmlab.ari.cdk.hosting
dn: ou=groups,dc=vmlab,dc=ari,dc=cdk,dc=hosting
objectClass: organizationalUnit
ou: groups
description: generic groups branch
..is this ok - or do I need to add more lines?
Many thanks for your help.
-----Original Message----- From: Murdoch, Steve Sent: 26 January 2016 10:58 To: sssd-users@lists.fedorahosted.org Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
Hi Sumit,
The Primary group 100 exists on the LDAP Server and on the SSSD Client - but the users only exist on the LDAP server (no users added to SSSD).
Sorry, I am not clear what you mean:
you have to add the primary group with GID 100 on the LDAP server as
well
Attached are the nss and domain logs on the SSSD Client as requested.
Thanks
-----Original Message-----
From: Sumit Bose [mailto:sbose@redhat.com]
Sent: 25 January 2016 17:24
To: sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
On Mon, Jan 25, 2016 at 03:55:45PM +0000, Murdoch, Steven wrote:
Hi Sumit,
I think I have managed to add in the posixAccount to a user - when I ldapsearch from the client - I get this info for this user:
# mxxxxxx, Users, vmlab.ari.cdk.hosting
dn: uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Mike xxxxxx
sn: xxxxxx
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword:: cEBzc3cwcmQ=
uid: mxxxxxx
uidNumber: 504
gidNumber: 100
homeDirectory: /home/mxxxxxx
..I then tried getent passwd - but same as before I only get local users !
Is there something else that needs a tweak to allow 'getent passwd' to show the ldap users?
you have to add the primary group with GID 100 on the LDAP server as well. If this still does not work please attach the nss and domain logs (see https://fedorahosted.org/sssd/wiki/Troubleshooting for details).
bye,
Sumit
Thanks a lot.
-----Original Message-----
From: Murdoch, Steve
Sent: 25 January 2016 14:55
To: 'End-user discussions about the System Security Services Daemon'
Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both
Client & Server CentOS6.7
Hi Sumit,
Thanks for your help - I am trying to ldapmodify - added these lines to mike.ldif:
dn: uid=mxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
changetype: modify
replace: objectClass
objectClass: posixAccount
uidNumber: 504
userPassword: p@ssw0rd
cn: Mike
sn: xxxxxxx
gidNumber: 100
homeDirectory: /home/mxxxxxx
I used only the first 4 lines - but it complained that I need a uidNumber - so I added in line 5, but then I get this:
ldapmodify: wrong attributeType at line 5, entry "uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
...what am I doing wrong?
Thanks
-----Original Message-----
From: Sumit Bose [mailto:sbose@redhat.com]
Sent: 25 January 2016 13:57
To: sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client
& Server CentOS6.7
On Mon, Jan 25, 2016 at 01:15:46PM -0000, steven.murdoch@cdk.commailto:steven.murdoch@cdk.com wrote:
Hi - I am new to SSSD and LDAP, and my first posting - so please bare with me.
# getent passwd only displays the local users - will not display the
LDAP users and is driving me insane - ldapsearch seems to work I am
using SSSD with TLS to authenticate to LDAP Server The CA.crt files were self signed certificates.
I used # cacertdir_rehash to create to create the sym-link to the
CA.crt on both Client and Server My LDAP Server hostname is 'ActDir-VM-Test'
My SSSD Client hostname is 'SSSD-VM-Test'
Here are my files:
Server - /etc/openldap/slapd.conf:
allow bind_v2
allow bind_anon_dn
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile
/etc/openldap/cacerts/CA.crt TLSCertificateFile
/etc/openldap/cacerts/server.crt TLSCertificateKeyFile
/etc/openldap/cacerts/server.key TLSCipherSuite HIGH:MEDIUM:+TLSv1
TLSVerifyClient never access to
dn.sub="dc=vmlab,dc=ari,dc=cdk,dc=hosting"
by anonymous read
by * read
access to dn.base=""
by anonymous none
by * read
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting" read
by * none
access to * by users read
database bdb
suffix "dc=vmlab,dc=ari,dc=cdk,dc=hosting"
checkpoint 1024 15
rootdn "cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
rootpw p@ssw0rd
loglevel 256
sizelimit unlimited
#
Server - ldap.conf:
TIMELIMIT 120
ssl start_tls
URI ldap://ActDir-VM-Test:389/
BASE cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting
TLS_REQCERT allow
TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile
/etc/openldap/cacerts/CA.crt #
Server - /etc/sysconfig/ldap:
SLAPD_LDAP=yes
# Run slapd with -h "... ldapi:/// ..."
# yes/no, default: yes
SLAPD_LDAPI=no
# Run slapd with -h "... ldaps:/// ..."
# yes/no, default: no
SLAPD_LDAPS=no
#
Server - /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
#
Server: - /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
#
Server - /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
#
Client - /etc/sssd/sssd.conf:
[sssd]
services = nss, pam
config_file_version = 2
domains = vmlab
authconfig --enablesssd --enablesssdauth --enablelocauthorize
--enableldap --enableldaptls --enableldapauth
--ldapserver=ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
--ldapbasedn=dc=vmlab,dc=ari,dc=cdk,dc=hosting --disablekrb5
--disablenis --enablerfc2307bis --enablemkhomedir --enablecachecreds
--update
[domain/vmlab]
id_provider = ldap
auth_provider = ldap
# Timming
entry_cache_timeout = 600
ldap_network_timeout = 3
ldap_uri = ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
ldap_user_search_base =
dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting
ldap_tls_reqcert = demand
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts ldap_access_filter =
memberOf=CN=Manager,OU=Users,DC=ActDir-VM-Test,DC=vmlab,DC=ari,DC=cd
k, DC=hosting ldap_tls_cacert = /etc/openldap/cacerts/CA.crt
ldap_tls_reqcert = demand ldap_default_bind_dn =
cn=Manager,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
ldap_default_authtok_type = password ldap_default_authtok = p@ssw0rd
enumerate = true
[nss]
filter_users = root, sshd, named, avahi, haldaemon, dbus, radiusd,
news, nscd filter_groups = root, sshd, named, avahi, haldaemon,
dbus, radiusd, news, nscd reconnection_retries = 3
entry_cache_timeout = 300 entry_cache_nowait_percentage = 75
debug_level = 6
[pam]
reconnection_retries = 3
#
The enumerate = True will only be enabled during testing - if I ever get it working - then it will be removed.
Client - /etc/openldap/ldap.conf:
idle_timelimit 3600
TIMELIMIT 120
bind_timelimit 120
SASL_NOCANON on
TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile
/etc/openldap/cacerts/CA.crt
#TLS_CACERTDIR /etc/openldap/cacerts #TLS_CACERT
/etc/openldap/cacerts/CA.crt #TLS_CACERT
/etc/openldap/cacerts/19913717.0
ssl start_tls
TLS_REQCERT allow
HOST ActDir-VM-Test.vmlab.ari.cdk.hosting
BASE dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting
URI ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
TLS_CACERTDIR /etc/openldap/cacerts
ldap_default_bind_dn cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting
ldap_default_authtok p@ssw0rd
BINDDN
uid=Manager,ou=Users,dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hos
ti
ng
#
Client - the PAM files password-auth-ac and the system-auth-ac files are the same as the Server:
Client - nsswitch.conf:
passwd: files sss
shadow: files sss
group: files sss
uid Manager
gid ldap
#base CN=vmlab,OU=Users,DC=vmlab,DC=ari,DC=cdk,DC=hosting
base DC=vmlab,DC=ari,DC=cdk,DC=hosting uri
ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting
#
Client - ldapsearch:
# ldapsearch -x -ZZ -H ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting
-b dc=vmlab,dc=ari,dc=cdk,dc=hosting objectclass=* # extended LDIF #
#
LDAPv3 # base <dc=vmlab,dc=ari,dc=cdk,dc=hosting> with scope subtree
#
filter: objectclass=* # requesting: ALL #
# vmlab.ari.cdk.hosting
dn: dc=vmlab,dc=ari,dc=cdk,dc=hosting
objectClass: dcObject
objectClass: organization
dc: vmlab
o: vmlab
# Users, vmlab.ari.cdk.hosting
dn: ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
objectClass: organizationalUnit
ou: Users
# Steve xxxxxxxxx, Users, vmlab.ari.cdk.hosting
dn: cn=Steve Murdoch,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Steve xxxxxxxx
sn: xxxxxxxx
objectClass: inetOrgPerson
The inetOrgPerson objectclass is not sufficient you need to add the posixAccount objectclass to user objects and the posixGroup objects to group objects. These objectclasses are needed to e.g. provided the POSIX UIDs and GIDs.
HTH
bye,
Sumit
userPassword:: cEBzc3cwcmQ=
uid: sxxxxxxxx
# Bob Jones, Users, vmlab.ari.cdk.hosting
dn: cn=Bob Jones,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Bob Jones
sn: Jones
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: bjones
# Tom xxxxxxxx, Users, vmlab.ari.cdk.hosting
dn: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Tom xxxxxxxx
sn: xxxxxxxx
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: txxxxxxxx
# Max xxxxxxxx, Users, vmlab.ari.cdk.hosting
dn: cn=Max xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Max xxxxxxxx
sn: xxxxxxxx
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: mxxxxxxxx
# Platform, Users, vmlab.ari.cdk.hosting
dn: cn=Platform,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Platform
objectClass: groupOfNames
member: cn=Bob Jones,cn=Steve xxxxxxxx,cn=Tom xxxxxxxx,cn=Max
xxxxxxxx,ou=Users ,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Rod Stewart,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Steve xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
# mpitman, Users, vmlab.ari.cdk.hosting
dn: uid=mxxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Mike xxxxxxxx
sn: xxxxxxxx
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: mxxxxxx
# root, Users, vmlab.ari.cdk.hosting
dn: uid=root,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: root
sn: root
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: root
# search result
search: 3
result: 0 Success
# numResponses: 10
#
Any help much appreciated - thanks a lot.
sssd-users mailing list
sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedoraho
st
ed.org
sssd-users mailing list
sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahost
ed.org
This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.
sssd-users mailing list
sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahost
ed.org
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
Hi Sumit, … this is the last few lines from the sssd_nss.log (after running # getent group – which does not work). Getent passwd now works ok.
Tue Jan 26 14:51:15 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected! (Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_setgrent_send] (0x0100): Received setgrent request (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_setgrent_step] (0x0400): Requesting info for domain [vmlab] (Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41c240:2:*@vmlab] (Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [vmlab][4098][1][*] (Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41c240:2:*@vmlab] (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_setgrent_step] (0x0400): Requesting info for domain [vmlab] (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_setgrent_step] (0x0100): Domain [vmlab] has no groups, skipping. (Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41c240:2:*@vmlab] (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_getgrent] (0x0100): Requesting info for all groups (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups (Tue Jan 26 14:51:15 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected! (Tue Jan 26 14:51:17 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected! (Tue Jan 26 14:51:17 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Tue Jan 26 14:51:17 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Tue Jan 26 14:51:17 2016) [sssd[nss]] [nss_cmd_setgrent_send] (0x0100): Received setgrent request (Tue Jan 26 14:51:17 2016) [sssd[nss]] [nss_cmd_getgrent] (0x0100): Requesting info for all groups (Tue Jan 26 14:51:17 2016) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups (Tue Jan 26 14:51:17 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
…I have a feeling my groups setup is not correct !
# Platform, Users, vmlab.ari.cdk.hosting dn: cn=Platform,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Platform objectClass: groupOfNames member: cn=Bob Jones,cn=Steve xxxxxx,cn=Tom xxxxxxx,cn=Max xxxxxxx,ou=Users ,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Rod xxxxxt,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Steve xxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Tom xxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
# groups, vmlab.ari.cdk.hosting dn: ou=groups,dc=vmlab,dc=ari,dc=cdk,dc=hosting objectClass: organizationalUnit ou: groups description: generic groups branch
..or is it something else? When I try and login via the client (SSSD VM) I get access denied.
Thanks again.
From: Murdoch, Steve Sent: 26 January 2016 13:37 To: 'End-user discussions about the System Security Services Daemon' Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
Hi Sumit - The good news is - # getent passwd is now working - I can see all my LDAP users:
..... rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mxxxxxx:*:502:502:Max xxxxxx:/home/max:
txxxxxx:*:501:501:Tom xxxxxx:/home/tom:
sxxxxxx:*:505:100:Steve xxxxxx:/home/sxxxxxx:
Manager:*:503:503:Manager:/home/Manager:
mxxxxxx:*:504:100:Mike xxxxxx:/home/mxxxxxx:
bjones:*:506:100:Bob Jones:/home/bjones:
admin:*:507:100:admin:/home/admin:
[root@SSSD-VM-Test db]#
.. the bad news is # getent group is not working and therefore (I am assuming) I cannot login on the client and get authorised via SSSD to the LDAP server.
I have added a group - this is what I added:
# groups, vmlab.ari.cdk.hosting
dn: ou=groups,dc=vmlab,dc=ari,dc=cdk,dc=hosting
objectClass: organizationalUnit
ou: groups
description: generic groups branch
..is this ok - or do I need to add more lines?
Many thanks for your help.
-----Original Message----- From: Murdoch, Steve Sent: 26 January 2016 10:58 To: sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
Hi Sumit,
The Primary group 100 exists on the LDAP Server and on the SSSD Client - but the users only exist on the LDAP server (no users added to SSSD).
Sorry, I am not clear what you mean:
you have to add the primary group with GID 100 on the LDAP server as
well
Attached are the nss and domain logs on the SSSD Client as requested.
Thanks
-----Original Message-----
From: Sumit Bose [mailto:sbose@redhat.com]
Sent: 25 January 2016 17:24
To: sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
On Mon, Jan 25, 2016 at 03:55:45PM +0000, Murdoch, Steven wrote:
Hi Sumit,
I think I have managed to add in the posixAccount to a user - when I ldapsearch from the client - I get this info for this user:
# mxxxxxx, Users, vmlab.ari.cdk.hosting
dn: uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Mike xxxxxx
sn: xxxxxx
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword:: cEBzc3cwcmQ=
uid: mxxxxxx
uidNumber: 504
gidNumber: 100
homeDirectory: /home/mxxxxxx
..I then tried getent passwd - but same as before I only get local users !
Is there something else that needs a tweak to allow 'getent passwd' to show the ldap users?
you have to add the primary group with GID 100 on the LDAP server as well. If this still does not work please attach the nss and domain logs (see https://fedorahosted.org/sssd/wiki/Troubleshooting for details).
bye,
Sumit
Thanks a lot.
-----Original Message-----
From: Murdoch, Steve
Sent: 25 January 2016 14:55
To: 'End-user discussions about the System Security Services Daemon'
Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both
Client & Server CentOS6.7
Hi Sumit,
Thanks for your help - I am trying to ldapmodify - added these lines to mike.ldif:
dn: uid=mxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
changetype: modify
replace: objectClass
objectClass: posixAccount
uidNumber: 504
userPassword: p@ssw0rd
cn: Mike
sn: xxxxxxx
gidNumber: 100
homeDirectory: /home/mxxxxxx
I used only the first 4 lines - but it complained that I need a uidNumber - so I added in line 5, but then I get this:
ldapmodify: wrong attributeType at line 5, entry "uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
...what am I doing wrong?
Thanks
-----Original Message-----
From: Sumit Bose [mailto:sbose@redhat.com]
Sent: 25 January 2016 13:57
To: sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client
& Server CentOS6.7
On Mon, Jan 25, 2016 at 01:15:46PM -0000, steven.murdoch@cdk.commailto:steven.murdoch@cdk.com wrote:
Hi - I am new to SSSD and LDAP, and my first posting - so please bare with me.
# getent passwd only displays the local users - will not display the
LDAP users and is driving me insane - ldapsearch seems to work I am
using SSSD with TLS to authenticate to LDAP Server The CA.crt files were self signed certificates.
I used # cacertdir_rehash to create to create the sym-link to the
CA.crt on both Client and Server My LDAP Server hostname is 'ActDir-VM-Test'
My SSSD Client hostname is 'SSSD-VM-Test'
Here are my files:
Server - /etc/openldap/slapd.conf:
allow bind_v2
allow bind_anon_dn
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile
/etc/openldap/cacerts/CA.crt TLSCertificateFile
/etc/openldap/cacerts/server.crt TLSCertificateKeyFile
/etc/openldap/cacerts/server.key TLSCipherSuite HIGH:MEDIUM:+TLSv1
TLSVerifyClient never access to
dn.sub="dc=vmlab,dc=ari,dc=cdk,dc=hosting"
by anonymous read
by * read
access to dn.base=""
by anonymous none
by * read
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting" read
by * none
access to * by users read
database bdb
suffix "dc=vmlab,dc=ari,dc=cdk,dc=hosting"
checkpoint 1024 15
rootdn "cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
rootpw p@ssw0rd
loglevel 256
sizelimit unlimited
#
Server - ldap.conf:
TIMELIMIT 120
ssl start_tls
URI ldap://ActDir-VM-Test:389/
BASE cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting
TLS_REQCERT allow
TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile
/etc/openldap/cacerts/CA.crt #
Server - /etc/sysconfig/ldap:
SLAPD_LDAP=yes
# Run slapd with -h "... ldapi:/// ..."
# yes/no, default: yes
SLAPD_LDAPI=no
# Run slapd with -h "... ldaps:/// ..."
# yes/no, default: no
SLAPD_LDAPS=no
#
Server - /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
#
Server: - /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
#
Server - /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
#
Client - /etc/sssd/sssd.conf:
[sssd]
services = nss, pam
config_file_version = 2
domains = vmlab
authconfig --enablesssd --enablesssdauth --enablelocauthorize
--enableldap --enableldaptls --enableldapauth
--ldapserver=ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
--ldapbasedn=dc=vmlab,dc=ari,dc=cdk,dc=hosting --disablekrb5
--disablenis --enablerfc2307bis --enablemkhomedir --enablecachecreds
--update
[domain/vmlab]
id_provider = ldap
auth_provider = ldap
# Timming
entry_cache_timeout = 600
ldap_network_timeout = 3
ldap_uri = ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
ldap_user_search_base =
dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting
ldap_tls_reqcert = demand
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts ldap_access_filter =
memberOf=CN=Manager,OU=Users,DC=ActDir-VM-Test,DC=vmlab,DC=ari,DC=cd
k, DC=hosting ldap_tls_cacert = /etc/openldap/cacerts/CA.crt
ldap_tls_reqcert = demand ldap_default_bind_dn =
cn=Manager,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
ldap_default_authtok_type = password ldap_default_authtok = p@ssw0rd
enumerate = true
[nss]
filter_users = root, sshd, named, avahi, haldaemon, dbus, radiusd,
news, nscd filter_groups = root, sshd, named, avahi, haldaemon,
dbus, radiusd, news, nscd reconnection_retries = 3
entry_cache_timeout = 300 entry_cache_nowait_percentage = 75
debug_level = 6
[pam]
reconnection_retries = 3
#
The enumerate = True will only be enabled during testing - if I ever get it working - then it will be removed.
Client - /etc/openldap/ldap.conf:
idle_timelimit 3600
TIMELIMIT 120
bind_timelimit 120
SASL_NOCANON on
TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile
/etc/openldap/cacerts/CA.crt
#TLS_CACERTDIR /etc/openldap/cacerts #TLS_CACERT
/etc/openldap/cacerts/CA.crt #TLS_CACERT
/etc/openldap/cacerts/19913717.0
ssl start_tls
TLS_REQCERT allow
HOST ActDir-VM-Test.vmlab.ari.cdk.hosting
BASE dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting
URI ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
TLS_CACERTDIR /etc/openldap/cacerts
ldap_default_bind_dn cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting
ldap_default_authtok p@ssw0rd
BINDDN
uid=Manager,ou=Users,dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hos
ti
ng
#
Client - the PAM files password-auth-ac and the system-auth-ac files are the same as the Server:
Client - nsswitch.conf:
passwd: files sss
shadow: files sss
group: files sss
uid Manager
gid ldap
#base CN=vmlab,OU=Users,DC=vmlab,DC=ari,DC=cdk,DC=hosting
base DC=vmlab,DC=ari,DC=cdk,DC=hosting uri
ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting
#
Client - ldapsearch:
# ldapsearch -x -ZZ -H ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting
-b dc=vmlab,dc=ari,dc=cdk,dc=hosting objectclass=* # extended LDIF #
#
LDAPv3 # base <dc=vmlab,dc=ari,dc=cdk,dc=hosting> with scope subtree
#
filter: objectclass=* # requesting: ALL #
# vmlab.ari.cdk.hosting
dn: dc=vmlab,dc=ari,dc=cdk,dc=hosting
objectClass: dcObject
objectClass: organization
dc: vmlab
o: vmlab
# Users, vmlab.ari.cdk.hosting
dn: ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
objectClass: organizationalUnit
ou: Users
# Steve xxxxxxxxx, Users, vmlab.ari.cdk.hosting
dn: cn=Steve Murdoch,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Steve xxxxxxxx
sn: xxxxxxxx
objectClass: inetOrgPerson
The inetOrgPerson objectclass is not sufficient you need to add the posixAccount objectclass to user objects and the posixGroup objects to group objects. These objectclasses are needed to e.g. provided the POSIX UIDs and GIDs.
HTH
bye,
Sumit
userPassword:: cEBzc3cwcmQ=
uid: sxxxxxxxx
# Bob Jones, Users, vmlab.ari.cdk.hosting
dn: cn=Bob Jones,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Bob Jones
sn: Jones
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: bjones
# Tom xxxxxxxx, Users, vmlab.ari.cdk.hosting
dn: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Tom xxxxxxxx
sn: xxxxxxxx
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: txxxxxxxx
# Max xxxxxxxx, Users, vmlab.ari.cdk.hosting
dn: cn=Max xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Max xxxxxxxx
sn: xxxxxxxx
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: mxxxxxxxx
# Platform, Users, vmlab.ari.cdk.hosting
dn: cn=Platform,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Platform
objectClass: groupOfNames
member: cn=Bob Jones,cn=Steve xxxxxxxx,cn=Tom xxxxxxxx,cn=Max
xxxxxxxx,ou=Users ,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Rod Stewart,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Steve xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
# mpitman, Users, vmlab.ari.cdk.hosting
dn: uid=mxxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Mike xxxxxxxx
sn: xxxxxxxx
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: mxxxxxx
# root, Users, vmlab.ari.cdk.hosting
dn: uid=root,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: root
sn: root
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: root
# search result
search: 3
result: 0 Success
# numResponses: 10
#
Any help much appreciated - thanks a lot.
sssd-users mailing list
sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedoraho
st
ed.org
sssd-users mailing list
sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahost
ed.org
This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.
sssd-users mailing list
sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahost
ed.org
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
On Tue, Jan 26, 2016 at 03:08:19PM +0000, Murdoch, Steven wrote:
Hi Sumit, … this is the last few lines from the sssd_nss.log (after running # getent group – which does not work). Getent passwd now works ok.
Tue Jan 26 14:51:15 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected! (Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_setgrent_send] (0x0100): Received setgrent request (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_setgrent_step] (0x0400): Requesting info for domain [vmlab] (Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41c240:2:*@vmlab] (Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [vmlab][4098][1][*] (Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41c240:2:*@vmlab] (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_setgrent_step] (0x0400): Requesting info for domain [vmlab] (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_setgrent_step] (0x0100): Domain [vmlab] has no groups, skipping. (Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x41c240:2:*@vmlab] (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_getgrent] (0x0100): Requesting info for all groups (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups (Tue Jan 26 14:51:15 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected! (Tue Jan 26 14:51:17 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected! (Tue Jan 26 14:51:17 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Tue Jan 26 14:51:17 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Tue Jan 26 14:51:17 2016) [sssd[nss]] [nss_cmd_setgrent_send] (0x0100): Received setgrent request (Tue Jan 26 14:51:17 2016) [sssd[nss]] [nss_cmd_getgrent] (0x0100): Requesting info for all groups (Tue Jan 26 14:51:17 2016) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups (Tue Jan 26 14:51:17 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
…I have a feeling my groups setup is not correct !
yes, as mentioned earlier groups need the objectclass posixGroup to have a gidNumber attribute.
Please note that if you use the member attribute with the DNs of the members you have to set 'ldap_schema=rfc2307bis' (see man sssd-ldap for details).
HTH
bye, Sumit
# Platform, Users, vmlab.ari.cdk.hosting dn: cn=Platform,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting cn: Platform objectClass: groupOfNames member: cn=Bob Jones,cn=Steve xxxxxx,cn=Tom xxxxxxx,cn=Max xxxxxxx,ou=Users ,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Rod xxxxxt,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Steve xxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting member: cn=Tom xxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
# groups, vmlab.ari.cdk.hosting dn: ou=groups,dc=vmlab,dc=ari,dc=cdk,dc=hosting objectClass: organizationalUnit ou: groups description: generic groups branch
..or is it something else? When I try and login via the client (SSSD VM) I get access denied.
Thanks again.
From: Murdoch, Steve Sent: 26 January 2016 13:37 To: 'End-user discussions about the System Security Services Daemon' Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
Hi Sumit - The good news is - # getent passwd is now working - I can see all my LDAP users:
..... rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mxxxxxx:*:502:502:Max xxxxxx:/home/max:
txxxxxx:*:501:501:Tom xxxxxx:/home/tom:
sxxxxxx:*:505:100:Steve xxxxxx:/home/sxxxxxx:
Manager:*:503:503:Manager:/home/Manager:
mxxxxxx:*:504:100:Mike xxxxxx:/home/mxxxxxx:
bjones:*:506:100:Bob Jones:/home/bjones:
admin:*:507:100:admin:/home/admin:
[root@SSSD-VM-Test db]#
.. the bad news is # getent group is not working and therefore (I am assuming) I cannot login on the client and get authorised via SSSD to the LDAP server.
I have added a group - this is what I added:
# groups, vmlab.ari.cdk.hosting
dn: ou=groups,dc=vmlab,dc=ari,dc=cdk,dc=hosting
objectClass: organizationalUnit
ou: groups
description: generic groups branch
..is this ok - or do I need to add more lines?
Many thanks for your help.
-----Original Message----- From: Murdoch, Steve Sent: 26 January 2016 10:58 To: sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
Hi Sumit,
The Primary group 100 exists on the LDAP Server and on the SSSD Client - but the users only exist on the LDAP server (no users added to SSSD).
Sorry, I am not clear what you mean:
you have to add the primary group with GID 100 on the LDAP server as
well
Attached are the nss and domain logs on the SSSD Client as requested.
Thanks
-----Original Message-----
From: Sumit Bose [mailto:sbose@redhat.com]
Sent: 25 January 2016 17:24
To: sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
On Mon, Jan 25, 2016 at 03:55:45PM +0000, Murdoch, Steven wrote:
Hi Sumit,
I think I have managed to add in the posixAccount to a user - when I ldapsearch from the client - I get this info for this user:
# mxxxxxx, Users, vmlab.ari.cdk.hosting
dn: uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Mike xxxxxx
sn: xxxxxx
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword:: cEBzc3cwcmQ=
uid: mxxxxxx
uidNumber: 504
gidNumber: 100
homeDirectory: /home/mxxxxxx
..I then tried getent passwd - but same as before I only get local users !
Is there something else that needs a tweak to allow 'getent passwd' to show the ldap users?
you have to add the primary group with GID 100 on the LDAP server as well. If this still does not work please attach the nss and domain logs (see https://fedorahosted.org/sssd/wiki/Troubleshooting for details).
bye,
Sumit
Thanks a lot.
-----Original Message-----
From: Murdoch, Steve
Sent: 25 January 2016 14:55
To: 'End-user discussions about the System Security Services Daemon'
Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both
Client & Server CentOS6.7
Hi Sumit,
Thanks for your help - I am trying to ldapmodify - added these lines to mike.ldif:
dn: uid=mxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
changetype: modify
replace: objectClass
objectClass: posixAccount
uidNumber: 504
userPassword: p@ssw0rd
cn: Mike
sn: xxxxxxx
gidNumber: 100
homeDirectory: /home/mxxxxxx
I used only the first 4 lines - but it complained that I need a uidNumber - so I added in line 5, but then I get this:
ldapmodify: wrong attributeType at line 5, entry "uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
...what am I doing wrong?
Thanks
-----Original Message-----
From: Sumit Bose [mailto:sbose@redhat.com]
Sent: 25 January 2016 13:57
To: sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client
& Server CentOS6.7
On Mon, Jan 25, 2016 at 01:15:46PM -0000, steven.murdoch@cdk.commailto:steven.murdoch@cdk.com wrote:
Hi - I am new to SSSD and LDAP, and my first posting - so please bare with me.
# getent passwd only displays the local users - will not display the
LDAP users and is driving me insane - ldapsearch seems to work I am
using SSSD with TLS to authenticate to LDAP Server The CA.crt files were self signed certificates.
I used # cacertdir_rehash to create to create the sym-link to the
CA.crt on both Client and Server My LDAP Server hostname is 'ActDir-VM-Test'
My SSSD Client hostname is 'SSSD-VM-Test'
Here are my files:
Server - /etc/openldap/slapd.conf:
allow bind_v2
allow bind_anon_dn
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile
/etc/openldap/cacerts/CA.crt TLSCertificateFile
/etc/openldap/cacerts/server.crt TLSCertificateKeyFile
/etc/openldap/cacerts/server.key TLSCipherSuite HIGH:MEDIUM:+TLSv1
TLSVerifyClient never access to
dn.sub="dc=vmlab,dc=ari,dc=cdk,dc=hosting"
by anonymous read
by * read
access to dn.base=""
by anonymous none
by * read
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting" read
by * none
access to * by users read
database bdb
suffix "dc=vmlab,dc=ari,dc=cdk,dc=hosting"
checkpoint 1024 15
rootdn "cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
rootpw p@ssw0rd
loglevel 256
sizelimit unlimited
#
Server - ldap.conf:
TIMELIMIT 120
ssl start_tls
URI ldap://ActDir-VM-Test:389/
BASE cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting
TLS_REQCERT allow
TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile
/etc/openldap/cacerts/CA.crt #
Server - /etc/sysconfig/ldap:
SLAPD_LDAP=yes
# Run slapd with -h "... ldapi:/// ..."
# yes/no, default: yes
SLAPD_LDAPI=no
# Run slapd with -h "... ldaps:/// ..."
# yes/no, default: no
SLAPD_LDAPS=no
#
Server - /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
#
Server: - /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
#
Server - /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
#
Client - /etc/sssd/sssd.conf:
[sssd]
services = nss, pam
config_file_version = 2
domains = vmlab
authconfig --enablesssd --enablesssdauth --enablelocauthorize
--enableldap --enableldaptls --enableldapauth
--ldapserver=ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
--ldapbasedn=dc=vmlab,dc=ari,dc=cdk,dc=hosting --disablekrb5
--disablenis --enablerfc2307bis --enablemkhomedir --enablecachecreds
--update
[domain/vmlab]
id_provider = ldap
auth_provider = ldap
# Timming
entry_cache_timeout = 600
ldap_network_timeout = 3
ldap_uri = ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
ldap_user_search_base =
dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting
ldap_tls_reqcert = demand
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts ldap_access_filter =
memberOf=CN=Manager,OU=Users,DC=ActDir-VM-Test,DC=vmlab,DC=ari,DC=cd
k, DC=hosting ldap_tls_cacert = /etc/openldap/cacerts/CA.crt
ldap_tls_reqcert = demand ldap_default_bind_dn =
cn=Manager,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
ldap_default_authtok_type = password ldap_default_authtok = p@ssw0rd
enumerate = true
[nss]
filter_users = root, sshd, named, avahi, haldaemon, dbus, radiusd,
news, nscd filter_groups = root, sshd, named, avahi, haldaemon,
dbus, radiusd, news, nscd reconnection_retries = 3
entry_cache_timeout = 300 entry_cache_nowait_percentage = 75
debug_level = 6
[pam]
reconnection_retries = 3
#
The enumerate = True will only be enabled during testing - if I ever get it working - then it will be removed.
Client - /etc/openldap/ldap.conf:
idle_timelimit 3600
TIMELIMIT 120
bind_timelimit 120
SASL_NOCANON on
TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile
/etc/openldap/cacerts/CA.crt
#TLS_CACERTDIR /etc/openldap/cacerts #TLS_CACERT
/etc/openldap/cacerts/CA.crt #TLS_CACERT
/etc/openldap/cacerts/19913717.0
ssl start_tls
TLS_REQCERT allow
HOST ActDir-VM-Test.vmlab.ari.cdk.hosting
BASE dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting
URI ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
TLS_CACERTDIR /etc/openldap/cacerts
ldap_default_bind_dn cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting
ldap_default_authtok p@ssw0rd
BINDDN
uid=Manager,ou=Users,dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hos
ti
ng
#
Client - the PAM files password-auth-ac and the system-auth-ac files are the same as the Server:
Client - nsswitch.conf:
passwd: files sss
shadow: files sss
group: files sss
uid Manager
gid ldap
#base CN=vmlab,OU=Users,DC=vmlab,DC=ari,DC=cdk,DC=hosting
base DC=vmlab,DC=ari,DC=cdk,DC=hosting uri
ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting
#
Client - ldapsearch:
# ldapsearch -x -ZZ -H ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting
-b dc=vmlab,dc=ari,dc=cdk,dc=hosting objectclass=* # extended LDIF #
#
LDAPv3 # base <dc=vmlab,dc=ari,dc=cdk,dc=hosting> with scope subtree
#
filter: objectclass=* # requesting: ALL #
# vmlab.ari.cdk.hosting
dn: dc=vmlab,dc=ari,dc=cdk,dc=hosting
objectClass: dcObject
objectClass: organization
dc: vmlab
o: vmlab
# Users, vmlab.ari.cdk.hosting
dn: ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
objectClass: organizationalUnit
ou: Users
# Steve xxxxxxxxx, Users, vmlab.ari.cdk.hosting
dn: cn=Steve Murdoch,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Steve xxxxxxxx
sn: xxxxxxxx
objectClass: inetOrgPerson
The inetOrgPerson objectclass is not sufficient you need to add the posixAccount objectclass to user objects and the posixGroup objects to group objects. These objectclasses are needed to e.g. provided the POSIX UIDs and GIDs.
HTH
bye,
Sumit
userPassword:: cEBzc3cwcmQ=
uid: sxxxxxxxx
# Bob Jones, Users, vmlab.ari.cdk.hosting
dn: cn=Bob Jones,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Bob Jones
sn: Jones
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: bjones
# Tom xxxxxxxx, Users, vmlab.ari.cdk.hosting
dn: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Tom xxxxxxxx
sn: xxxxxxxx
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: txxxxxxxx
# Max xxxxxxxx, Users, vmlab.ari.cdk.hosting
dn: cn=Max xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Max xxxxxxxx
sn: xxxxxxxx
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: mxxxxxxxx
# Platform, Users, vmlab.ari.cdk.hosting
dn: cn=Platform,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Platform
objectClass: groupOfNames
member: cn=Bob Jones,cn=Steve xxxxxxxx,cn=Tom xxxxxxxx,cn=Max
xxxxxxxx,ou=Users ,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Rod Stewart,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Steve xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
# mpitman, Users, vmlab.ari.cdk.hosting
dn: uid=mxxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Mike xxxxxxxx
sn: xxxxxxxx
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: mxxxxxx
# root, Users, vmlab.ari.cdk.hosting
dn: uid=root,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: root
sn: root
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: root
# search result
search: 3
result: 0 Success
# numResponses: 10
#
Any help much appreciated - thanks a lot.
sssd-users mailing list
sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedoraho
st
ed.org
sssd-users mailing list
sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahost
ed.org
This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.
sssd-users mailing list
sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahost
ed.org
sssd-users mailing list
sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
Hi Sumit,
I am making progress - both # getent -s sss passwd and getent group now work. I can also su - ldapuser and I get a shell in the correct $HOME on the ldap server.
But I still cannot login to the SSSD Client as an ldap user!
My /var/log/secure log last line is this:
SSSD-VM-Test sshd[2240]: Failed password for sxxxxxx from IP port 52391
...any ideas - I must be close!
Thanks
Steve..
-----Original Message----- From: Sumit Bose [mailto:sbose@redhat.com] Sent: 27 January 2016 08:50 To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
On Tue, Jan 26, 2016 at 03:08:19PM +0000, Murdoch, Steven wrote:
Hi Sumit, … this is the last few lines from the sssd_nss.log (after running # getent group – which does not work). Getent passwd now works ok.
Tue Jan 26 14:51:15 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_setgrent_send]
(0x0100): Received setgrent request (Tue Jan 26 14:51:15 2016)
[sssd[nss]] [nss_cmd_setgrent_step] (0x0400): Requesting info for
domain [vmlab] (Tue Jan 26 14:51:15 2016) [sssd[nss]]
[sss_dp_issue_request] (0x0400): Issuing request for
[0x41c240:2:*@vmlab] (Tue Jan 26 14:51:15 2016) [sssd[nss]]
[sss_dp_get_account_msg] (0x0400): Creating request for [vmlab][4098][1][*] (Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41c240:2:*@vmlab] (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_setgrent_step] (0x0400): Requesting info for domain [vmlab] (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_setgrent_step] (0x0100): Domain [vmlab] has no groups, skipping.
(Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_dp_req_destructor]
(0x0400): Deleting request: [0x41c240:2:*@vmlab] (Tue Jan 26 14:51:15
- [sssd[nss]] [nss_cmd_getgrent] (0x0100): Requesting info for all
groups (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups (Tue Jan 26 14:51:15 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Tue Jan 26 14:51:17 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Tue Jan 26 14:51:17 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Tue Jan 26 14:51:17 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Tue Jan 26 14:51:17 2016) [sssd[nss]] [nss_cmd_setgrent_send]
(0x0100): Received setgrent request (Tue Jan 26 14:51:17 2016)
[sssd[nss]] [nss_cmd_getgrent] (0x0100): Requesting info for all
groups (Tue Jan 26 14:51:17 2016) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups (Tue Jan 26 14:51:17 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
…I have a feeling my groups setup is not correct !
yes, as mentioned earlier groups need the objectclass posixGroup to have a gidNumber attribute.
Please note that if you use the member attribute with the DNs of the members you have to set 'ldap_schema=rfc2307bis' (see man sssd-ldap for details).
HTH
bye,
Sumit
# Platform, Users, vmlab.ari.cdk.hosting
dn: cn=Platform,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Platform
objectClass: groupOfNames
member: cn=Bob Jones,cn=Steve xxxxxx,cn=Tom xxxxxxx,cn=Max
xxxxxxx,ou=Users ,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Rod xxxxxt,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Steve xxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Tom xxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
# groups, vmlab.ari.cdk.hosting
dn: ou=groups,dc=vmlab,dc=ari,dc=cdk,dc=hosting
objectClass: organizationalUnit
ou: groups
description: generic groups branch
..or is it something else?
When I try and login via the client (SSSD VM) I get access denied.
Thanks again.
From: Murdoch, Steve
Sent: 26 January 2016 13:37
To: 'End-user discussions about the System Security Services Daemon'
Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both
Client & Server CentOS6.7
Hi Sumit - The good news is - # getent passwd is now working - I can see all my LDAP users:
.....
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mxxxxxx:*:502:502:Max xxxxxx:/home/max:
txxxxxx:*:501:501:Tom xxxxxx:/home/tom:
sxxxxxx:*:505:100:Steve xxxxxx:/home/sxxxxxx:
Manager:*:503:503:Manager:/home/Manager:
mxxxxxx:*:504:100:Mike xxxxxx:/home/mxxxxxx:
bjones:*:506:100:Bob Jones:/home/bjones:
admin:*:507:100:admin:/home/admin:
[root@SSSD-VM-Test db]#
.. the bad news is # getent group is not working and therefore (I am assuming) I cannot login on the client and get authorised via SSSD to the LDAP server.
I have added a group - this is what I added:
# groups, vmlab.ari.cdk.hosting
dn: ou=groups,dc=vmlab,dc=ari,dc=cdk,dc=hosting
objectClass: organizationalUnit
ou: groups
description: generic groups branch
..is this ok - or do I need to add more lines?
Many thanks for your help.
-----Original Message-----
From: Murdoch, Steve
Sent: 26 January 2016 10:58
To:
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahostedmailto:sssd-users@lists.fedorahosted.org%3cmailto:sssd-users@lists.fedorahosted
.org>
Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both
Client & Server CentOS6.7
Hi Sumit,
The Primary group 100 exists on the LDAP Server and on the SSSD Client - but the users only exist on the LDAP server (no users added to SSSD).
Sorry, I am not clear what you mean:
you have to add the primary group with GID 100 on the LDAP server as
well
Attached are the nss and domain logs on the SSSD Client as requested.
Thanks
-----Original Message-----
From: Sumit Bose [mailto:sbose@redhat.com]
Sent: 25 January 2016 17:24
To:
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahostedmailto:sssd-users@lists.fedorahosted.org%3cmailto:sssd-users@lists.fedorahosted
.org>
Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client
& Server CentOS6.7
On Mon, Jan 25, 2016 at 03:55:45PM +0000, Murdoch, Steven wrote:
Hi Sumit,
I think I have managed to add in the posixAccount to a user - when I ldapsearch from the client - I get this info for this user:
# mxxxxxx, Users, vmlab.ari.cdk.hosting
dn: uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Mike xxxxxx
sn: xxxxxx
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword:: cEBzc3cwcmQ=
uid: mxxxxxx
uidNumber: 504
gidNumber: 100
homeDirectory: /home/mxxxxxx
..I then tried getent passwd - but same as before I only get local users !
Is there something else that needs a tweak to allow 'getent passwd' to show the ldap users?
you have to add the primary group with GID 100 on the LDAP server as well. If this still does not work please attach the nss and domain logs (see https://fedorahosted.org/sssd/wiki/Troubleshooting for details).
bye,
Sumit
Thanks a lot.
-----Original Message-----
From: Murdoch, Steve
Sent: 25 January 2016 14:55
To: 'End-user discussions about the System Security Services Daemon'
Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both
Client & Server CentOS6.7
Hi Sumit,
Thanks for your help - I am trying to ldapmodify - added these lines to mike.ldif:
dn: uid=mxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
changetype: modify
replace: objectClass
objectClass: posixAccount
uidNumber: 504
userPassword: p@ssw0rd
cn: Mike
sn: xxxxxxx
gidNumber: 100
homeDirectory: /home/mxxxxxx
I used only the first 4 lines - but it complained that I need a uidNumber - so I added in line 5, but then I get this:
ldapmodify: wrong attributeType at line 5, entry "uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
...what am I doing wrong?
Thanks
-----Original Message-----
From: Sumit Bose [mailto:sbose@redhat.com]
Sent: 25 January 2016 13:57
To:
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahostmailto:sssd-users@lists.fedorahosted.org%3cmailto:sssd-users@lists.fedorahost
ed.org>
Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both
Client
& Server CentOS6.7
On Mon, Jan 25, 2016 at 01:15:46PM -0000, steven.murdoch@cdk.com<mailto:steven.murdoch@cdk.commailto:steven.murdoch@cdk.com%3cmailto:steven.murdoch@cdk.com> wrote:
Hi - I am new to SSSD and LDAP, and my first posting - so please bare with me.
# getent passwd only displays the local users - will not display
the
LDAP users and is driving me insane - ldapsearch seems to work I
am
using SSSD with TLS to authenticate to LDAP Server The CA.crt files were self signed certificates.
I used # cacertdir_rehash to create to create the sym-link to the
CA.crt on both Client and Server My LDAP Server hostname is 'ActDir-VM-Test'
My SSSD Client hostname is 'SSSD-VM-Test'
Here are my files:
Server - /etc/openldap/slapd.conf:
allow bind_v2
allow bind_anon_dn
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile
/etc/openldap/cacerts/CA.crt TLSCertificateFile
/etc/openldap/cacerts/server.crt TLSCertificateKeyFile
/etc/openldap/cacerts/server.key TLSCipherSuite HIGH:MEDIUM:+TLSv1
TLSVerifyClient never access to
dn.sub="dc=vmlab,dc=ari,dc=cdk,dc=hosting"
by anonymous read
by * read
access to dn.base=""
by anonymous none
by * read
database config
access to *
by
dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
manage
by * none
database monitor
access to *
by
dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
read
by dn.exact="cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
read
by * none
access to * by users read
database bdb
suffix "dc=vmlab,dc=ari,dc=cdk,dc=hosting"
checkpoint 1024 15
rootdn "cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
rootpw p@ssw0rd
loglevel 256
sizelimit unlimited
#
Server - ldap.conf:
TIMELIMIT 120
ssl start_tls
URI ldap://ActDir-VM-Test:389/
BASE cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting
TLS_REQCERT allow
TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile
/etc/openldap/cacerts/CA.crt #
Server - /etc/sysconfig/ldap:
SLAPD_LDAP=yes
# Run slapd with -h "... ldapi:/// ..."
# yes/no, default: yes
SLAPD_LDAPI=no
# Run slapd with -h "... ldaps:/// ..."
# yes/no, default: no
SLAPD_LDAPS=no
#
Server - /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
#
Server: - /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
#
Server - /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
#
Client - /etc/sssd/sssd.conf:
[sssd]
services = nss, pam
config_file_version = 2
domains = vmlab
authconfig --enablesssd --enablesssdauth --enablelocauthorize
--enableldap --enableldaptls --enableldapauth
--ldapserver=ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
--ldapbasedn=dc=vmlab,dc=ari,dc=cdk,dc=hosting --disablekrb5
--disablenis --enablerfc2307bis --enablemkhomedir
--enablecachecreds
--update
[domain/vmlab]
id_provider = ldap
auth_provider = ldap
# Timming
entry_cache_timeout = 600
ldap_network_timeout = 3
ldap_uri = ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
ldap_user_search_base =
dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting
ldap_tls_reqcert = demand
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts ldap_access_filter =
memberOf=CN=Manager,OU=Users,DC=ActDir-VM-Test,DC=vmlab,DC=ari,DC=
cd
k, DC=hosting ldap_tls_cacert = /etc/openldap/cacerts/CA.crt
ldap_tls_reqcert = demand ldap_default_bind_dn =
cn=Manager,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
ldap_default_authtok_type = password ldap_default_authtok =
p@ssw0rd
enumerate = true
[nss]
filter_users = root, sshd, named, avahi, haldaemon, dbus, radiusd,
news, nscd filter_groups = root, sshd, named, avahi, haldaemon,
dbus, radiusd, news, nscd reconnection_retries = 3
entry_cache_timeout = 300 entry_cache_nowait_percentage = 75
debug_level = 6
[pam]
reconnection_retries = 3
#
The enumerate = True will only be enabled during testing - if I ever get it working - then it will be removed.
Client - /etc/openldap/ldap.conf:
idle_timelimit 3600
TIMELIMIT 120
bind_timelimit 120
SASL_NOCANON on
TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile
/etc/openldap/cacerts/CA.crt
#TLS_CACERTDIR /etc/openldap/cacerts #TLS_CACERT
/etc/openldap/cacerts/CA.crt #TLS_CACERT
/etc/openldap/cacerts/19913717.0
ssl start_tls
TLS_REQCERT allow
HOST ActDir-VM-Test.vmlab.ari.cdk.hosting
BASE dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting
URI ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
TLS_CACERTDIR /etc/openldap/cacerts
ldap_default_bind_dn cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting
ldap_default_authtok p@ssw0rd
BINDDN
uid=Manager,ou=Users,dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=h
os
ti
ng
#
Client - the PAM files password-auth-ac and the system-auth-ac files are the same as the Server:
Client - nsswitch.conf:
passwd: files sss
shadow: files sss
group: files sss
uid Manager
gid ldap
#base CN=vmlab,OU=Users,DC=vmlab,DC=ari,DC=cdk,DC=hosting
base DC=vmlab,DC=ari,DC=cdk,DC=hosting uri
ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting
#
Client - ldapsearch:
# ldapsearch -x -ZZ -H ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting
-b dc=vmlab,dc=ari,dc=cdk,dc=hosting objectclass=* # extended LDIF
#
#
LDAPv3 # base <dc=vmlab,dc=ari,dc=cdk,dc=hosting> with scope
subtree
#
filter: objectclass=* # requesting: ALL #
# vmlab.ari.cdk.hosting
dn: dc=vmlab,dc=ari,dc=cdk,dc=hosting
objectClass: dcObject
objectClass: organization
dc: vmlab
o: vmlab
# Users, vmlab.ari.cdk.hosting
dn: ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
objectClass: organizationalUnit
ou: Users
# Steve xxxxxxxxx, Users, vmlab.ari.cdk.hosting
dn: cn=Steve Murdoch,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Steve xxxxxxxx
sn: xxxxxxxx
objectClass: inetOrgPerson
The inetOrgPerson objectclass is not sufficient you need to add the posixAccount objectclass to user objects and the posixGroup objects to group objects. These objectclasses are needed to e.g. provided the POSIX UIDs and GIDs.
HTH
bye,
Sumit
userPassword:: cEBzc3cwcmQ=
uid: sxxxxxxxx
# Bob Jones, Users, vmlab.ari.cdk.hosting
dn: cn=Bob Jones,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Bob Jones
sn: Jones
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: bjones
# Tom xxxxxxxx, Users, vmlab.ari.cdk.hosting
dn: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Tom xxxxxxxx
sn: xxxxxxxx
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: txxxxxxxx
# Max xxxxxxxx, Users, vmlab.ari.cdk.hosting
dn: cn=Max xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Max xxxxxxxx
sn: xxxxxxxx
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: mxxxxxxxx
# Platform, Users, vmlab.ari.cdk.hosting
dn: cn=Platform,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Platform
objectClass: groupOfNames
member: cn=Bob Jones,cn=Steve xxxxxxxx,cn=Tom xxxxxxxx,cn=Max
xxxxxxxx,ou=Users ,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Rod Stewart,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Steve
xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
# mpitman, Users, vmlab.ari.cdk.hosting
dn: uid=mxxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Mike xxxxxxxx
sn: xxxxxxxx
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: mxxxxxx
# root, Users, vmlab.ari.cdk.hosting
dn: uid=root,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: root
sn: root
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: root
# search result
search: 3
result: 0 Success
# numResponses: 10
#
Any help much appreciated - thanks a lot.
sssd-users mailing list
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahomailto:sssd-users@lists.fedorahosted.org%3cmailto:sssd-users@lists.fedoraho
sted.org>
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedora
ho
st
ed.org
sssd-users mailing list
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahostmailto:sssd-users@lists.fedorahosted.org%3cmailto:sssd-users@lists.fedorahost
ed.org>
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedoraho
st
ed.org
--
This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.
sssd-users mailing list
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahostmailto:sssd-users@lists.fedorahosted.org%3cmailto:sssd-users@lists.fedorahost
ed.org>
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedoraho
st
ed.org
sssd-users mailing list
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahostedmailto:sssd-users@lists.fedorahosted.org%3cmailto:sssd-users@lists.fedorahosted
.org>
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahost
ed.org
sssd-users mailing list
sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahost
ed.org
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
Hi Sumit, … forgot to mention my ldap password for the user I believe to be correct.
These are the last 4 lines in the /var/log/secure on my client SSSD machine:
Jan 27 10:07:20 SSSD-VM-Test sshd[2240]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.31.241.50 user=smurdoch Jan 27 10:07:21 SSSD-VM-Test sshd[2240]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.31.241.50 user=smurdoch Jan 27 10:07:21 SSSD-VM-Test sshd[2240]: pam_sss(sshd:auth): received for user smurdoch: 9 (Authentication service cannot retrieve authentication info) Jan 27 10:07:23 SSSD-VM-Test sshd[2240]: Failed password for smurdoch from 172.31.241.50 port 52391
…thanks again Steve..
From: Murdoch, Steve Sent: 27 January 2016 10:16 To: sssd-users@lists.fedorahosted.org Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
Hi Sumit,
I am making progress - both # getent -s sss passwd and getent group now work. I can also su - ldapuser and I get a shell in the correct $HOME on the ldap server.
But I still cannot login to the SSSD Client as an ldap user!
My /var/log/secure log last line is this:
SSSD-VM-Test sshd[2240]: Failed password for sxxxxxx from IP port 52391
...any ideas - I must be close!
Thanks
Steve..
-----Original Message----- From: Sumit Bose [mailto:sbose@redhat.com] Sent: 27 January 2016 08:50 To: sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
On Tue, Jan 26, 2016 at 03:08:19PM +0000, Murdoch, Steven wrote:
Hi Sumit, … this is the last few lines from the sssd_nss.log (after running # getent group – which does not work). Getent passwd now works ok.
Tue Jan 26 14:51:15 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_setgrent_send]
(0x0100): Received setgrent request (Tue Jan 26 14:51:15 2016)
[sssd[nss]] [nss_cmd_setgrent_step] (0x0400): Requesting info for
domain [vmlab] (Tue Jan 26 14:51:15 2016) [sssd[nss]]
[sss_dp_issue_request] (0x0400): Issuing request for
[0x41c240:2:*@vmlab] (Tue Jan 26 14:51:15 2016) [sssd[nss]]
[sss_dp_get_account_msg] (0x0400): Creating request for [vmlab][4098][1][*] (Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41c240:2:*@vmlab] (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_setgrent_step] (0x0400): Requesting info for domain [vmlab] (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_setgrent_step] (0x0100): Domain [vmlab] has no groups, skipping.
(Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_dp_req_destructor]
(0x0400): Deleting request: [0x41c240:2:*@vmlab] (Tue Jan 26 14:51:15
- [sssd[nss]] [nss_cmd_getgrent] (0x0100): Requesting info for all
groups (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups (Tue Jan 26 14:51:15 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Tue Jan 26 14:51:17 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Tue Jan 26 14:51:17 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Tue Jan 26 14:51:17 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Tue Jan 26 14:51:17 2016) [sssd[nss]] [nss_cmd_setgrent_send]
(0x0100): Received setgrent request (Tue Jan 26 14:51:17 2016)
[sssd[nss]] [nss_cmd_getgrent] (0x0100): Requesting info for all
groups (Tue Jan 26 14:51:17 2016) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups (Tue Jan 26 14:51:17 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
…I have a feeling my groups setup is not correct !
yes, as mentioned earlier groups need the objectclass posixGroup to have a gidNumber attribute.
Please note that if you use the member attribute with the DNs of the members you have to set 'ldap_schema=rfc2307bis' (see man sssd-ldap for details).
HTH
bye,
Sumit
# Platform, Users, vmlab.ari.cdk.hosting
dn: cn=Platform,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Platform
objectClass: groupOfNames
member: cn=Bob Jones,cn=Steve xxxxxx,cn=Tom xxxxxxx,cn=Max
xxxxxxx,ou=Users ,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Rod xxxxxt,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Steve xxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Tom xxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
# groups, vmlab.ari.cdk.hosting
dn: ou=groups,dc=vmlab,dc=ari,dc=cdk,dc=hosting
objectClass: organizationalUnit
ou: groups
description: generic groups branch
..or is it something else?
When I try and login via the client (SSSD VM) I get access denied.
Thanks again.
From: Murdoch, Steve
Sent: 26 January 2016 13:37
To: 'End-user discussions about the System Security Services Daemon'
Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both
Client & Server CentOS6.7
Hi Sumit - The good news is - # getent passwd is now working - I can see all my LDAP users:
.....
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mxxxxxx:*:502:502:Max xxxxxx:/home/max:
txxxxxx:*:501:501:Tom xxxxxx:/home/tom:
sxxxxxx:*:505:100:Steve xxxxxx:/home/sxxxxxx:
Manager:*:503:503:Manager:/home/Manager:
mxxxxxx:*:504:100:Mike xxxxxx:/home/mxxxxxx:
bjones:*:506:100:Bob Jones:/home/bjones:
admin:*:507:100:admin:/home/admin:
[root@SSSD-VM-Test db]#
.. the bad news is # getent group is not working and therefore (I am assuming) I cannot login on the client and get authorised via SSSD to the LDAP server.
I have added a group - this is what I added:
# groups, vmlab.ari.cdk.hosting
dn: ou=groups,dc=vmlab,dc=ari,dc=cdk,dc=hosting
objectClass: organizationalUnit
ou: groups
description: generic groups branch
..is this ok - or do I need to add more lines?
Many thanks for your help.
-----Original Message-----
From: Murdoch, Steve
Sent: 26 January 2016 10:58
To:
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahostedmailto:sssd-users@lists.fedorahosted.org%3cmailto:sssd-users@lists.fedorahosted
.org>
Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both
Client & Server CentOS6.7
Hi Sumit,
The Primary group 100 exists on the LDAP Server and on the SSSD Client - but the users only exist on the LDAP server (no users added to SSSD).
Sorry, I am not clear what you mean:
you have to add the primary group with GID 100 on the LDAP server as
well
Attached are the nss and domain logs on the SSSD Client as requested.
Thanks
-----Original Message-----
From: Sumit Bose [mailto:sbose@redhat.com]
Sent: 25 January 2016 17:24
To:
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahostedmailto:sssd-users@lists.fedorahosted.org%3cmailto:sssd-users@lists.fedorahosted
.org>
Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client
& Server CentOS6.7
On Mon, Jan 25, 2016 at 03:55:45PM +0000, Murdoch, Steven wrote:
Hi Sumit,
I think I have managed to add in the posixAccount to a user - when I ldapsearch from the client - I get this info for this user:
# mxxxxxx, Users, vmlab.ari.cdk.hosting
dn: uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Mike xxxxxx
sn: xxxxxx
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword:: cEBzc3cwcmQ=
uid: mxxxxxx
uidNumber: 504
gidNumber: 100
homeDirectory: /home/mxxxxxx
..I then tried getent passwd - but same as before I only get local users !
Is there something else that needs a tweak to allow 'getent passwd' to show the ldap users?
you have to add the primary group with GID 100 on the LDAP server as well. If this still does not work please attach the nss and domain logs (see https://fedorahosted.org/sssd/wiki/Troubleshooting for details).
bye,
Sumit
Thanks a lot.
-----Original Message-----
From: Murdoch, Steve
Sent: 25 January 2016 14:55
To: 'End-user discussions about the System Security Services Daemon'
Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both
Client & Server CentOS6.7
Hi Sumit,
Thanks for your help - I am trying to ldapmodify - added these lines to mike.ldif:
dn: uid=mxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
changetype: modify
replace: objectClass
objectClass: posixAccount
uidNumber: 504
userPassword: p@ssw0rd
cn: Mike
sn: xxxxxxx
gidNumber: 100
homeDirectory: /home/mxxxxxx
I used only the first 4 lines - but it complained that I need a uidNumber - so I added in line 5, but then I get this:
ldapmodify: wrong attributeType at line 5, entry "uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
...what am I doing wrong?
Thanks
-----Original Message-----
From: Sumit Bose [mailto:sbose@redhat.com]
Sent: 25 January 2016 13:57
To:
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahostmailto:sssd-users@lists.fedorahosted.org%3cmailto:sssd-users@lists.fedorahost
ed.org>
Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both
Client
& Server CentOS6.7
On Mon, Jan 25, 2016 at 01:15:46PM -0000, steven.murdoch@cdk.com<mailto:steven.murdoch@cdk.commailto:steven.murdoch@cdk.com%3cmailto:steven.murdoch@cdk.com> wrote:
Hi - I am new to SSSD and LDAP, and my first posting - so please bare with me.
# getent passwd only displays the local users - will not display
the
LDAP users and is driving me insane - ldapsearch seems to work I
am
using SSSD with TLS to authenticate to LDAP Server The CA.crt files were self signed certificates.
I used # cacertdir_rehash to create to create the sym-link to the
CA.crt on both Client and Server My LDAP Server hostname is 'ActDir-VM-Test'
My SSSD Client hostname is 'SSSD-VM-Test'
Here are my files:
Server - /etc/openldap/slapd.conf:
allow bind_v2
allow bind_anon_dn
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile
/etc/openldap/cacerts/CA.crt TLSCertificateFile
/etc/openldap/cacerts/server.crt TLSCertificateKeyFile
/etc/openldap/cacerts/server.key TLSCipherSuite HIGH:MEDIUM:+TLSv1
TLSVerifyClient never access to
dn.sub="dc=vmlab,dc=ari,dc=cdk,dc=hosting"
by anonymous read
by * read
access to dn.base=""
by anonymous none
by * read
database config
access to *
by
dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
manage
by * none
database monitor
access to *
by
dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
read
by dn.exact="cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
read
by * none
access to * by users read
database bdb
suffix "dc=vmlab,dc=ari,dc=cdk,dc=hosting"
checkpoint 1024 15
rootdn "cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
rootpw p@ssw0rd
loglevel 256
sizelimit unlimited
#
Server - ldap.conf:
TIMELIMIT 120
ssl start_tls
URI ldap://ActDir-VM-Test:389/
BASE cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting
TLS_REQCERT allow
TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile
/etc/openldap/cacerts/CA.crt #
Server - /etc/sysconfig/ldap:
SLAPD_LDAP=yes
# Run slapd with -h "... ldapi:/// ..."
# yes/no, default: yes
SLAPD_LDAPI=no
# Run slapd with -h "... ldaps:/// ..."
# yes/no, default: no
SLAPD_LDAPS=no
#
Server - /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
#
Server: - /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
#
Server - /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
#
Client - /etc/sssd/sssd.conf:
[sssd]
services = nss, pam
config_file_version = 2
domains = vmlab
authconfig --enablesssd --enablesssdauth --enablelocauthorize
--enableldap --enableldaptls --enableldapauth
--ldapserver=ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
--ldapbasedn=dc=vmlab,dc=ari,dc=cdk,dc=hosting --disablekrb5
--disablenis --enablerfc2307bis --enablemkhomedir
--enablecachecreds
--update
[domain/vmlab]
id_provider = ldap
auth_provider = ldap
# Timming
entry_cache_timeout = 600
ldap_network_timeout = 3
ldap_uri = ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
ldap_user_search_base =
dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting
ldap_tls_reqcert = demand
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts ldap_access_filter =
memberOf=CN=Manager,OU=Users,DC=ActDir-VM-Test,DC=vmlab,DC=ari,DC=
cd
k, DC=hosting ldap_tls_cacert = /etc/openldap/cacerts/CA.crt
ldap_tls_reqcert = demand ldap_default_bind_dn =
cn=Manager,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
ldap_default_authtok_type = password ldap_default_authtok =
p@ssw0rd
enumerate = true
[nss]
filter_users = root, sshd, named, avahi, haldaemon, dbus, radiusd,
news, nscd filter_groups = root, sshd, named, avahi, haldaemon,
dbus, radiusd, news, nscd reconnection_retries = 3
entry_cache_timeout = 300 entry_cache_nowait_percentage = 75
debug_level = 6
[pam]
reconnection_retries = 3
#
The enumerate = True will only be enabled during testing - if I ever get it working - then it will be removed.
Client - /etc/openldap/ldap.conf:
idle_timelimit 3600
TIMELIMIT 120
bind_timelimit 120
SASL_NOCANON on
TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile
/etc/openldap/cacerts/CA.crt
#TLS_CACERTDIR /etc/openldap/cacerts #TLS_CACERT
/etc/openldap/cacerts/CA.crt #TLS_CACERT
/etc/openldap/cacerts/19913717.0
ssl start_tls
TLS_REQCERT allow
HOST ActDir-VM-Test.vmlab.ari.cdk.hosting
BASE dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting
URI ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting:389
TLS_CACERTDIR /etc/openldap/cacerts
ldap_default_bind_dn cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting
ldap_default_authtok p@ssw0rd
BINDDN
uid=Manager,ou=Users,dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=h
os
ti
ng
#
Client - the PAM files password-auth-ac and the system-auth-ac files are the same as the Server:
Client - nsswitch.conf:
passwd: files sss
shadow: files sss
group: files sss
uid Manager
gid ldap
#base CN=vmlab,OU=Users,DC=vmlab,DC=ari,DC=cdk,DC=hosting
base DC=vmlab,DC=ari,DC=cdk,DC=hosting uri
ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting
#
Client - ldapsearch:
# ldapsearch -x -ZZ -H ldap://ActDir-VM-Test.vmlab.ari.cdk.hosting
-b dc=vmlab,dc=ari,dc=cdk,dc=hosting objectclass=* # extended LDIF
#
#
LDAPv3 # base <dc=vmlab,dc=ari,dc=cdk,dc=hosting> with scope
subtree
#
filter: objectclass=* # requesting: ALL #
# vmlab.ari.cdk.hosting
dn: dc=vmlab,dc=ari,dc=cdk,dc=hosting
objectClass: dcObject
objectClass: organization
dc: vmlab
o: vmlab
# Users, vmlab.ari.cdk.hosting
dn: ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
objectClass: organizationalUnit
ou: Users
# Steve xxxxxxxxx, Users, vmlab.ari.cdk.hosting
dn: cn=Steve Murdoch,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Steve xxxxxxxx
sn: xxxxxxxx
objectClass: inetOrgPerson
The inetOrgPerson objectclass is not sufficient you need to add the posixAccount objectclass to user objects and the posixGroup objects to group objects. These objectclasses are needed to e.g. provided the POSIX UIDs and GIDs.
HTH
bye,
Sumit
userPassword:: cEBzc3cwcmQ=
uid: sxxxxxxxx
# Bob Jones, Users, vmlab.ari.cdk.hosting
dn: cn=Bob Jones,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Bob Jones
sn: Jones
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: bjones
# Tom xxxxxxxx, Users, vmlab.ari.cdk.hosting
dn: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Tom xxxxxxxx
sn: xxxxxxxx
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: txxxxxxxx
# Max xxxxxxxx, Users, vmlab.ari.cdk.hosting
dn: cn=Max xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Max xxxxxxxx
sn: xxxxxxxx
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: mxxxxxxxx
# Platform, Users, vmlab.ari.cdk.hosting
dn: cn=Platform,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Platform
objectClass: groupOfNames
member: cn=Bob Jones,cn=Steve xxxxxxxx,cn=Tom xxxxxxxx,cn=Max
xxxxxxxx,ou=Users ,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Rod Stewart,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Steve
xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Tom xxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
# mpitman, Users, vmlab.ari.cdk.hosting
dn: uid=mxxxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Mike xxxxxxxx
sn: xxxxxxxx
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: mxxxxxx
# root, Users, vmlab.ari.cdk.hosting
dn: uid=root,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: root
sn: root
objectClass: inetOrgPerson
userPassword:: cEBzc3cwcmQ=
uid: root
# search result
search: 3
result: 0 Success
# numResponses: 10
#
Any help much appreciated - thanks a lot.
sssd-users mailing list
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahomailto:sssd-users@lists.fedorahosted.org%3cmailto:sssd-users@lists.fedoraho
sted.org>
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedora
ho
st
ed.org
sssd-users mailing list
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahostmailto:sssd-users@lists.fedorahosted.org%3cmailto:sssd-users@lists.fedorahost
ed.org>
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedoraho
st
ed.org
--
This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system.
sssd-users mailing list
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahostmailto:sssd-users@lists.fedorahosted.org%3cmailto:sssd-users@lists.fedorahost
ed.org>
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedoraho
st
ed.org
sssd-users mailing list
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahostedmailto:sssd-users@lists.fedorahosted.org%3cmailto:sssd-users@lists.fedorahosted
.org>
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahost
ed.org
sssd-users mailing list
sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahost
ed.org
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
On Wed, Jan 27, 2016 at 10:22:48AM +0000, Murdoch, Steven wrote:
Hi Sumit, … forgot to mention my ldap password for the user I believe to be correct.
These are the last 4 lines in the /var/log/secure on my client SSSD machine:
SSSD logs would be more useful here, especially sssd_pam and the domain logs. As a guess, SSSD does the LDAP bind for authentication only on a encrypted connection, i.e your LDAP server must support StarTLS which requires a valid certificate for the server and the CA certificate installed on the server and the SSSD client.
HTH
bye, Sumit
Jan 27 10:07:20 SSSD-VM-Test sshd[2240]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.31.241.50 user=smurdoch Jan 27 10:07:21 SSSD-VM-Test sshd[2240]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.31.241.50 user=smurdoch Jan 27 10:07:21 SSSD-VM-Test sshd[2240]: pam_sss(sshd:auth): received for user smurdoch: 9 (Authentication service cannot retrieve authentication info) Jan 27 10:07:23 SSSD-VM-Test sshd[2240]: Failed password for smurdoch from 172.31.241.50 port 52391
…thanks again Steve..
From: Murdoch, Steve Sent: 27 January 2016 10:16 To: sssd-users@lists.fedorahosted.org Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
Hi Sumit,
I am making progress - both # getent -s sss passwd and getent group now work. I can also su - ldapuser and I get a shell in the correct $HOME on the ldap server.
But I still cannot login to the SSSD Client as an ldap user!
My /var/log/secure log last line is this:
SSSD-VM-Test sshd[2240]: Failed password for sxxxxxx from IP port 52391
...any ideas - I must be close!
Thanks
Steve..
-----Original Message----- From: Sumit Bose [mailto:sbose@redhat.com] Sent: 27 January 2016 08:50 To: sssd-users@lists.fedorahosted.orgmailto:sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
On Tue, Jan 26, 2016 at 03:08:19PM +0000, Murdoch, Steven wrote:
Hi Sumit, … this is the last few lines from the sssd_nss.log (after running # getent group – which does not work). Getent passwd now works ok.
Tue Jan 26 14:51:15 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_setgrent_send]
(0x0100): Received setgrent request (Tue Jan 26 14:51:15 2016)
[sssd[nss]] [nss_cmd_setgrent_step] (0x0400): Requesting info for
domain [vmlab] (Tue Jan 26 14:51:15 2016) [sssd[nss]]
[sss_dp_issue_request] (0x0400): Issuing request for
[0x41c240:2:*@vmlab] (Tue Jan 26 14:51:15 2016) [sssd[nss]]
[sss_dp_get_account_msg] (0x0400): Creating request for [vmlab][4098][1][*] (Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41c240:2:*@vmlab] (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_setgrent_step] (0x0400): Requesting info for domain [vmlab] (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_setgrent_step] (0x0100): Domain [vmlab] has no groups, skipping.
(Tue Jan 26 14:51:15 2016) [sssd[nss]] [sss_dp_req_destructor]
(0x0400): Deleting request: [0x41c240:2:*@vmlab] (Tue Jan 26 14:51:15
- [sssd[nss]] [nss_cmd_getgrent] (0x0100): Requesting info for all
groups (Tue Jan 26 14:51:15 2016) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups (Tue Jan 26 14:51:15 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
(Tue Jan 26 14:51:17 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client connected!
(Tue Jan 26 14:51:17 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Tue Jan 26 14:51:17 2016) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Tue Jan 26 14:51:17 2016) [sssd[nss]] [nss_cmd_setgrent_send]
(0x0100): Received setgrent request (Tue Jan 26 14:51:17 2016)
[sssd[nss]] [nss_cmd_getgrent] (0x0100): Requesting info for all
groups (Tue Jan 26 14:51:17 2016) [sssd[nss]] [nss_cmd_endgrent] (0x0100): Terminating request info for all groups (Tue Jan 26 14:51:17 2016) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
…I have a feeling my groups setup is not correct !
yes, as mentioned earlier groups need the objectclass posixGroup to have a gidNumber attribute.
Please note that if you use the member attribute with the DNs of the members you have to set 'ldap_schema=rfc2307bis' (see man sssd-ldap for details).
HTH
bye,
Sumit
# Platform, Users, vmlab.ari.cdk.hosting
dn: cn=Platform,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Platform
objectClass: groupOfNames
member: cn=Bob Jones,cn=Steve xxxxxx,cn=Tom xxxxxxx,cn=Max
xxxxxxx,ou=Users ,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Rod xxxxxt,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Steve xxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
member: cn=Tom xxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
# groups, vmlab.ari.cdk.hosting
dn: ou=groups,dc=vmlab,dc=ari,dc=cdk,dc=hosting
objectClass: organizationalUnit
ou: groups
description: generic groups branch
..or is it something else?
When I try and login via the client (SSSD VM) I get access denied.
Thanks again.
From: Murdoch, Steve
Sent: 26 January 2016 13:37
To: 'End-user discussions about the System Security Services Daemon'
Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both
Client & Server CentOS6.7
Hi Sumit - The good news is - # getent passwd is now working - I can see all my LDAP users:
.....
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mxxxxxx:*:502:502:Max xxxxxx:/home/max:
txxxxxx:*:501:501:Tom xxxxxx:/home/tom:
sxxxxxx:*:505:100:Steve xxxxxx:/home/sxxxxxx:
Manager:*:503:503:Manager:/home/Manager:
mxxxxxx:*:504:100:Mike xxxxxx:/home/mxxxxxx:
bjones:*:506:100:Bob Jones:/home/bjones:
admin:*:507:100:admin:/home/admin:
[root@SSSD-VM-Test db]#
.. the bad news is # getent group is not working and therefore (I am assuming) I cannot login on the client and get authorised via SSSD to the LDAP server.
I have added a group - this is what I added:
# groups, vmlab.ari.cdk.hosting
dn: ou=groups,dc=vmlab,dc=ari,dc=cdk,dc=hosting
objectClass: organizationalUnit
ou: groups
description: generic groups branch
..is this ok - or do I need to add more lines?
Many thanks for your help.
-----Original Message-----
From: Murdoch, Steve
Sent: 26 January 2016 10:58
To:
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahostedmailto:sssd-users@lists.fedorahosted.org%3cmailto:sssd-users@lists.fedorahosted
.org>
Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both
Client & Server CentOS6.7
Hi Sumit,
The Primary group 100 exists on the LDAP Server and on the SSSD Client - but the users only exist on the LDAP server (no users added to SSSD).
Sorry, I am not clear what you mean:
you have to add the primary group with GID 100 on the LDAP server as
well
Attached are the nss and domain logs on the SSSD Client as requested.
Thanks
-----Original Message-----
From: Sumit Bose [mailto:sbose@redhat.com]
Sent: 25 January 2016 17:24
To:
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahostedmailto:sssd-users@lists.fedorahosted.org%3cmailto:sssd-users@lists.fedorahosted
.org>
Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client
& Server CentOS6.7
On Mon, Jan 25, 2016 at 03:55:45PM +0000, Murdoch, Steven wrote:
Hi Sumit,
I think I have managed to add in the posixAccount to a user - when I ldapsearch from the client - I get this info for this user:
# mxxxxxx, Users, vmlab.ari.cdk.hosting
dn: uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Mike xxxxxx
sn: xxxxxx
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword:: cEBzc3cwcmQ=
uid: mxxxxxx
uidNumber: 504
gidNumber: 100
homeDirectory: /home/mxxxxxx
..I then tried getent passwd - but same as before I only get local users !
Is there something else that needs a tweak to allow 'getent passwd' to show the ldap users?
you have to add the primary group with GID 100 on the LDAP server as well. If this still does not work please attach the nss and domain logs (see https://fedorahosted.org/sssd/wiki/Troubleshooting for details).
bye,
Sumit
Thanks a lot.
-----Original Message-----
From: Murdoch, Steve
Sent: 25 January 2016 14:55
To: 'End-user discussions about the System Security Services Daemon'
Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both
Client & Server CentOS6.7
Hi Sumit,
Thanks for your help - I am trying to ldapmodify - added these lines to mike.ldif:
dn: uid=mxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
changetype: modify
replace: objectClass
objectClass: posixAccount
uidNumber: 504
userPassword: p@ssw0rd
cn: Mike
sn: xxxxxxx
gidNumber: 100
homeDirectory: /home/mxxxxxx
I used only the first 4 lines - but it complained that I need a uidNumber - so I added in line 5, but then I get this:
ldapmodify: wrong attributeType at line 5, entry "uid=mxxxxxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
...what am I doing wrong?
Thanks
-----Original Message-----
From: Sumit Bose [mailto:sbose@redhat.com]
Sent: 25 January 2016 13:57
To:
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahostmailto:sssd-users@lists.fedorahosted.org%3cmailto:sssd-users@lists.fedorahost
ed.org>
Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both
Client
& Server CentOS6.7
On Mon, Jan 25, 2016 at 01:15:46PM -0000, steven.murdoch@cdk.com<mailto:steven.murdoch@cdk.commailto:steven.murdoch@cdk.com%3cmailto:steven.murdoch@cdk.com> wrote:
Hi - I am new to SSSD and LDAP, and my first posting - so please bare with me.
# getent passwd only displays the local users - will not display
the
LDAP users and is driving me insane - ldapsearch seems to work I
am
using SSSD with TLS to authenticate to LDAP Server The CA.crt files were self signed certificates.
I used # cacertdir_rehash to create to create the sym-link to the
CA.crt on both Client and Server My LDAP Server hostname is 'ActDir-VM-Test'
My SSSD Client hostname is 'SSSD-VM-Test'
Here are my files:
Server - /etc/openldap/slapd.conf:
allow bind_v2
allow bind_anon_dn
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile
/etc/openldap/cacerts/CA.crt TLSCertificateFile
/etc/openldap/cacerts/server.crt TLSCertificateKeyFile
/etc/openldap/cacerts/server.key TLSCipherSuite HIGH:MEDIUM:+TLSv1
TLSVerifyClient never access to
dn.sub="dc=vmlab,dc=ari,dc=cdk,dc=hosting"
by anonymous read
by * read
access to dn.base=""
by anonymous none
by * read
database config
access to *
by
dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
manage
by * none
database monitor
access to *
by
dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
read
by dn.exact="cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
read
by * none
access to * by users read
database bdb
suffix "dc=vmlab,dc=ari,dc=cdk,dc=hosting"
checkpoint 1024 15
rootdn "cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
rootpw p@ssw0rd
loglevel 256
sizelimit unlimited
#
Server - ldap.conf:
TIMELIMIT 120
ssl start_tls
URI ldap://ActDir-VM-Test:389/
BASE cn=Manager,dc=vmlab,dc=ari,dc=cdk,dc=hosting
TLS_REQCERT allow
TLSCACertificatePath /etc/openldap/cacerts TLSCACertificateFile
/etc/openldap/cacerts/CA.crt #
Server - /etc/sysconfig/ldap:
SLAPD_LDAP=yes
# Run slapd with -h "... ldapi:/// ..."
# yes/no, default: yes
SLAPD_LDAPI=no
# Run slapd with -h "... ldaps:/// ..."
# yes/no, default: no
SLAPD_LDAPS=no
#
Server - /etc/pam.d/password-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
#
Server: - /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
#
Server - /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
#
Client - /etc/sssd/sssd.conf: