Hello, fighting a major problem here. Running recent CURRENT and 15-STABLE here. Recently we switched from net/nss-pam-ldapd to security/sssd2 (with net/samba423).

I've used https://wiki.freebsd.org/KubilayKocak/SystemSecurityServicesDaemon as a basis for further steps. User backend is net/openldap26-server using the ppolicy overlay. For the record: the LDAP DIT was migrated from 2.4 to 2.6 a couple of years ago (successfully).

Adjusting FreeBSD's PAM config for "other", "system", "sshd" has worked well for sshd and system/login so far (see below for more info). When logging in via sshd as an LDAP-backed user, everything runs smoothly (no dubious messages about expired passwords or similar). Local (console) login for those users also works as expected without further incident or report of expired passwords.

When it comes to X11/xdm on local machines using GUI/X11/xdm, login fails for LDAP-backed users. FreeBSD's /var/log/auth.log reports:

Mar 22 14:17:41 <10.5> myhost xdm[7440]: LOGIN FAILURE ON :0, username

The LDAP objects (users) do not have the shadowAccount objectclass, nor its attributes (I deleted those; with or without it doesn't change anything).

It drives me nuts, I spent two days figuring out what's being missed by xdm, but I couldn't find anything suitable. Maybe someone has already solved a similar problem ...

/etc/nsswitch.conf has been adapted appropriately, i.e.

[...]
passwd: files sss ldap

(I'm using a hybrid solution for now to serve xdm with the old nslcd.)

In the config shown below, with module account the term "optional|sufficient" means: I use either or - only one - not both.

[... /etc/pam.d/xdm ...]

#
# PAM configuration for the "xdm" service
#

# auth
#auth		sufficient	pam_krb5.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
#auth		sufficient	pam_ssh.so		no_warn try_first_pass
#auth		sufficient	/usr/local/lib/pam_ldap.so
auth		sufficient	/usr/local/lib/pam_sss.so	forward_pass
auth		required	pam_unix.so		no_warn try_first_pass

# account
account		required	pam_nologin.so
#account	required	pam_krb5.so
#account	optional	/usr/local/lib/pam_ldap.so
account		optional|sufficient	/usr/local/lib/pam_sss.so \
		ignore_authinfo_unavail ignore_unknown_user
account		required	pam_unix.so

# session
#session	required	pam_ssh.so		want_agent
session		required	pam_lastlog.so		no_fail
session		required	pam_xdg.so

# password
password	required	pam_deny.so

-- 
A FreeBSD user
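The message above leaves open what "optional" versus "sufficient" on the pam_sss account line actually changes. As an added illustration (my own example, not code from the original message, from sssd or from OpenPAM), the Python below parses the account phase of the posted xdm stack and walks it with a simplified model of OpenPAM's control flags: "requisite" fails at once, "required" records the first failure but keeps walking, "sufficient" ends the phase with success if nothing required has failed yet, and "optional" is ignored. The per-module results fed in (an LDAP-backed user, a local user, and an LDAP-backed user while sssd is unreachable so pam_sss returns PAM_IGNORE because of ignore_authinfo_unavail) are constructed scenarios, not observations from the poster's hosts, and the model omits OpenPAM's "binding" flag and its handling of a phase where every module returns PAM_IGNORE.

```python
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Results a module can hand back for one phase (constructed labels).
SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"


@dataclass
class Rule:
    phase: str                  # auth / account / session / password
    control: str                # required / requisite / sufficient / optional
    module: str                 # module path exactly as written in the file
    options: Tuple[str, ...] = ()


def parse_pam_config(text: str) -> List[Rule]:
    """Parse pam.d-style text: '#' comments, blank lines, backslash continuation."""
    rules: List[Rule] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):          # rule continues on the next line
            pending += line[:-1] + " "
            continue
        line, pending = (pending + line).strip(), ""
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(Rule(parts[0], parts[1], parts[2], tuple(parts[3:])))
    return rules


def run_phase(rules: List[Rule], phase: str, results: Dict[str, str]) -> str:
    """Walk one phase with simplified OpenPAM control-flag rules (assumption).

    `results` maps a module basename (e.g. 'pam_sss.so') to the result it
    would return; a module missing from the map is treated as failing.
    """
    first_error = None           # first failing 'required' module, if any
    any_success = False
    for rule in (r for r in rules if r.phase == phase):
        res = results.get(os.path.basename(rule.module), FAIL)
        if rule.control == "requisite":
            if res == FAIL:      # fail immediately, skip the rest of the stack
                return FAIL
            any_success |= res == SUCCESS
        elif rule.control == "required":
            if res == FAIL and first_error is None:
                first_error = rule.module   # remembered, but keep walking
            any_success |= res == SUCCESS
        elif rule.control == "sufficient":
            if res == SUCCESS and first_error is None:
                return SUCCESS   # short-circuit: later rules never run
        elif rule.control == "optional":
            pass                 # result does not influence the outcome
        else:
            raise ValueError(f"unknown control flag {rule.control!r}")
    if first_error is not None:
        return FAIL
    return SUCCESS if any_success else FAIL


# Account phase of the posted /etc/pam.d/xdm, with the "optional|sufficient"
# placeholder filled in by the caller.
XDM_ACCOUNT = """\
# account
account required pam_nologin.so
account {control} /usr/local/lib/pam_sss.so \\
    ignore_authinfo_unavail ignore_unknown_user
account required pam_unix.so
"""

# Constructed per-module results for three scenarios; not observed data.
LDAP_USER = {"pam_nologin.so": SUCCESS, "pam_sss.so": SUCCESS, "pam_unix.so": FAIL}
LOCAL_USER = {"pam_nologin.so": SUCCESS, "pam_sss.so": IGNORE, "pam_unix.so": SUCCESS}
LDAP_USER_SSSD_DOWN = {"pam_nologin.so": SUCCESS, "pam_sss.so": IGNORE, "pam_unix.so": FAIL}


def compare_controls(results: Dict[str, str]) -> Dict[str, str]:
    """Outcome of the account phase with pam_sss as 'optional' vs 'sufficient'."""
    return {
        control: run_phase(parse_pam_config(XDM_ACCOUNT.format(control=control)),
                           "account", results)
        for control in ("optional", "sufficient")
    }


if __name__ == "__main__":
    for name, res in (("LDAP user", LDAP_USER), ("local user", LOCAL_USER),
                      ("LDAP user, sssd unreachable", LDAP_USER_SSSD_DOWN)):
        print(f"{name:30} {compare_controls(res)}")
```

Under this model the two spellings only diverge when pam_sss succeeds and a later required module (here pam_unix) fails: with "optional" the pam_sss result is discarded and pam_unix decides, with "sufficient" the phase ends successfully before pam_unix runs. When pam_sss returns PAM_IGNORE (local user, or sssd unreachable with ignore_authinfo_unavail) both spellings behave identically, which is why the check is worth running before reading anything into a LOGIN FAILURE line.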