On Mon, Jul 28, 2014 at 05:32:40PM +0000, Sterling Sahaydak wrote:
> Running CentOS 6.5 sssd 1.9.2 in a test environment and trying to
> authenticate user: testjoe to ssh to server ldap01.something.net
> running openldap on ldap01.something.net and trying to authenticate to it.
>
>
> [root@testmachine sssd]# cat sssd.conf
> [domain/default]
> ldap_id_use_start_tls = True
> cache_credentials = True
> ldap_search_base = dc=something,dc=net
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_uri = ldaps://ldap01.something.net
> ldap_tls_cacertdir = /etc/openldap/certs
>
> [sssd]
> config_file_version = 2
> services = nss, pam, sudo
> domains = default, LDAP
>
> [nss]
> filter_users = root
> filter_groups = root
>
> [pam]
Can you also inlude debugging from the pam responder?
>
> [sudo]
>
> [domain/LDAP]
> access_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> id_provider = ldap
> sudo_provider = ldap
> debug_level = 7
> cache_credentials = true
> enumerate = true
I would suggest to not use enumerate=true unless some legacy application
needs that.
>
> ldap_access_filter = cn=allowedusers,ou=Groups,dc=something,dc=net
> ldap_search_base = dc=something,dc=net
> ldap_sudo_search_base = ou=sudoers,dc=something,dc=net
> ldap_tls_cacert = /etc/openldap/certs/cacert.pem
> ldap_tls_reqcert = allow
> ldap_uri = ldaps://ldap01.something.net
Why do you have two domains defined with the same server but access
control defined only in the first one.
>
>
>
> [root@testmachine pam.d]# cat password-auth
[...]
The PAM config looks OK to me, although you might want to re-run
# authconfig --enablesssdauth --enablesssd --update
to make sure.
Did you include 'sss' to /etc/nsswitch.conf?
Are the LDAP users resolvable with getent passwd $username?
What does /var/log/secure say when you attempt to authenticate?
>
>
>
>
> (Mon Jul 28 13:06:43 2014) [sssd[be[LDAP]]] [fo_resolve_service_send]
> (0x0100): Trying to resolve service 'LDAP'
[...]
This log doesn't contain an authentication attempt, only enumerating
users, groups, services and sudo rules.
_______________________________________________
sssd-devel mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel