On Fri, Sep 16, 2016 at 04:01:09PM +0200, Bernd Leibing wrote:
> I'm using sssd 1.13.3 and try to configure sssd for nss and pam both against our
> openldap server. Nss seems to work but pam doesn't.
>
>
> # getent passwd timap
> timap:*:41848:400:Test Imap:/users/org1/timap:/usr/local/bin/bash
>
> but login of the timap user fails:
>
> syslog output:
> login[2315]: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=timap
> login[2315]: pam_sss(login:auth): received for user timap: 7 (Authentication failure)
> login[2315]: FAILED LOGIN 1 FROM tty1 FOR timap, Authentication failure
>
>
> Maybe we have an unusual ldap server setup. There is a privileged DN
> cn=roadmin,ou=people,ou=admin,dc=myorg,dc=de
> to access all posixAccount objects.
>
> A user account has these attributes:
>
> # ldapsearch -x -w secret -D "cn=roadmin,ou=people,ou=admin,dc=myorg,dc=de" '(&(uid=timap)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))'
> # extended LDIF
> #
> # LDAPv3
> # base <ou=people,dc=myorg,dc=de> (default) with scope subtree
> # filter: (&(uid=timap)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))
> # requesting: ALL
> #
>
> # timap, people, myorg.de
> dn: uid=timap,ou=people,dc=myorg,dc=de
> userPassword:: e0NSWVBUfSQ2JDV5N1B5RC84N3pRY2VmZlgkMk1LQjAxc1pFNzBzYXFsOUhZNWo
>  3WFhJSVZXOWMuTHdOZEZpMzV5UVpzYlN0ZGpLVDVhdVdKeWRlcVdBSDMySmhwanZMNGJkZnVhYXMy
>  SVFxVG41Yi8=
> cn: timap
> gecos: Test Imap
> gidNumber: 400
> homeDirectory: /users/org1/timap
> loginShell: /usr/local/bin/bash
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> objectClass: shadowAccount
> uid: timap
> uidNumber: 41848
>
>
>
>
> My configuration is
>
> --------/etc/sssd/sssd.conf-------------------
> [sssd]
> config_file_version = 2
> services = nss,pam
> domains = LDAP
>
> [nss]
> filter_groups = root
> filter_users = root
>
> [pam]
> pam_verbosity = 3
>
> [domain/LDAP]
> debug_level = 0xFFF0
> ldap_uri = ldaps://ldapserver.myorg.de
> ldap_search_base = dc=myorg,dc=de
> ldap_schema = rfc2307
> id_provider = ldap
> ldap_id_use_start_tls = True
> enumerate = False
> cache_credentials = True
> chpass_provider = ldap
> auth_provider = ldap
> ldap_tls_cacertdir = /var/ldap
> ldap_tls_cacert = /var/ldap/certdb.pem
> ldap_tls_reqcert = demand
> ldap_default_bind_dn = cn=roadmin,ou=people,ou=admin,dc=myorg,dc=de
> ldap_default_authtok_type = password
> ldap_default_authtok = secret
> ---------------------------------------
>
> --------/etc/nsswitch.conf-------------
> passwd: files sss
> group: files sss
> shadow: files sss
>
> hosts: files dns
> ---------------------------------------
>
>
>
> Excerpt of sssd_LDAP.log:
> [sssd[be[LDAP]]] [simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
> [sssd[be[LDAP]]] [simple_bind_send] (0x0100): Executing simple bind as: cn=roadmin,ou=people,ou=admin,dc=myorg,dc=de
> [sssd[be[LDAP]]] [set_server_common_status] (0x0100): Marking server 'ldapserver.myorg.de' as 'working'
> [sssd[be[LDAP]]] [be_get_account_info] (0x0200): Got request for [0x1001][FAST BE_REQ_USER][1][name=timap]
> [sssd[be[LDAP]]] [be_req_set_domain] (0x0400): Changing request domain from [LDAP] to [LDAP]
> [sssd[be[LDAP]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
> [sssd[be[LDAP]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=myorg,dc=de]
> [sssd[be[LDAP]]] [sdap_print_server] (0x2000): Searching xxx.xxx.xxx.xxx
> [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=timap)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=myorg,dc=de].
> [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
> [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
> [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
> [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
> [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
> [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gecos]
> [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [homeDirectory]
> [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
> [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPrincipalName]
> [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
> [sssd[be[LDAP]]] [sdap_parse_entry] (0x1000): OriginalDN: [uid=timap,ou=people,dc=myorg,dc=de].
> [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [userPassword]
> [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [cn]
> [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [gecos]
> [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [gidNumber]
> [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [homeDirectory]
> [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [loginShell]
> [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [objectClass]
> [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [uid]
> [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [uidNumber]
> [sssd[be[LDAP]]] [sdap_parse_range] (0x2000): No sub-attributes for [modifyTimestamp]
> [sssd[be[LDAP]]] [sdap_save_user] (0x2000): Adding originalDN [uid=timap,ou=people,dc=myorg,dc=de] to attributes of [timap].
> [sssd[be[LDAP]]] [sdap_save_user] (0x0400): Storing info for user timap
>
> So far this looks good. nss is working, but the PAM request is not!
> PAM is using an additional simple_bind as
> uid=timap,ou=people,dc=myorg,dc=de
> instead of directly authenticating against the hash of the timap
> userPassword attribute we already got from the ldap request above.
Binding as 'self' is the only supported LDAP authentication method in SSSD, sorry.

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
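As an added example (not from this thread or from the SSSD project), a small parser for the simple_bind lines of the sssd_LDAP.log format quoted above. It separates the id-provider bind as ldap_default_bind_dn from the auth-provider bind as the user's own DN, which is the bind pam_sss depends on and the one to look at when a login fails. The sample log lines are constructed in that format; the wording "Invalid credentials(49)" for the failed user bind is assumed, not taken from the page.

```python
import re
from dataclasses import dataclass

# DN that sssd.conf sets as ldap_default_bind_dn (taken from the quoted config).
SERVICE_DN = "cn=roadmin,ou=people,ou=admin,dc=myorg,dc=de"

# Constructed sample in the sssd_LDAP.log format quoted above: the id lookup binds
# as the service DN, the PAM auth request binds as the user's own DN.  The wording
# "Invalid credentials(49)" for the failed bind is assumed, not taken from the page.
SAMPLE_LOG = """\
(Fri Sep 16 16:01:09 2016) [sssd[be[LDAP]]] [simple_bind_send] (0x0100): Executing simple bind as: cn=roadmin,ou=people,ou=admin,dc=myorg,dc=de
(Fri Sep 16 16:01:09 2016) [sssd[be[LDAP]]] [simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set
(Fri Sep 16 16:01:12 2016) [sssd[be[LDAP]]] [simple_bind_send] (0x0100): Executing simple bind as: uid=timap,ou=people,dc=myorg,dc=de
(Fri Sep 16 16:01:12 2016) [sssd[be[LDAP]]] [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), no errmsg set
""".splitlines()

FUNC_RE = re.compile(r"\[(?P<func>simple_bind_send|simple_bind_done)\] \(0x[0-9A-Fa-f]+\): (?P<msg>.*)$")
SEND_RE = re.compile(r"Executing simple bind as: (?P<dn>.+)$")
DONE_RE = re.compile(r"Bind result: (?P<text>[^(]+)\((?P<code>\d+)\)")

@dataclass
class BindAttempt:
    dn: str
    role: str          # "service" = ldap_default_bind_dn, "user" = bind as self
    result: str = ""   # text of the LDAP result, e.g. "Success"
    code: int = -1     # LDAP result code; 0 is success, -1 means no done line seen yet

def parse_bind_attempts(lines, service_dn: str = SERVICE_DN) -> list:
    """Pair each simple_bind_send line with the simple_bind_done line that follows it."""
    attempts = []
    for line in lines:
        m = FUNC_RE.search(line)
        if not m:
            continue
        if m["func"] == "simple_bind_send":
            s = SEND_RE.search(m["msg"])
            if s:
                dn = s["dn"].strip()
                role = "service" if dn.lower() == service_dn.lower() else "user"
                attempts.append(BindAttempt(dn=dn, role=role))
        elif attempts and attempts[-1].code == -1:  # done line for the pending send
            d = DONE_RE.search(m["msg"])
            if d:
                attempts[-1].result = d["text"].strip()
                attempts[-1].code = int(d["code"])
    return attempts

def failed_user_binds(attempts) -> list:
    """Binds as the user's own DN that did not return Success(0): the path pam_sss depends on."""
    return [a for a in attempts if a.role == "user" and a.code not in (-1, 0)]
```

A non-zero code on a "user" bind means the directory rejected the user's own DN and password, which is the only thing the auth provider will try; the successful "service" bind says nothing about that.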