On Sun, Mar 13, 2016 at 04:03:50PM -0400, Cyril Scetbon wrote:
I've never said that mixing both was the best option. It's
just easier for me cause pam_ldap is already used and if I can avoid to change the current
configuration I'll be glad.
If you're already running SSSD in your environment, then I don't see a
reason to not go all in..I mean, the deamon would already be up and
you'd actually centralize the configuration in one config file
(sssd.conf) instead of a combination of sssd.conf + pam_ldap.conf.
I don't see any message in the log.
Not even in the secure log? If that's the case then pam_sss is not being
contacted at all (if pam_sss is set up and not pam_ldap).
If you configured pam_sss in the pam stack but you're not seeing any
messages by pam_sss in the secure log or journal then chances are then
the pam_sss module is not being contacted at all (and another module
might abort the PAM conversation sooner..)
In my case, I don't need to access other information but the login (uses
by a database that can use pam for authentication and all permissions are
set at the database level). What is the option to not contact the server
even for the group information if there is one ?
I'm sorry, but I don't understand what do you mean by "even for the group