On Tue, Dec 06, 2016 at 01:15:18PM +0100, Johan Kragsterman wrote:
Hi!
As an LDAP newbie (but not a UNIX newbie) I try to set up a test environment.
I use OpenDJ from Forgerock, and sssd on Ubuntu 16.10. System info further down.
I think I got a working server setup; I got a test user "sven" that I can find
with various methods, like:
sudo ldapsearch -xv -h ldap -LLL -b "dc=hemma,dc=home" uid=sven
ldap_initialize( ldap://ldap )
filter: uid=sven
requesting: All userApplication attributes
dn: uid=sven,ou=People,dc=hemma,dc=home
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: organizationalPerson
objectClass: top
gidNumber: 1003
uid: sven
sn: Persson
cn: SvenP
initials: SPE
description: This is the description for Sven Persson, test user
givenName: Sven
homeDirectory: /mnt/nfs/home/sven
uidNumber: 1003
or:
id sven
uid=1003(sven) gid=1003(sven) groups=1003(sven)
or:
getent passwd sven
sven:*:1003:1003:SvenP:/mnt/nfs/home/sven:
or:
getent group sven
sven:*:1003:sven
BUT!
NOT with getent shadow.
We don't implement the shadow map. Users log in by binding to the remote
directory.
and:
I can't log in, not on the workstation, nor with ssh or su user.
I got a strong feeling it is PAM...
Here are some lines from /var/log/auth.log when I tried su user:
Dec 6 11:29:34 GX620 su[2069]: pam_unix(su:auth): authentication failure; logname=bo uid=1000 euid=0 tty=/dev/pts/1 ruser=bo rhost= user=sven
Dec 6 11:29:34 GX620 su[2069]: pam_sss(su:auth): authentication failure; logname=bo uid=1000 euid=0 tty=/dev/pts/1 ruser=bo rhost= user=sven
Dec 6 11:29:34 GX620 su[2069]: pam_sss(su:auth): received for user sven: 6 (Permission denied)
Please provide sssd logs:
https://fedorahosted.org/sssd/wiki/Troubleshooting
Dec 6 11:29:34 GX620 su[2069]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Dec 6 11:29:34 GX620 su[2069]: pam_ldap: reconnecting to LDAP server...
Dec 6 11:29:34 GX620 su[2069]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Dec 6 11:29:36 GX620 su[2069]: pam_authenticate: Authentication failure
Dec 6 11:29:36 GX620 su[2069]: FAILED su for sven by bo
I would recommend against using pam_ldap and pam_sss together.
System information:
System: Ubuntu 16.10
sssd version: 1.13.4
LDAP server OpenDJ 3.0
sssd.conf:
~$ sudo cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss,pam
domain = HEMMA.HOME
[nss]
filter_users = root
filter_groups = root
[pam]
[domain/HEMMA.HOME]
autofs_provider = ldap
ldap_schema = rfc2307bis
ldap_search_base = dc=hemma,dc=home
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_tls_reqcert = never
ldap_uri = ldap://ldap:389
ldap_id_use_start_tls = False
cache_credentials = True
enumerate = True
Depending on your directory size, enumerate=true is not a good choice.
Please revert the setting, at least for debugging the issue (examining the
logs with enumerate=true is much harder than without).
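The following is an added example, not code from either mail or from the SSSD project. It re-checks the posted sssd.conf for the points raised in the reply (enumerate=True, stacking pam_ldap with pam_sss) and for two things the reply does not mention but the posted file shows: the [sssd] section uses the key "domain" where sssd.conf(5) calls it "domains", and the domain talks to ldap://ldap:389 with ldap_id_use_start_tls = False and ldap_tls_reqcert = never, so identity lookups run in cleartext and, where TLS is used, the server certificate is never verified. The common-auth stack below is constructed to match the module order in the auth.log lines; it is not the poster's actual file. Note that ldap_id_use_start_tls only governs identity lookups; the auth provider refuses to bind over cleartext unless explicitly told otherwise, so this linter does not claim that the password itself went in the clear.

```python
"""Lint an sssd.conf and a PAM auth stack for the issues discussed in the thread.
Added example; not from the mails or the SSSD project."""
import configparser
import re

# Constructed: the sssd.conf as posted, minus the shell prompt line.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss,pam
domain = HEMMA.HOME
[nss]
filter_users = root
filter_groups = root
[pam]
[domain/HEMMA.HOME]
autofs_provider = ldap
ldap_schema = rfc2307bis
ldap_search_base = dc=hemma,dc=home
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_tls_reqcert = never
ldap_uri = ldap://ldap:389
ldap_id_use_start_tls = False
cache_credentials = True
enumerate = True
"""

# Constructed: a Debian-style /etc/pam.d/common-auth stacking pam_unix, pam_sss
# and pam_ldap in the order the auth.log lines show them being tried.
SAMPLE_COMMON_AUTH = """\
auth    [success=3 default=ignore]      pam_unix.so nullok_secure
auth    [success=2 default=ignore]      pam_sss.so use_first_pass
auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
"""

# Same file with the weak settings corrected (hostnames/ports are assumptions).
HARDENED_SSSD_CONF = (SAMPLE_SSSD_CONF
                      .replace("domain = HEMMA.HOME", "domains = HEMMA.HOME")
                      .replace("ldap_tls_reqcert = never", "ldap_tls_reqcert = demand")
                      .replace("ldap://ldap:389", "ldaps://ldap:636")
                      .replace("enumerate = True", "enumerate = False"))


def _is_true(value):
    return value.strip().lower() in ("true", "yes", "1", "on")


def lint_sssd_conf(text):
    """Return (section, key, message) tuples for the settings that matter here."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written; sssd keys are lowercase anyway
    cp.read_string(text)
    findings = []
    if cp.has_section("sssd") and "domains" not in cp["sssd"]:
        findings.append(("sssd", "domains",
                         "no 'domains' key: the option listing domains is 'domains'"))
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        if _is_true(dom.get("enumerate", "false")):
            findings.append((section, "enumerate",
                             "enumerate = True pulls the whole directory into the cache "
                             "and floods the logs; set False while debugging"))
        uri = dom.get("ldap_uri", "")
        if uri.startswith("ldap://") and not _is_true(dom.get("ldap_id_use_start_tls", "false")):
            findings.append((section, "ldap_id_use_start_tls",
                             "ldap:// without StartTLS: identity lookups travel in cleartext"))
        if dom.get("ldap_tls_reqcert", "").strip().lower() == "never":
            findings.append((section, "ldap_tls_reqcert",
                             "'never' accepts any server certificate, so TLS does not "
                             "authenticate the directory"))
    return findings


_PAM_MODULE = re.compile(r"\b(pam_\w+)\.so\b")


def pam_auth_modules(text):
    """Ordered list of modules on the 'auth' lines of a PAM stack (comments skipped)."""
    modules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "auth":
            continue
        match = _PAM_MODULE.search(line)
        if match:
            modules.append(match.group(1))
    return modules


def mixes_ldap_and_sss(text):
    """True when pam_ldap and pam_sss are both stacked for auth, which the reply advises against."""
    mods = set(pam_auth_modules(text))
    return "pam_ldap" in mods and "pam_sss" in mods


if __name__ == "__main__":
    for section, key, msg in lint_sssd_conf(SAMPLE_SSSD_CONF):
        print(f"[{section}] {key}: {msg}")
    if mixes_ldap_and_sss(SAMPLE_COMMON_AUTH):
        print("common-auth stacks pam_ldap and pam_sss; keep one of them")
    print("hardened config findings:", lint_sssd_conf(HARDENED_SSSD_CONF))
```

Run it against the real files with the sample strings swapped for open("/etc/sssd/sssd.conf").read() and open("/etc/pam.d/common-auth").read(); the hardened variant lints clean, and on Ubuntu the usual fix for the PAM side is to remove the libpam-ldap package (or run pam-auth-update) rather than editing common-auth by hand.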