Fedora 14: GDM, sssd and LDAP authentication

Bernd Nies bernd.nies at gmail.com
Wed Nov 10 07:44:00 UTC 2010 

Hi,

I'm trying to get the GDM login manager to work with sssd and LDAP
authentication. So far one can login with ssh, getent passwd shows all LDAP
users and su - also works. But GDM says "Authentication failure". I searched
Google for this but did not found something useful or just for old Fedora
releases or without the new fancy sssd. The kickstart "authconfig" command
or the GUI "system-config-authentication" did not produce any config that
worked. We are using Sun sirectory server.

I also noticed that there are lot of places where to configugure LDAP client
config: /etc/sssd/sssd.conf, /etc/openldap/ldap.conf, /etc/sysconfig/autofs.
The packages pam_ldap and nss_ldap are missing on the Fedora 14 DVD. Also
the autofs package is missing on the DVD.

How can one get the graphical login manager to work with LDAP authentication
via sssd?

My config:


/etc/nsswitch.conf

passwd:     files sss
shadow:     files sss
group:      files sss


/etc/sssd/sssd.conf

[sssd]
config_file_version = 2
debug_level = 10
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = LOCAL,LDAP

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/LOCAL]
description = LOCAL Users domain
id_provider = local
enumerate = true
min_id = 500
max_id = 999

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = cn=proxyagent,ou=special_users,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = mypassword
ldap_user_search_base = ou=people,dc=example,dc=com
ldap_group_search_base = ou=group,dc=example,dc=com
ldap_tls_reqcert = never
cache_credentials = true
enumerate = true

/etc/pam.d/gdm

auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth       required    pam_succeed_if.so user != root quiet
auth       required    pam_env.so
auth       substack    system-auth
auth       optional    pam_gnome_keyring.so
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    required    pam_selinux.so close
session    required    pam_loginuid.so
session    optional    pam_console.so
session    required    pam_selinux.so open
session    optional    pam_keyinit.so force revoke
session    required    pam_namespace.so
session    optional    pam_gnome_keyring.so auto_start
session    include     system-auth

/etc/pam.d/gdm-password

auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth        substack      password-auth
auth        required      pam_succeed_if.so user != root quiet
auth        optional      pam_gnome_keyring.so

account     required      pam_nologin.so
account     include       password-auth

password    include       password-auth

session     required      pam_selinux.so close
session     required      pam_loginuid.so
session     optional      pam_console.so
session     required      pam_selinux.so open
session     optional      pam_keyinit.so force revoke
session     required      pam_namespace.so
session     optional      pam_gnome_keyring.so auto_start
session     include       password-auth
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.fedoraproject.org/pipermail/users/attachments/20101110/2139e5fb/attachment.html

More information about the users mailing list