Fedora 14: GDM, sssd and LDAP authentication
Bernd Nies
bernd.nies at gmail.com
Wed Nov 10 07:44:00 UTC 2010
Hi,
I'm trying to get the GDM login manager to work with sssd and LDAP
authentication. So far one can log in with ssh, getent passwd shows all LDAP
users and su - also works. But GDM says "Authentication failure". I searched
Google for this but did not find anything useful, only hits for old Fedora
releases or without the new fancy sssd. The kickstart "authconfig" command
or the GUI "system-config-authentication" did not produce any config that
worked. We are using Sun Directory Server.
I also noticed that there are a lot of places where the LDAP client gets
configured: /etc/sssd/sssd.conf, /etc/openldap/ldap.conf, /etc/sysconfig/autofs.
The packages pam_ldap and nss_ldap are missing on the Fedora 14 DVD. Also
the autofs package is missing on the DVD.
How can one get the graphical login manager to work with LDAP authentication
via sssd?
My config:
/etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
/etc/sssd/sssd.conf
[sssd]
config_file_version = 2
debug_level = 10
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = LOCAL,LDAP
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/LOCAL]
description = LOCAL Users domain
id_provider = local
enumerate = true
min_id = 500
max_id = 999
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = cn=proxyagent,ou=special_users,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = mypassword
ldap_user_search_base = ou=people,dc=example,dc=com
ldap_group_search_base = ou=group,dc=example,dc=com
ldap_tls_reqcert = never
cache_credentials = true
enumerate = true
/etc/pam.d/gdm
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_succeed_if.so user != root quiet
auth required pam_env.so
auth substack system-auth
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session optional pam_gnome_keyring.so auto_start
session include system-auth
/etc/pam.d/gdm-password
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth substack password-auth
auth required pam_succeed_if.so user != root quiet
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include password-auth
password include password-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session optional pam_gnome_keyring.so auto_start
session include password-auth
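The two GDM services shown above do not chain into the same stack: /etc/pam.d/gdm substacks system-auth, while /etc/pam.d/gdm-password substacks password-auth, and on Fedora authconfig writes those two files separately. Before turning to sssd's own logs, a quick way to see which backend each GDM service actually reaches is to flatten the include/substack chain and check whether pam_sss.so appears in the auth and account phases. The script below is an added example written for this post, not code from the post or from sssd/GDM; the PAM files in PAM_DIR are constructed to mirror the ones quoted above, and the password-auth file without pam_sss.so is a hypothetical case chosen to show what the check reports when one of the two stacks was not generated with sssd enabled.

```python
"""Flatten a PAM service's include/substack chain and report whether pam_sss.so
is consulted. Added example; the files in PAM_DIR are constructed, not read from
a live system."""

# Constructed sample /etc/pam.d tree. system-auth carries pam_sss.so; password-auth
# (hypothetically) does not, which is the kind of split this check surfaces.
PAM_DIR = {
    "gdm": """\
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_succeed_if.so user != root quiet
auth required pam_env.so
auth substack system-auth
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include system-auth
""",
    "gdm-password": """\
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth substack password-auth
auth required pam_succeed_if.so user != root quiet
account required pam_nologin.so
account include password-auth
""",
    "system-auth": """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
""",
    "password-auth": """\
# constructed: a password-auth written without sssd enabled
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
account required pam_unix.so
""",
}


def parse_lines(text):
    """Yield (type, control, module, args) for each non-comment PAM line.
    Handles optional '-type' prefixes and bracketed control fields."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        mtype, rest = line.split(None, 1)
        mtype = mtype.lstrip("-").lower()
        if rest.startswith("["):
            end = rest.index("]")
            control, rest = rest[:end + 1], rest[end + 1:].strip()
        else:
            control, rest = (rest.split(None, 1) + [""])[:2]
        parts = rest.split()
        module, args = (parts[0], parts[1:]) if parts else ("", [])
        yield mtype, control, module, args


def resolve_stack(service, mtype, files=PAM_DIR, depth=0, seen=None):
    """Return the ordered list of modules consulted for one module type,
    following include/substack directives; include loops are cut off."""
    seen = seen if seen is not None else set()
    if service in seen or depth > 8:
        return []
    seen = seen | {service}
    stack = []
    for t, control, module, args in parse_lines(files.get(service, "")):
        if t != mtype:
            continue
        if control in ("include", "substack"):
            stack.extend(resolve_stack(module, mtype, files, depth + 1, seen))
        else:
            stack.append(module)
    return stack


def sss_reachable(service, mtype="auth", files=PAM_DIR):
    """True when pam_sss.so is somewhere in the flattened chain for mtype."""
    return "pam_sss.so" in resolve_stack(service, mtype, files)


def report(files=PAM_DIR):
    """Map each gdm* service to whether its auth and account phases reach pam_sss.so."""
    return {svc: {"auth": sss_reachable(svc, "auth", files),
                  "account": sss_reachable(svc, "account", files)}
            for svc in files if svc.startswith("gdm")}


if __name__ == "__main__":
    for svc, phases in sorted(report().items()):
        print(f"{svc:14s} auth:{phases['auth']}  account:{phases['account']}")
```

To run it against a real machine, replace PAM_DIR with a dict built from the files in /etc/pam.d; the parser only needs the type, control and module columns, so the `[...]` control syntax used by the gdm files above is handled the same as the plain keywords.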