Fedora 14: GDM, sssd and LDAP authentication

Stephen Gallagher sgallagh at redhat.com
Wed Nov 10 11:47:11 UTC 2010



On 11/10/2010 02:44 AM, Bernd Nies wrote:
> Hi,
> 
> I'm trying to get the GDM login manager to work with sssd and LDAP
> authentication. So far one can login with ssh, getent passwd shows all
> LDAP users and su - also works. But GDM says "Authentication failure". I
> searched Google for this but did not find anything useful, or just for
> old Fedora releases or without the new fancy sssd. The kickstart
> "authconfig" command or the GUI "system-config-authentication" did not
> produce any config that worked. We are using Sun Directory Server.
> 
> I also noticed that there are a lot of places to configure the LDAP
> client: /etc/sssd/sssd.conf, /etc/openldap/ldap.conf,
> /etc/sysconfig/autofs. The packages pam_ldap and nss_ldap are missing on
> the Fedora 14 DVD. Also the autofs package is missing on the DVD.
> 
> How can one get the graphical login manager to work with LDAP
> authentication via sssd?
> 
> My config:
> 
> 
> /etc/nsswitch.conf
> 
> passwd:     files sss
> shadow:     files sss
> group:      files sss
> 
> 
> /etc/sssd/sssd.conf
> 
> [sssd]
> config_file_version = 2
> debug_level = 10
> reconnection_retries = 3
> sbus_timeout = 30
> services = nss, pam
> domains = LOCAL,LDAP
> 
> [nss]
> filter_groups = root
> filter_users = root
> reconnection_retries = 3
> 
> [pam]
> reconnection_retries = 3
> 
> [domain/LOCAL]
> description = LOCAL Users domain
> id_provider = local
> enumerate = true
> min_id = 500
> max_id = 999
> 
> [domain/LDAP]
> id_provider = ldap
> auth_provider = ldap
> ldap_schema = rfc2307
> ldap_uri = ldap://ldap.example.com
> ldap_search_base = dc=example,dc=com
> ldap_default_bind_dn = cn=proxyagent,ou=special_users,dc=example,dc=com
> ldap_default_authtok_type = password
> ldap_default_authtok = mypassword
> ldap_user_search_base = ou=people,dc=example,dc=com
> ldap_group_search_base = ou=group,dc=example,dc=com
> ldap_tls_reqcert = never
> cache_credentials = true
> enumerate = true
> 
> /etc/pam.d/gdm
> 
> auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
> auth       required    pam_succeed_if.so user != root quiet
> auth       required    pam_env.so
> auth       substack    system-auth
> auth       optional    pam_gnome_keyring.so
> account    required    pam_nologin.so
> account    include     system-auth
> password   include     system-auth
> session    required    pam_selinux.so close
> session    required    pam_loginuid.so
> session    optional    pam_console.so
> session    required    pam_selinux.so open
> session    optional    pam_keyinit.so force revoke
> session    required    pam_namespace.so
> session    optional    pam_gnome_keyring.so auto_start
> session    include     system-auth
> 
> /etc/pam.d/gdm-password
>  
> auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
> auth        substack      password-auth
> auth        required      pam_succeed_if.so user != root quiet
> auth        optional      pam_gnome_keyring.so
> 
> account     required      pam_nologin.so
> account     include       password-auth
> 
> password    include       password-auth
> 
> session     required      pam_selinux.so close
> session     required      pam_loginuid.so
> session     optional      pam_console.so
> session     required      pam_selinux.so open
> session     optional      pam_keyinit.so force revoke
> session     required      pam_namespace.so
> session     optional      pam_gnome_keyring.so auto_start
> session     include       password-auth
> 
> 


Check out your /etc/pam.d/password-auth and compare it to
/etc/pam.d/system-auth.

Most services rely on system-auth (which is why everything but GDM is
working) but GDM's multiple authentication stack approach requires that
password-auth also be updated to use pam_sss.so.

Alternately, you could run the authconfig-gtk UI and set up LDAP there
(which will handle all of the PAM setup) and then manually edit
sssd.conf to make the tweaks you want.

-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
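The comparison Stephen suggests, as an added example that is not part of the thread: a small POSIX shell audit that lists which PAM management groups in a stack file actually call pam_sss.so, then checks that both system-auth and password-auth carry it in the auth and account stacks (the reason gdm-password fails while ssh and su work). The two PAM files are constructed samples standing in for /etc/pam.d/system-auth and /etc/pam.d/password-auth; the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: audit PAM stack files for pam_sss.so.
# gdm-password pulls in password-auth (auth substack password-auth) while most
# services use system-auth, so LDAP logins need pam_sss.so in BOTH files.
# The two files below are constructed samples standing in for the real
# /etc/pam.d/system-auth and /etc/pam.d/password-auth.
TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
SYSTEM_AUTH="$TMPD/system-auth"; PASSWORD_AUTH="$TMPD/password-auth"
cat > "$SYSTEM_AUTH" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient    pam_unix.so sha512 shadow nullok use_authtok
password    sufficient    pam_sss.so use_authtok
session     required      pam_unix.so
session     optional      pam_sss.so
EOF
# A password-auth that authconfig never touched: no pam_sss.so at all.
cat > "$PASSWORD_AUTH" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    sufficient    pam_unix.so sha512 shadow nullok use_authtok
session     required      pam_unix.so
EOF

# List the management groups (auth, account, ...) in FILE whose stack calls
# MODULE, one per line; comments and include/substack lines are skipped.
pam_groups_using() {  # FILE MODULE
    grep -v '^[[:space:]]*#' "$1" |
      awk -v mod="$2" '$2 != "include" && $2 != "substack" && index($0, mod) { print $1 }' |
      sort -u
}

# Return 0 only if every listed GROUP in FILE calls MODULE; name the gaps.
pam_requires_module() {  # FILE MODULE GROUP...
    f=$1; mod=$2; shift 2; found=$(pam_groups_using "$f" "$mod"); rc=0
    for g in "$@"; do
        echo "$found" | grep -qx "$g" || { echo "$f: '$g' stack lacks $mod" >&2; rc=1; }
    done
    return $rc
}

for f in "$SYSTEM_AUTH" "$PASSWORD_AUTH"; do
    if pam_requires_module "$f" pam_sss.so auth account; then echo "ok: $f"; fi
done
```

Run against the real files on the affected host, the second check is the one that reports the missing module; after running authconfig-gtk (or adding the pam_sss.so lines by hand) both files should pass.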

