Fedora 14: GDM, sssd and LDAP authentication
Stephen Gallagher
sgallagh at redhat.com
Wed Nov 10 11:47:11 UTC 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 11/10/2010 02:44 AM, Bernd Nies wrote:
> Hi,
>
> I'm trying to get the GDM login manager to work with sssd and LDAP
> authentication. So far one can login with ssh, getent passwd shows all
> LDAP users and su - also works. But GDM says "Authentication failure". I
> searched Google for this but did not find anything useful, or only for
> old Fedora releases or without the new fancy sssd. The kickstart
> "authconfig" command or the GUI "system-config-authentication" did not
> produce any config that worked. We are using Sun Directory Server.
>
> I also noticed that there are a lot of places where to configure LDAP
> client config: /etc/sssd/sssd.conf, /etc/openldap/ldap.conf,
> /etc/sysconfig/autofs. The packages pam_ldap and nss_ldap are missing on
> the Fedora 14 DVD. Also the autofs package is missing on the DVD.
>
> How can one get the graphical login manager to work with LDAP
> authentication via sssd?
>
> My config:
>
>
> /etc/nsswitch.conf
>
> passwd: files sss
> shadow: files sss
> group: files sss
>
>
> /etc/sssd/sssd.conf
>
> [sssd]
> config_file_version = 2
> debug_level = 10
> reconnection_retries = 3
> sbus_timeout = 30
> services = nss, pam
> domains = LOCAL,LDAP
>
> [nss]
> filter_groups = root
> filter_users = root
> reconnection_retries = 3
>
> [pam]
> reconnection_retries = 3
>
> [domain/LOCAL]
> description = LOCAL Users domain
> id_provider = local
> enumerate = true
> min_id = 500
> max_id = 999
>
> [domain/LDAP]
> id_provider = ldap
> auth_provider = ldap
> ldap_schema = rfc2307
> ldap_uri = ldap://ldap.example.com
> ldap_search_base = dc=example,dc=com
> ldap_default_bind_dn = cn=proxyagent,ou=special_users,dc=example,dc=com
> ldap_default_authtok_type = password
> ldap_default_authtok = mypassword
> ldap_user_search_base = ou=people,dc=example,dc=com
> ldap_group_search_base = ou=group,dc=example,dc=com
> ldap_tls_reqcert = never
> cache_credentials = true
> enumerate = true
>
> /etc/pam.d/gdm
>
> auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
> auth required pam_succeed_if.so user != root quiet
> auth required pam_env.so
> auth substack system-auth
> auth optional pam_gnome_keyring.so
> account required pam_nologin.so
> account include system-auth
> password include system-auth
> session required pam_selinux.so close
> session required pam_loginuid.so
> session optional pam_console.so
> session required pam_selinux.so open
> session optional pam_keyinit.so force revoke
> session required pam_namespace.so
> session optional pam_gnome_keyring.so auto_start
> session include system-auth
>
> /etc/pam.d/gdm-password
>
> auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
> auth substack password-auth
> auth required pam_succeed_if.so user != root quiet
> auth optional pam_gnome_keyring.so
>
> account required pam_nologin.so
> account include password-auth
>
> password include password-auth
>
> session required pam_selinux.so close
> session required pam_loginuid.so
> session optional pam_console.so
> session required pam_selinux.so open
> session optional pam_keyinit.so force revoke
> session required pam_namespace.so
> session optional pam_gnome_keyring.so auto_start
> session include password-auth
>
>
Check out your /etc/pam.d/password-auth and compare it to
/etc/pam.d/system-auth.
Most services rely on system-auth (which is why everything but GDM is
working) but GDM's multiple authentication stack approach requires that
password-auth also be updated to use pam_sss.so.
Alternately, you could run the authconfig-gtk UI and set up LDAP there
(which will handle all of the PAM setup) and then manually edit
sssd.conf to make the tweaks you want.
- --
Stephen Gallagher
RHCE 804006346421761
Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkzahjoACgkQeiVVYja6o6M0QQCeLqHvlEykBpe1rDyyvPtvzcR/
jFoAmwRMEzm9WsPW9f59lO0rxbIjQER9
=l38W
-----END PGP SIGNATURE-----
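The comparison Stephen suggests, as an added example script that is not part of the original thread: it reports which PAM stack files under a directory have no pam_sss.so line, which is exactly the gap that makes gdm-password (a "substack password-auth" stack) fail while system-auth users keep working. The script only writes into a temporary directory; on a real Fedora 14 host the single call needed is `missing_pam_sss /etc/pam.d system-auth password-auth`. The module lines and their ordering in `write_sssd_stack` are my assumption about what authconfig generates for sssd, not something quoted in the thread, so compare them against a freshly generated file before copying them anywhere.

```shell
#!/bin/sh
# Added example (not from the original thread): find PAM stack files that do
# not reference pam_sss.so. GDM's gdm-password stack uses "substack
# password-auth", so password-auth needs pam_sss.so just as system-auth does.

# missing_pam_sss DIR FILE...
# Prints, one per line, the names of FILEs under DIR that contain no
# non-comment pam_sss.so line. A file that does not exist counts as missing.
missing_pam_sss() {
    dir=$1
    shift
    for f in "$@"; do
        if ! grep -v '^[[:space:]]*#' "$dir/$f" 2>/dev/null | grep -q 'pam_sss\.so'; then
            echo "$f"
        fi
    done
}

# write_sssd_stack FILE
# Writes a complete PAM stack with pam_sss.so in every section. The layout
# is an ASSUMPTION about what authconfig produces for sssd on Fedora 14;
# diff it against a freshly generated system-auth before relying on it.
write_sssd_stack() {
    cat > "$1" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_sss.so
EOF
}

# write_local_only_stack FILE
# Writes a constructed stack that only knows local accounts (no pam_sss.so):
# the state the thread describes for password-auth.
write_local_only_stack() {
    cat > "$1" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     required      pam_unix.so
EOF
}

# Demonstration on a constructed copy of /etc/pam.d; real files are untouched.
demo_dir=$(mktemp -d)
write_sssd_stack "$demo_dir/system-auth"
write_local_only_stack "$demo_dir/password-auth"
echo "stacks without pam_sss.so: $(missing_pam_sss "$demo_dir" system-auth password-auth)"
write_sssd_stack "$demo_dir/password-auth"
echo "after the fix: '$(missing_pam_sss "$demo_dir" system-auth password-auth)'"
rm -rf "$demo_dir"
```

Run as-is it prints `password-auth` first and an empty string after the fix. The check deliberately ignores commented-out lines, since a `#auth sufficient pam_sss.so` left behind by hand editing is the usual reason a stack looks right in an editor but still fails at the login screen.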