Fedora 14: GDM, sssd and LDAP authentication

fedora fedora at ayni.com
Wed Nov 10 12:40:43 UTC 2010


The following sssd.conf, pam.d/gdm and pam.d/gdm-password work here 
on Fedora 13.
After quite a bit of debugging I found that for sssd you have to 
specify all search bases (ldap_search_base, ldap_user_search_base and 
ldap_group_search_base) in sssd.conf.
I have not been able to make sssd run with TLS. Be aware of what that 
means for the configuration below: it uses a plain ldap:// URI and sets 
ldap_tls_reqcert = never, which turns off verification of the LDAP 
server's certificate. Anyone who can impersonate the server on the 
network can then sit in the middle of the StartTLS sessions sssd opens 
and obtain the bind password and users' login passwords. Treat this as 
a debugging setup, not something to copy into production.

[root at myws ~]# cat /etc/sssd/sssd.conf
# NOTE(review): this listing shows no section headers at all. sssd needs a
# [sssd] section for the options directly below (services, domains, ...),
# filter_users/filter_groups normally live in [nss], and the LDAP options
# further down need a [domain/LDAP] header. They were most likely lost when
# the file was pasted into mail; confirm against the real file before
# copying anything from here.
config_file_version = 2
# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3
# if a backend is particularly slow you can raise this timeout here
sbus_timeout = 30
services = nss, pam
# domains = LOCAL,LDAP
# SSSD will not start if you don't configure any domain.
# Add new domain configurations as [domain/<NAME>] sections.
# Then add the list of domains (in the order you want them to be
# queried) in the 'domains' attribute above and uncomment it

domains = LDAP
# the following prevents sssd from searching for the root user/group in
# all domains (you can add here a comma separated list of system
# accounts that are always going to be /etc/passwd users, or that you
# want to filter out)
filter_groups = root
filter_users = root
# NOTE(review): reconnection_retries is set three times in this file (here,
# above and again below). Duplicate keys are usually the residue of merging
# the shipped example file; keep a single copy per section so it is clear
# which value is in effect.
reconnection_retries = 3

# The EntryCacheTimeout indicates the number of seconds to retain before
# an entry in cache is considered stale and must block to refresh.
# The EntryCacheNoWaitRefreshTimeout indicates the number of seconds to
# wait before updating the cache out-of-band. (NSS requests will still
# be returned from cache until the full EntryCacheTimeout). Setting this
# value to 0 turns this feature off (default)
# entry_cache_timeout = 600
# entry_cache_nowait_timeout = 300

# NOTE(review): third copy of reconnection_retries (see above).
reconnection_retries = 3

# Example LOCAL domain that stores all users natively in the SSSD internal
# directory. These local users and groups are not visible in /etc/passwd,
# which now contains only root and system accounts.
# [domain/LOCAL]
# description = LOCAL Users domain
# id_provider = local
# enumerate = true
# min_id = 500
# max_id = 999

# Example native LDAP domain
# NOTE(review): a [domain/LDAP] header should precede the options from here
# on (see the note at the top of the file). min_id is set to 50 here and to
# 500 again further down; the two values contradict each other.
min_id = 50
# SECURITY: 'never' disables verification of the LDAP server's certificate.
# Every StartTLS session sssd negotiates (for lookups, via
# ldap_id_use_start_tls below, and presumably the one it uses before sending
# a user's password during authentication) is then encrypted but not
# authenticated: anyone who can impersonate ldapadmin.mydomain.com on the
# network can read the bind password and users' login passwords. This is
# very likely why the setup "works" without TLS errors. Fix the CA
# configuration (ldap_tls_cacertdir below) and move to 'demand' before
# relying on it.
ldap_tls_reqcert = never
id_provider = ldap
auth_provider = ldap
# Plain ldap:// URI: confidentiality depends entirely on StartTLS being
# negotiated, and with ldap_tls_reqcert = never that TLS is unauthenticated.
# NOTE(review): a second, different ldap_uri (ldap.mydomain.com) appears
# further down; only one of them can be in effect - confirm which host is
# meant and remove the other.
ldap_uri = ldap://ldapadmin.mydomain.com/
# Author's note (see mail body): all three bases had to be given explicitly.
ldap_search_base = ou=pam-ldap,dc=mydomain,dc=com
ldap_user_search_base = ou=people,ou=pam-ldap,dc=mydomain,dc=com
ldap_group_search_base = ou=group,ou=pam-ldap,dc=mydomain,dc=com
# Service account used for directory lookups. Its password is stored in
# clear text on the next line, so this file must stay readable by root
# only (sssd should refuse to start otherwise - verify the mode is 0600).
ldap_default_bind_dn = cn=pam-ldap-checker,ou=pam-ldap,dc=mydomain,dc=com
ldap_default_authtok = ****
# This is the value that should end up in production (see SECURITY note
# above); it is only commented out because TLS could not be made to work.
# ldap_tls_reqcert = demand
#cache_credentials = true
# enumerate = true makes sssd download the complete user and group list
# from the directory (needed for 'getent passwd' to list LDAP users);
# it exposes the whole directory population to every local user and is
# expensive on large directories. cache_credentials is set again below.
enumerate = true

# Example LDAP domain where the LDAP server is an Active Directory server.

# [domain/AD]
# description = LDAP domain with AD server
# enumerate = false
# min_id = 1000
# id_provider = ldap
# auth_provider = ldap
# ldap_uri = ldap://your.ad.server.com
# ldap_schema = rfc2307bis
# ldap_user_search_base = cn=users,dc=example,dc=com
# ldap_group_search_base = cn=users,dc=example,dc=com
# ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
# ldap_default_authtok_type = password
# ldap_default_authtok = YOUR_PASSWORD
# ldap_user_object_class = person
# ldap_user_name = msSFU30Name
# ldap_user_uid_number = msSFU30UidNumber
# ldap_user_gid_number = msSFU30GidNumber
# ldap_user_home_directory = msSFU30HomeDirectory
# ldap_user_shell = msSFU30LoginShell
# ldap_user_principal = userPrincipalName
# ldap_group_object_class = group
# ldap_group_name = msSFU30Name
# ldap_group_gid_number = msSFU30GidNumber
# NOTE(review): the options from here to the end of the file either
# duplicate keys already set above (ldap_search_base, id_provider,
# auth_provider, ldap_default_bind_dn, ldap_default_authtok), contradict
# them (min_id, ldap_uri) or look like leftovers from the AD example
# (krb5_realm, krb5_kdcip - no krb5 provider is configured anywhere in this
# file). Which copy of a duplicated key wins depends on the parser; delete
# the duplicates rather than guess.
# StartTLS for identity lookups. Only gives real protection once
# ldap_tls_reqcert above is no longer 'never'.
ldap_id_use_start_tls = True
# Keeps a local copy of credentials so users can still log in when the
# LDAP server is unreachable.
cache_credentials = True
ldap_search_base = ou=pam-ldap,dc=mydomain,dc=com
krb5_realm = EXAMPLE.COM
# Password changes go to LDAP as well (pam_sss.so in the password stack).
chpass_provider = ldap
id_provider = ldap
auth_provider = ldap
ldap_default_bind_dn = cn=pam-ldap-checker,ou=pam-ldap,dc=mydomain,dc=com
debug_level = 0
min_id = 500
ldap_uri = ldap://ldap.mydomain.com
krb5_kdcip = kerberos.example.com
ldap_default_authtok = ****
# CA certificates used to verify the server certificate. Has no effect
# while ldap_tls_reqcert = never; this is the setting to get right so that
# 'demand' can be used.
ldap_tls_cacertdir = /etc/openldap/cacerts

[root at myws ~]#

[root at myws ~]# cat /etc/pam.d/gdm
# /etc/pam.d/gdm - GDM greeter stack. Password checking itself is delegated
# to system-auth (substack); the lines here add display-manager specific
# checks and session setup.
# success=done: a user this module accepts skips the rest of the auth stack
# entirely. Which SELinux users it accepts is configured in the module's
# own config, not in this file.
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
# NOTE(review): this is the line that normally refuses root at the login
# screen. With it commented out nothing visible in this stack rejects root,
# so root can log in graphically. Re-enable it unless that is intended.
#auth required pam_succeed_if.so user != root quiet
auth required pam_env.so
auth substack system-auth
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include system-auth
password include system-auth
# SELinux context handling brackets the session setup (close before,
# open after); loginuid sets the audit uid, pam_namespace sets up
# polyinstantiated directories, gnome keyring is unlocked with the
# login password.
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session optional pam_gnome_keyring.so auto_start
session include system-auth
[root at myws ~]#

[root at myws ~]# cat /etc/pam.d/gdm-password
# /etc/pam.d/gdm-password - the service GDM uses for the password prompt.
# Unlike pam.d/gdm above it delegates to password-auth rather than
# system-auth (both contain pam_sss.so, see the quoted files below).
# success=done: a user this module accepts skips the rest of the auth stack
# entirely. Which SELinux users it accepts is configured in the module's
# own config, not in this file.
auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth substack password-auth
# NOTE(review): this is the line that normally refuses root at the login
# screen. With it commented out nothing visible in this stack rejects root,
# so root can log in graphically. Re-enable it unless that is intended.
# It is also placed after the substack here, so even when enabled the
# password would already have been checked before root is refused.
#auth required pam_succeed_if.so user != root quiet
auth optional pam_gnome_keyring.so

account required pam_nologin.so
account include password-auth

password include password-auth

# SELinux context handling brackets the session setup (close before,
# open after); loginuid sets the audit uid, pam_namespace sets up
# polyinstantiated directories, gnome keyring is unlocked with the
# login password.
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session optional pam_gnome_keyring.so auto_start
session include password-auth
[root at myws ~]#


On 2010-11-10 13:15, Bernd Nies wrote:
> Hi Stephen,
> Thanks for your reply. I tried to configure it with
> system-config-authentication (the same as authconfig-gtk) before, but
> that tool did not generate usable output. I adjusted sssd.conf
> manually afterwards and got "getent passwd" and ssh login to work. The
> two PAM files you mentioned are shown below. Both include pam_sss.so in
> the authentication stack.
> Bye
> Bernd
> /etc/pam.d/password-auth
> # /etc/pam.d/password-auth (authconfig output with sssd enabled).
> # Local accounts are tried first via pam_unix; if that fails, the same
> # password is handed to sssd (use_first_pass) for accounts with uid >= 500.
> auth        required      pam_env.so
> # NOTE(review): nullok lets pam_unix accept a local account whose password
> # field is empty without asking for a password (pam_unix(8)). Drop it
> # unless such accounts are wanted on this host.
> auth        sufficient    pam_unix.so nullok try_first_pass
> # requisite: a uid below 500 (system account) is refused here and never
> # reaches pam_sss, so the directory cannot answer for system accounts.
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_sss.so use_first_pass
> auth        required      pam_deny.so
> # broken_shadow: errors reading the shadow entry do not fail the account
> # check.
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> # Accounts unknown to sssd are ignored (they are local); any other sssd
> # account failure (e.g. an expired or locked directory account) denies.
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
> password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> # NOTE(review): 'md5' selects MD5 hashes for newly set local passwords;
> # prefer sha512. The following "use_authtok" line is a mail wrap and
> # belongs at the end of this line.
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> # Password changes for directory users go to LDAP (chpass_provider).
> password    sufficient    pam_sss.so use_authtok
> password    required      pam_deny.so
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> # Leading '-': a missing pam_systemd.so is not logged as an error.
> -session     optional      pam_systemd.so
> # "crond quiet use_uid" on the following line is a mail wrap of this one.
> session     [success=1 default=ignore] pam_succeed_if.so service in
> crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_sss.so
> cat /etc/pam.d/system-auth
> # /etc/pam.d/system-auth - line for line identical to password-auth above
> # (pam.d/gdm substacks this file, pam.d/gdm-password the other).
> auth        required      pam_env.so
> # NOTE(review): nullok lets pam_unix accept a local account whose password
> # field is empty without asking for a password (pam_unix(8)).
> auth        sufficient    pam_unix.so nullok try_first_pass
> # requisite: uids below 500 never reach pam_sss.
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_sss.so use_first_pass
> auth        required      pam_deny.so
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> # Unknown to sssd -> ignore (local account); other sssd failures deny.
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
> account     required      pam_permit.so
> password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> # NOTE(review): 'md5' selects MD5 hashes for new local passwords; prefer
> # sha512. The following "use_authtok" line is a mail wrap of this one.
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password    sufficient    pam_sss.so use_authtok
> password    required      pam_deny.so
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> # Leading '-': a missing pam_systemd.so is not logged as an error.
> -session     optional      pam_systemd.so
> # "crond quiet use_uid" on the following line is a mail wrap of this one.
> session     [success=1 default=ignore] pam_succeed_if.so service in
> crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_sss.so
