Re: Fedora 14: GDM, sssd and LDAP authentication



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/10/2010 02:44 AM, Bernd Nies wrote:
Hi,

I'm trying to get the GDM login manager to work with sssd and LDAP
authentication. So far one can login with ssh, getent passwd shows all
LDAP users and su - also works. But GDM says "Authentication failure". I
searched Google for this but did not find anything useful, or only for
old Fedora releases or without the new fancy sssd. The kickstart
"authconfig" command or the GUI "system-config-authentication" did not
produce any config that worked. We are using Sun Directory Server.

I also noticed that there are a lot of places where to configure LDAP
client config: /etc/sssd/sssd.conf, /etc/openldap/ldap.conf,
/etc/sysconfig/autofs. The packages pam_ldap and nss_ldap are missing on
the Fedora 14 DVD. Also the autofs package is missing on the DVD.

How can one get the graphical login manager to work with LDAP
authentication via sssd?

My config:


/etc/nsswitch.conf

passwd: files sss
shadow: files sss
group: files sss


/etc/sssd/sssd.conf

[sssd]
config_file_version = 2
debug_level = 10
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = LOCAL,LDAP

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/LOCAL]
description = LOCAL Users domain
id_provider = local
enumerate = true
min_id = 500
max_id = 999

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = cn=proxyagent,ou=special_users,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = mypassword
ldap_user_search_base = ou=people,dc=example,dc=com
ldap_group_search_base = ou=group,dc=example,dc=com
ldap_tls_reqcert = never
cache_credentials = true
enumerate = true

/etc/pam.d/gdm

auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth required pam_succeed_if.so user != root quiet
auth required pam_env.so
auth substack system-auth
auth optional pam_gnome_keyring.so
account required pam_nologin.so
account include system-auth
password include system-auth
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session optional pam_gnome_keyring.so auto_start
session include system-auth

/etc/pam.d/gdm-password

auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth substack password-auth
auth required pam_succeed_if.so user != root quiet
auth optional pam_gnome_keyring.so

account required pam_nologin.so
account include password-auth

password include password-auth

session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
session required pam_selinux.so open
session optional pam_keyinit.so force revoke
session required pam_namespace.so
session optional pam_gnome_keyring.so auto_start
session include password-auth




Check out your /etc/pam.d/password-auth and compare it to
/etc/pam.d/system-auth.

Most services rely on system-auth (which is why everything but GDM is
working) but GDM's multiple authentication stack approach requires that
password-auth also be updated to use pam_sss.so.

Alternately, you could run the authconfig-gtk UI and set up LDAP there
(which will handle all of the PAM setup) and then manually edit
sssd.conf to make the tweaks you want.

- --
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkzahjoACgkQeiVVYja6o6M0QQCeLqHvlEykBpe1rDyyvPtvzcR/
jFoAmwRMEzm9WsPW9f59lO0rxbIjQER9
=l38W
-----END PGP SIGNATURE-----
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
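The check Stephen suggests, as an added example that is not part of the thread: compare the pam_sss.so coverage of system-auth and password-auth phase by phase, since gdm-password reaches PAM through "auth substack password-auth" while ssh and su go through system-auth. The two sample files are constructed here, modelled on the shape authconfig writes when sssd is enabled (ordering and options are illustrative, not copied from a Fedora 14 box); the function names missing_sss_phases and suggest_sss_lines are the example's own. Point the two paths at /etc/pam.d/system-auth and /etc/pam.d/password-auth to run it against a live system.

```shell
#!/bin/sh
# Added example (not from the thread): report which PAM phases of
# system-auth and password-auth lack a pam_sss.so entry, and print the
# lines that would need to be carried over into password-auth.

# Constructed sample in the shape authconfig writes for system-auth when
# sssd is enabled: every phase (auth/account/password/session) has a
# pam_sss.so line. Module ordering and options are illustrative.
SYSTEM_AUTH='auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_sss.so'

# Constructed "stale" password-auth: the same stack with no pam_sss.so at
# all, which leaves gdm-password (auth substack password-auth) unable to
# authenticate LDAP users while ssh and su keep working via system-auth.
PASSWORD_AUTH=$(printf '%s\n' "$SYSTEM_AUTH" | grep -v 'pam_sss\.so')

# Print the PAM phases in file $1 that contain no pam_sss.so entry
# (comments stripped; the control field may be a bracketed action list).
# Prints an empty line when every phase is covered.
missing_sss_phases() {
    file=$1
    out=""
    for phase in auth account password session; do
        if ! sed 's/#.*//' "$file" |
            awk -v p="$phase" '$1 == p && /pam_sss\.so/ { found = 1 } END { exit !found }'; then
            out="$out $phase"
        fi
    done
    printf '%s\n' "${out# }"
}

# Print the pam_sss.so lines from system-auth ($1) for each phase that
# password-auth ($2) lacks, i.e. the lines an admin would carry over.
suggest_sss_lines() {
    for phase in $(missing_sss_phases "$2"); do
        sed 's/#.*//' "$1" | awk -v p="$phase" '$1 == p && /pam_sss\.so/'
    done
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' "$SYSTEM_AUTH"   > "$tmp/system-auth"
printf '%s\n' "$PASSWORD_AUTH" > "$tmp/password-auth"

for f in system-auth password-auth; do
    m=$(missing_sss_phases "$tmp/$f")
    if [ -z "$m" ]; then
        echo "$f: pam_sss.so present in every phase"
    else
        echo "$f: pam_sss.so missing from: $m"
    fi
done
echo "lines to carry over into password-auth:"
suggest_sss_lines "$tmp/system-auth" "$tmp/password-auth"
```

On a real box the same result is reached by letting authconfig regenerate both files (it owns system-auth and password-auth, so a hand edit is lost the next time it runs). Separately, note that the posted domain sets ldap_tls_reqcert = never: sssd will still negotiate TLS before sending user passwords, but with certificate checking disabled that session does not protect against a spoofed LDAP server.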
