Redhat Enterprise Linux 6.3 Problem with SSSD LDAP Authentication

Respected Sir

I have an openldap server on RHEL6.3

base dn = dc=njgroup,dc=in

user group = ou=employee,dc=njgroup,dc=in (testing with one of the users, "niraj", a member of the employee group)

server group = cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in

I want only members of cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in to be able to log in from my remote ldap client

I have successfully joined one remote machine as an ldap client to openldap with the sssd daemon

From the remote machine, the search command output for cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in is as below

[root@localhost ~]# ldapsearch -x -b cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
# extended LDIF
#
# LDAPv3
# base <cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# nj2, servers, groups, njgroup.in
dn: cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
cn: nj2
gidNumber: 517
objectClass: posixGroup
memberUid: pratik2
memberUid: rajesh1
memberUid: niraj1
memberUid: ankit5
memberUid: munin

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
I have set up my file /etc/pam_ldap.conf as below

base dc=njgroup,dc=in
uri ldap://myldapserverip/
pam_login_attribute uid
pam_groupdn cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
pam_member_attribute memberUid

Problem: if I remove the following value pam_groupdn cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in from my /etc/pam_ldap.conf

all employee group users are able to log in from the remote ldap client

But I want only the nj2 server memberUids to be able to log in

But when I add the following line to my /etc/pam_ldap.conf

pam_groupdn cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in

none of the users are able to log in via ssh

My /etc/sssd/sssd.conf configuration is as below

[domain/default]

ldap_id_use_start_tls = False
cache_credentials = False
ldap_search_base = dc=njgroup,dc=in
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
ldap_schema = rfc2307
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://192.168.3.64
access_provider = ldap
ldap_group_search_base = ou=servers,dc=groups,dc=njgroup,dc=in
ldap_group_member = memberUid
debug_level = 6
ldap_access_filter = memberOf=cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
ldap_access_order = filter, host, authorized_service
ldap_tls_cacertdir = /etc/openldap/cacerts

My /etc/pam.d/sshd is as below

#%PAM-1.0
auth       sufficient   /lib64/security/pam_ldap.so
auth       required     pam_sepermit.so
auth       include      password-auth
account    sufficient   /lib64/security/pam_ldap.so
account    required     pam_nologin.so
account    include      password-auth
password   sufficient   /lib64/security/pam_ldap.so
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    sufficient   /lib64/security/pam_ldap.so
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

My /etc/nsswitch.conf is as below

passwd:     files sss
shadow:     files sss
group:      files sss

So what is the issue in my configuration?

Please reply ASAP.
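The sssd ldap access provider evaluates ldap_access_filter against the user's own LDAP entry, so a memberOf=... filter can only grant access when that attribute is actually present on the user object (which a plain rfc2307 posixGroup with memberUid values does not provide by itself). The following Python script is an added example, not part of the original post: it parses a constructed LDIF snippet (the nj2 group from above plus a hypothetical niraj1 user entry that carries no memberOf attribute) and shows how the two checks differ.

```python
import re

# Constructed sample LDIF: the nj2 group as shown in the post, plus a hypothetical
# posixAccount entry for niraj1 (not on the original page) with no memberOf
# attribute, the normal case when the OpenLDAP memberof overlay is not loaded.
SAMPLE_LDIF = """\
dn: cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
cn: nj2
gidNumber: 517
objectClass: posixGroup
memberUid: pratik2
memberUid: niraj1

dn: uid=niraj1,ou=employee,dc=njgroup,dc=in
uid: niraj1
objectClass: posixAccount
uidNumber: 1001
gidNumber: 517
"""

def parse_ldif(text):
    """Parse simple LDIF (no continuation lines, no base64) into {dn: {attr: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            current = None  # blank or comment line separates entries
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def filter_matches(entry, ldap_filter):
    """Evaluate one equality filter 'attr=value' (parentheses optional) against one entry."""
    m = re.fullmatch(r"\(?\s*([A-Za-z][\w;-]*)=(.+?)\s*\)?", ldap_filter)
    attr, value = m.group(1).lower(), m.group(2)
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def access_filter_allows(entries, user_dn, ldap_filter):
    """Mirror the ldap access provider: the filter must match the user's own entry."""
    return filter_matches(entries[user_dn], ldap_filter)

def group_allows(entries, group_dn, uid):
    """Membership check via the group's memberUid values (rfc2307 posixGroup)."""
    return filter_matches(entries[group_dn], "memberUid=" + uid)
```

Running access_filter_allows with the memberOf filter from the sssd.conf above returns False for this user entry, while group_allows finds niraj1 in the group's memberUid list.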