Red Hat Enterprise Linux 6.3 Problem with SSSD LDAP Authentication

Respected Sir

I have an OpenLDAP server on RHEL 6.3.

base dn = dc=njgroup,dc=in

user group = ou=employee,dc=njgroup,dc=in (testing with one of the users, "niraj", a member of the employee group)

server group = cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in

I want only members of cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in to be able to log in from my remote LDAP client.

I have successfully joined one remote machine to OpenLDAP as an LDAP client with the sssd daemon.

From the remote machine, the output of the search command for cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in is as below:

[root@localhost ~]# ldapsearch -x -b cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
# extended LDIF
#
# LDAPv3
# base <cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# nj2, servers, groups, njgroup.in
dn: cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
cn: nj2
gidNumber: 517
objectClass: posixGroup
memberUid: pratik2
memberUid: rajesh1
memberUid: niraj1
memberUid: ankit5
memberUid: munin

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

I have set up my /etc/pam_ldap.conf file as below:

base dc=njgroup,dc=in
uri ldap://myldapserverip/
pam_login_attribute uid
pam_groupdn cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
pam_member_attribute memberUid

Problem: if I remove the following value, pam_groupdn cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in, from my /etc/pam_ldap.conf

all employee group users are able to log in from the remote LDAP client.

But I want only the nj2 server memberUids to be able to log in.

But when I add the following line to my /etc/pam_ldap.conf

pam_groupdn cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in

none of the users are able to log in via ssh.

My /etc/sssd/sssd.conf configuration is as below:

[domain/default]

ldap_id_use_start_tls = False
cache_credentials = False
ldap_search_base = dc=njgroup,dc=in
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
ldap_schema = rfc2307
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://192.168.3.64
access_provider = ldap
ldap_group_search_base = ou=servers,dc=groups,dc=njgroup,dc=in
ldap_group_member = memberUid
debug_level = 6
ldap_access_filter = memberOf=cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
ldap_access_order = filter, host, authorized_service
ldap_tls_cacertdir = /etc/openldap/cacerts

My /etc/pam.d/sshd is as below:

#%PAM-1.0
auth       sufficient   /lib64/security/pam_ldap.so
auth       required     pam_sepermit.so
auth       include      password-auth
account    sufficient   /lib64/security/pam_ldap.so
account    required     pam_nologin.so
account    include      password-auth
password   sufficient   /lib64/security/pam_ldap.so
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    sufficient   /lib64/security/pam_ldap.so
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

My /etc/nsswitch.conf is as below:

passwd:     files sss
shadow:     files sss
group:      files sss

So what is the issue in my configuration?

Please reply ASAP.

Responses

Hello,

If you are using sssd authentication, pam_sss will not check /etc/pam_ldap.conf.

The correct way to achieve this is to use the 'ldap_access_filter' option in the sssd.conf file.

-------------------

ldap_access_filter = memberOf=cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in

------------------

Save and exit. Restart the sssd service.

# service sssd restart

Hope this helps.

Regards,

Nirupama


The login is tested via ssh.

To make sssd work with LDAP for ssh login we have modified /etc/pam.d/sshd as above.

Is it correct?

The filter that is specified is not working: all the users of the employee group are able to log in through sshd to my nj2 server.

Hi Pratik,

Perhaps the following will work for you? My experience is that some of the cache is retained, so I have often deleted the cache.

/etc/init.d/sssd stop       # stop sssd service
\rm /var/lib/sss/db/*       # remove cached files
/etc/init.d/sssd start      # start sssd service
getent passwd --service=sss # make sure sssd is working

Hello,

Yup, as per Brian's comment above, please try clearing the sssd cache.

Refer :

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch29s05s02.html

Thank you,

Nirupama

Hi Nirupama,

I have never considered this until now, but is there any way to disable offline caching?  In my configuration we configure sssd to communicate with Active Directory.  What if the user is disabled in Active Directory  but the sssd loses connection to Active Directory?  Then the user can still login.

Any way to completely disable caching?  I'm just curious.


I have removed the cache and started the sssd service successfully, but still the user cannot log in.

The log /var/log/sssd/sssd_default.log shows the following error message:

(Mon May  6 23:20:32 2013) [sssd[be[default]]] [sysdb_search_users] (0x0400): Search users with filter: (&(objectclass=user)(&(!(dataExpireTimestamp=0))(dataExpireTimestamp<=1367862632)(!(lastLogin=*))))
(Mon May  6 23:20:32 2013) [sssd[be[default]]] [sysdb_search_users] (0x0400): No such entry
(Mon May  6 23:20:32 2013) [sssd[be[default]]] [sysdb_search_groups] (0x0400): Search groups with filter: (&(objectclass=group)(&(!(dataExpireTimestamp=0))(dataExpireTimestamp<=1367862632)))
(Mon May  6 23:20:32 2013) [sssd[be[default]]] [sysdb_search_groups] (0x0400): No such entry
(Mon May  6 23:20:32 2013) [sssd[be[default]]] [ldap_id_cleanup_set_timer] (0x0400): Scheduling next cleanup at 1367873432.656350
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=niraj1]
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server '192.168.3.64' as 'resolving name'
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server '192.168.3.64' as 'name resolved'
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [be_resolve_server_done] (0x0200): Found address for server 192.168.3.64: [192.168.3.64] TTL 7200
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [sdap_uri_callback] (0x0400): Constructed uri 'ldap://192.168.3.64'
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [get_naming_context] (0x0200): Using value from [namingContexts] as naming context.
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [sdap_set_search_base] (0x0100): Setting option [ldap_sudo_search_base] to [dc=njgroup,dc=in].
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [common_parse_search_base] (0x0100): Search base added: [SUDO][dc=njgroup,dc=in][SUBTREE][]
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [sdap_get_server_opts_from_rootdse] (0x0200): No known USN scheme is supported by this server!
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [sdap_get_server_opts_from_rootdse] (0x0200): Will use modification timestamp as usn!
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [simple_bind_send] (0x0100): Executing simple bind as: (null)
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [simple_bind_done] (0x0200): Server returned no controls.
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [simple_bind_done] (0x0080): Bind result: Success(0), no errmsg set
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [fo_set_port_status] (0x0100): Marking port 389 of server '192.168.3.64' as 'working'
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server '192.168.3.64' as 'working'
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [sdap_get_users_next_base] (0x0400): Searching for users with base [dc=njgroup,dc=in]
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=niraj1)(objectclass=posixAccount))][dc=njgroup,dc=in].
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [sdap_get_users_process] (0x0400): Search for users, returned 1 results.
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user niraj1
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [sysdb_search_user_by_name] (0x0400): No such entry
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [sysdb_search_user_by_uid] (0x0400): No such entry
(Mon May  6 23:20:35 2013) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [be_get_account_info] (0x0100): Got request for [3][1][name=niraj1]
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [sdap_get_initgr_next_base] (0x0400): Searching for users with base [dc=njgroup,dc=in]
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=niraj1)(objectclass=posixAccount))][dc=njgroup,dc=in].
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [sdap_save_user] (0x0400): Storing info for user niraj1
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [sdap_initgr_rfc2307_next_base] (0x0400): Searching for groups with base [ou=servers,dc=groups,dc=njgroup,dc=in]
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberUid=niraj1)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][ou=servers,dc=groups,dc=njgroup,dc=in].
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x0400): Search result: No such object(32), no errmsg set
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): domain: default
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): user: niraj1
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): service: sshd
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): tty: ssh
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): ruser:
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): rhost: 192.168.1.40
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): authtok type: 1
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): authtok size: 9
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): newauthtok size: 0
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): priv: 1
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): cli_pid: 1813
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [be_resolve_server_done] (0x0200): Found address for server 192.168.3.64: [192.168.3.64] TTL 7200
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [fo_set_port_status] (0x0100): Marking port 389 of server '192.168.3.64' as 'working'
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server '192.168.3.64' as 'working'
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [simple_bind_send] (0x0100): Executing simple bind as: uid=niraj1,ou=employee,dc=njgroup,dc=in
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [simple_bind_done] (0x0200): Server returned no controls.
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [simple_bind_done] (0x0080): Bind result: Success(0), no errmsg set
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sending result [0][default]
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sent result [0][default]
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): domain: default
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): user: niraj1
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): service: sshd
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): tty: ssh
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): ruser:
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): rhost: 192.168.1.40
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): authtok type: 0
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): authtok size: 0
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): newauthtok size: 0
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): priv: 1
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): cli_pid: 1813
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [sdap_access_send] (0x0400): Performing access check for user [niraj1]
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [niraj1]
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [sdap_access_filter_send] (0x0400): Checking filter against LDAP
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=niraj1)(objectclass=posixAccount)(memberOf=cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in))][uid=niraj1,ou=employee,dc=njgroup,dc=in].
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [sdap_access_filter_get_access_done] (0x0100): User [niraj1] was not found with the specified filter. Denying access.
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [sdap_access_filter_get_access_done] (0x0400): Access denied by online lookup
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success]
(Mon May  6 23:20:41 2013) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sending result [6][default]
(Mon May  6 23:20:41 2013) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sent result [6][default]

It shows that niraj1 is not found with the specified filter, but if I run an LDAP query on the same server, the niraj1 user is present as a memberUid in the nj2 server group.

Output as below:


[root@localhost db]# ldapsearch -x -b "cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in"
# extended LDIF
#
# LDAPv3
# base <cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# nj2, servers, groups, njgroup.in
dn: cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
cn: nj2
gidNumber: 517
objectClass: posixGroup
memberUid: pratik2
memberUid: rajesh1
memberUid: niraj1
memberUid: ankit5
memberUid: munin

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
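As an added example (not code from this thread or from SSSD), the script below triages a backend log like the one posted: it pairs each ldap_search_ext call with its result code, records which PAM commands reached the backend, and pulls out the access-filter verdict. The sample lines are copied from the sssd_default.log above; the function names it matches are the ones that appear in that log. Two findings it surfaces on this data are worth acting on. The initgroups search against the posted ldap_group_search_base, ou=servers,dc=groups,dc=njgroup,dc=in, returns 'No such object(32)': every group DN on this page lives under ou=groups, so that base does not exist and the client resolves no posixGroup memberships at all. And the posted /etc/pam.d/sshd stacks `account sufficient pam_ldap.so` ahead of `account include password-auth` (which, assuming it was generated by authconfig with sssd enabled, is where the pam_sss account line lives); when pam_ldap's account check passes, PAM stops at the sufficient line and SSSD never receives a PAM_ACCT_MGMT for that login, so ldap_access_filter is never evaluated. That matches the 'filter not working, every employee can log in' symptom, and the script flags a login window in which no PAM_ACCT_MGMT reached the backend for that reason.

```python
"""Triage of an SSSD backend log; added example, not code from the thread or from SSSD."""
import re

# Constructed sample: lines copied from the thread's /var/log/sssd/sssd_default.log (debug_level = 6).
SAMPLE_LOG = """\
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberUid=niraj1)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][ou=servers,dc=groups,dc=njgroup,dc=in].
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x0400): Search result: No such object(32), no errmsg set
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [simple_bind_done] (0x0080): Bind result: Success(0), no errmsg set
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [pam_print_data] (0x0100): command: PAM_ACCT_MGMT
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=niraj1)(objectclass=posixAccount)(memberOf=cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in))][uid=niraj1,ou=employee,dc=njgroup,dc=in].
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
(Mon May  6 23:20:40 2013) [sssd[be[default]]] [sdap_access_filter_get_access_done] (0x0100): User [niraj1] was not found with the specified filter. Denying access.
"""

# One log line: (timestamp) [sssd[be[domain]]] [function] (debug level): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]*)\]\]\] "
                     r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-f]+)\): (?P<msg>.*)$")
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.*)\]\[(?P<base>.*)\]\.$")
RESULT_RE = re.compile(r"Search result: (?P<status>.*?)\((?P<code>\d+)\)")
NO_ACCT_MGMT = "no PAM_ACCT_MGMT reached SSSD: the account phase was decided before pam_sss ran"


def parse_sssd_log(text):
    """Return (kind, data) events: ('search', {filter, base, code, status}),
    ('pam', command) and ('access', message), in log order."""
    events, pending = [], None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        func, msg = m.group("func"), m.group("msg")
        if func == "sdap_get_generic_ext_step":
            s = SEARCH_RE.search(msg)
            if s:
                pending = {"filter": s.group("filter"), "base": s.group("base")}
        elif func == "sdap_get_generic_ext_done" and pending is not None:
            r = RESULT_RE.search(msg)       # pair the result code with the search just issued
            if r:
                pending.update(code=int(r.group("code")), status=r.group("status").strip())
                events.append(("search", pending))
            pending = None
        elif func == "pam_print_data" and msg.startswith("command: "):
            events.append(("pam", msg[len("command: "):]))
        elif func == "sdap_access_filter_get_access_done":
            events.append(("access", msg))
    return events


def findings(events):
    """The checks to answer first: missing search bases, access-filter denials,
    and whether the account phase reached SSSD at all."""
    out = []
    for kind, data in events:
        if kind == "search" and data["code"] == 32:
            out.append("search base does not exist (noSuchObject): %s" % data["base"])
        elif kind == "access" and "Denying access" in data:
            out.append("access filter denied: %s" % data)
    if ("pam", "PAM_ACCT_MGMT") not in events:
        out.append(NO_ACCT_MGMT)
    return out


if __name__ == "__main__":
    for finding in findings(parse_sssd_log(SAMPLE_LOG)):
        print(finding)
```

Feed parse_sssd_log the slice of /var/log/sssd/sssd_<domain>.log that covers one login attempt; the PAM_ACCT_MGMT check is only meaningful on a window that contains the whole attempt.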
 

I believe if you add the following to /etc/sssd/sssd.conf

[domain/default]

cache_credentials = True

That would take care of the caching (unless you are still using nscd), in which case you also need (in /etc/nscd.conf)

enable-cache        passwd        no

enable-cache        group        no

I am NOT proficient at SSSD (mostly because there seems to be so many components involved).

I would review:

/etc/nsswitch.conf (make sure you are using sss or compat referencing sss)

/etc/sysconfig/authconfig

/etc/pam.d/password-auth-ac

/etc/pam.d/system-auth-ac

/etc/openldap/cacerts (or /etc/openldap/certs)

If you search this doc (https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html) for sssd.conf, you will find a reference to configuring your host for IPA.  I believe the example applies to LDAP.

Also - if you did not configure your host using authconfig, I would recommend looking at that.  For example:

# authconfig --enableshadow --enablemd5 --enableldap --enableldapauth --ldapserver=ldaps://192.168.0.2,ldaps://192.168.0.3 --ldapbasedn=dc=company,dc=com --enableforcelegacy --enablecachecreds --enablesssd --disablefingerprint --disablelocauthorize --enablemkhomedir --update

authconfig touches a bunch of files depending on which options you provide.  I am still trying to figure out exactly which files, myself ;-)

Hello,

It seems that pam_access_filter does not work with the 'memberUid' attribute. The filter is used to search the user's entry as the base DN with scope=base, so it is very unlikely that the filter will check a memberUID value to match the user's entry.

You need to add the "memberOf" attribute to the user entry in LDAP.

Hope this helps.

Regards,

Nirupama

Hi Nirupama,

Yes, I should have noticed that, apologies. We are using Active Directory, but we have to add each user to the group in AD in addition to the POSIX attributes.

Hello Bryan,

If you are using Windows AD the pam_access_filter should work for you. Please refer to

https://access.redhat.com/site/solutions/65455

Hope this helps.

Regards,

Nirupama

I am not using Windows AD; we are using an OpenLDAP server.

And if I specify the ldap_access_filter in /etc/sssd/sssd.conf the user cannot be found with that filter, but as in my post above the user is present in the group "nj2".

Please reply ASAP.

Hello Pratik,

As you are using OpenLDAP, use 'objectClass: groupOfNames' in the user's entry in OpenLDAP; this will allow you to add the "memberOf=cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in" attribute to the user's entry in LDAP.

As I mentioned previously, the pam_access_filter does not work with the 'memberUid' attribute. The filter is used to search the user's entry as the base DN with scope=base, so it is very unlikely that the filter will check a memberUID value to match the user's entry.

Hope this helps,

Best Regards,

Nirupama
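To make the mechanism Nirupama describes concrete, here is an added example (not code from this thread, from SSSD or from OpenLDAP) that models the two LDAP searches the posted log shows. The in-memory directory is constructed from the entries visible in the thread; niraj1's uidNumber, gidNumber and homeDirectory are assumed values, since the thread never shows the user entry. `access_filter_allows` reproduces the access check: a base-scope search on the user's own DN with ldap_access_filter ANDed onto the user filter, which is why a memberUid held on the group entry can never satisfy it and why a memberOf value on the user entry does. `posix_groups_of` reproduces the rfc2307 initgroups search under ldap_group_search_base. Two points a practitioner should take from running it: the posted sssd.conf sets ldap_group_search_base = ou=servers,dc=groups,dc=njgroup,dc=in while every group DN on this page sits under ou=groups, which is the 'No such object(32)' in the log and means the client never resolves posixGroup memberships; and a memberOf value written by hand onto the user entry is not tied to the group's memberUid list, so the two can drift and the access decision stops reflecting group membership. Where groups stay posixGroup/memberUid, SSSD's simple access provider (access_provider = simple with simple_allow_groups = nj2, per the sssd-simple man page) decides through the group lookup instead, and therefore needs that search base to be correct.

```python
"""Model of SSSD's ldap_access_filter evaluation; added example, not code from the thread."""
import copy

USER_DN = "uid=niraj1,ou=employee,dc=njgroup,dc=in"
GROUP_DN = "cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in"
GROUP_BASE_OK = "ou=servers,ou=groups,dc=njgroup,dc=in"    # where the thread's group DNs live
GROUP_BASE_TYPO = "ou=servers,dc=groups,dc=njgroup,dc=in"  # ldap_group_search_base as posted

# Constructed directory, DN -> {attribute: [values]}, from the entries shown in the thread.
# uidNumber, gidNumber and homeDirectory of niraj1 are assumed; the thread does not show them.
DIRECTORY = {
    USER_DN: {"objectClass": ["posixAccount", "inetOrgPerson"], "uid": ["niraj1"], "cn": ["niraj1"],
              "sn": ["niraj1"], "uidNumber": ["1001"], "gidNumber": ["100"],
              "homeDirectory": ["/home/niraj1"]},
    GROUP_BASE_OK: {"objectClass": ["organizationalUnit"], "ou": ["servers"]},
    GROUP_DN: {"objectClass": ["posixGroup"], "cn": ["nj2"], "gidNumber": ["517"],
               "memberUid": ["pratik2", "rajesh1", "niraj1", "ankit5", "munin"]},
}

def norm(value):
    """Comparison form: case-insensitive, spaces around DN commas ignored."""
    return ",".join(part.strip() for part in value.split(",")).lower()

def parse_filter(text):
    """Parse the RFC 4515 subset used here: (&..), (|..), (!..), (attr=value), (attr=*)."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("bad filter at offset %d" % i)
        i += 1
        if text[i] in "&|":
            op, i, subs = text[i], i + 1, []
            while text[i] == "(":
                node, i = parse(i)
                subs.append(node)
        elif text[i] == "!":
            node, i = parse(i + 1)
            op, subs = "!", [node]
        else:
            j = text.index(")", i)
            attr, _, val = text[i:j].partition("=")   # value may itself be a DN with '='
            return ("=", attr, val), j + 1
        assert text[i] == ")", "expected ')'"
        return (op, subs), i + 1
    return parse(0)[0]

def matches(entry, node):
    """Evaluate a parsed filter against one entry (attribute names are case-insensitive)."""
    if node[0] == "&":
        return all(matches(entry, n) for n in node[1])
    if node[0] == "|":
        return any(matches(entry, n) for n in node[1])
    if node[0] == "!":
        return not matches(entry, node[1][0])
    _, attr, val = node
    values = [v for a, vs in entry.items() if a.lower() == attr.lower() for v in vs]
    return bool(values) if val == "*" else any(norm(v) == norm(val) for v in values)

def search(directory, base, scope, filter_text):
    """Minimal search, scope 'base' or 'sub'; a missing base DN raises LookupError (noSuchObject, 32)."""
    if norm(base) not in {norm(dn) for dn in directory}:
        raise LookupError("noSuchObject(32): %s" % base)
    node = parse_filter(filter_text)
    hits = []
    for dn, entry in directory.items():
        in_scope = norm(dn) == norm(base) or (scope == "sub" and norm(dn).endswith("," + norm(base)))
        if in_scope and matches(entry, node):
            hits.append(dn)
    return hits

def access_filter_allows(directory, user_dn, uid, access_filter):
    """access_provider = ldap: base-scope search on the user's own entry with the access filter
    ANDed in (the sdap_access_filter_send lines in the log). Group entries are never read."""
    filt = "(&(uid=%s)(objectclass=posixAccount)%s)" % (uid, access_filter)
    return bool(search(directory, user_dn, "base", filt))

def posix_groups_of(directory, group_base, uid):
    """The rfc2307 initgroups search under ldap_group_search_base, where memberUid is matched."""
    filt = "(&(memberUid=%s)(objectclass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))" % uid
    return search(directory, group_base, "sub", filt)

def demo():
    """Returns (denied_without_memberOf, allowed_with_memberOf, typo_base_exists, groups_found)."""
    access_filter = "(memberOf=%s)" % GROUP_DN
    denied_before = not access_filter_allows(DIRECTORY, USER_DN, "niraj1", access_filter)
    # The thread's fix: a memberOf value written onto the user entry. Nothing keeps it in
    # step with the group's memberUid list, so membership and access can drift apart.
    fixed = copy.deepcopy(DIRECTORY)
    fixed[USER_DN]["memberOf"] = [GROUP_DN]
    allowed_after = access_filter_allows(fixed, USER_DN, "niraj1", access_filter)
    try:
        posix_groups_of(DIRECTORY, GROUP_BASE_TYPO, "niraj1")
        typo_base_exists = True
    except LookupError:            # the "No such object(32)" in the posted log
        typo_base_exists = False
    return denied_before, allowed_after, typo_base_exists, posix_groups_of(DIRECTORY, GROUP_BASE_OK, "niraj1")

if __name__ == "__main__":
    print(demo())
```

The posted domain also sets ldap_id_use_start_tls = False with a plain ldap:// URI, so the identity lookups modelled here cross the network unencrypted on port 389; use ldaps:// or ldap_id_use_start_tls = True with a CA in ldap_tls_cacertdir before relying on the directory for access decisions.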

 

I have added the objectClass groupOfNames on my OpenLDAP server and now it is working as per our need.

Thanks for your kind support.