Redhat Enterprise Linux 6.3 Problem with SSSD LDAP Authentication
Respected Sir
I have an OpenLDAP server on RHEL 6.3
base dn = dc=njgroup,dc=in
user group = ou=employee,dc=njgroup,dc=in (testing with one of the users, user name "niraj", a member of the employee group)
server group = cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
I want only the members of cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in to be able to log in from my remote LDAP client.
I have successfully joined one remote machine as an LDAP client to OpenLDAP with the sssd daemon.
From the remote machine, the search output for cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in is as below:
[root@localhost ~]# ldapsearch -x -b cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
# extended LDIF
#
# LDAPv3
# base <cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# nj2, servers, groups, njgroup.in
dn: cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
cn: nj2
gidNumber: 517
objectClass: posixGroup
memberUid: pratik2
memberUid: rajesh1
memberUid: niraj1
memberUid: ankit5
memberUid: munin
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
I have set up my file /etc/pam_ldap.conf as below:
base dc=njgroup,dc=in
uri ldap://myldapserverip/
pam_login_attribute uid
pam_groupdn cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
pam_member_attribute memberUid
Problem: if I remove the following value, pam_groupdn cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in, from my /etc/pam_ldap.conf,
all employee group users were able to log in from the remote LDAP client.
But I want only the nj2 server memberUids to be able to log in.
But when I add the following line to my /etc/pam_ldap.conf:
pam_groupdn cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
none of the users were able to log in via ssh.
My /etc/sssd/sssd.conf configuration is as below:
[domain/default]
ldap_id_use_start_tls = False
cache_credentials = False
ldap_search_base = dc=njgroup,dc=in
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
ldap_schema = rfc2307
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://192.168.3.64
access_provider = ldap
ldap_group_search_base = ou=servers,dc=groups,dc=njgroup,dc=in
ldap_group_member = memberUid
debug_level = 6
ldap_access_filter = memberOf=cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
ldap_access_order = filter, host, authorized_service
ldap_tls_cacertdir = /etc/openldap/cacerts
My /etc/pam.d/sshd is as below:
#%PAM-1.0
auth sufficient /lib64/security/pam_ldap.so
auth required pam_sepermit.so
auth include password-auth
account sufficient /lib64/security/pam_ldap.so
account required pam_nologin.so
account include password-auth
password sufficient /lib64/security/pam_ldap.so
password include password-auth
# pam_selinux.so close should be the first session rule
session sufficient /lib64/security/pam_ldap.so
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
My /etc/nsswitch.conf is as below:
passwd: files sss
shadow: files sss
group: files sss
So what is the issue in my configuration?
Please reply ASAP.
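Added example (not the poster's code, and not part of the original thread): an offline emulation of the two SSSD access decisions involved here, run against the ldapsearch output from the post plus a few constructed user entries. It parses the LDIF and evaluates (a) a group-membership check on the posixGroup's memberUid list, which is what SSSD's access_provider = simple with simple_allow_groups does for an rfc2307 schema, and (b) an ldap_access_filter style check, which SSSD evaluates against the user's own entry, so a memberOf= filter only matches if the user entry actually carries a memberOf attribute (the rfc2307 posixGroup model in the post's ldapsearch output does not give users one; that needs a server-side memberOf overlay). The user entries, their uidNumber/gidNumber values and the memberOf value on rajesh1 are assumptions constructed for the demonstration.

```python
"""Offline emulation of SSSD-style LDAP access checks (added example, not the poster's code)."""
from typing import Dict, List, Optional

Entry = Dict[str, List[str]]

NJ2_DN = "cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in"

# Constructed sample: the group entry exactly as shown by the post's ldapsearch,
# plus hypothetical user entries. rajesh1 is given a memberOf attribute to show
# what a memberOf overlay would have to provide for ldap_access_filter to match.
SAMPLE_LDIF = """\
# nj2, servers, groups, njgroup.in
dn: cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
cn: nj2
gidNumber: 517
objectClass: posixGroup
memberUid: pratik2
memberUid: rajesh1
memberUid: niraj1
memberUid: ankit5
memberUid: munin

dn: uid=niraj,ou=employee,dc=njgroup,dc=in
uid: niraj
objectClass: posixAccount
uidNumber: 1001
gidNumber: 500

dn: uid=niraj1,ou=employee,dc=njgroup,dc=in
uid: niraj1
objectClass: posixAccount
uidNumber: 1002
gidNumber: 500

dn: uid=rajesh1,ou=employee,dc=njgroup,dc=in
uid: rajesh1
objectClass: posixAccount
uidNumber: 1003
gidNumber: 500
memberOf: cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text: str) -> List[Entry]:
    """Parse plain LDIF as printed by ldapsearch. Attribute names are lower-cased,
    '#' comment lines are skipped, blank lines separate entries and a line starting
    with a space continues the previous value (LDIF line folding)."""
    entries: List[Entry] = []
    current: Entry = {}
    last_key: Optional[str] = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.strip() == "":
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith(" ") and last_key is not None:
            current[last_key][-1] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        key = key.strip().lower()
        current.setdefault(key, []).append(value.strip())
        last_key = key
    if current:
        entries.append(current)
    # The "search: 2 / result: 0 Success" trailer has no dn and is not an entry.
    return [e for e in entries if "dn" in e]


def find_entry(entries: List[Entry], dn: str) -> Optional[Entry]:
    """Return the entry whose dn matches (case-insensitively), or None."""
    return next((e for e in entries if e["dn"][0].lower() == dn.lower()), None)


def user_by_uid(entries: List[Entry], uid: str) -> Optional[Entry]:
    """Return the entry whose uid attribute equals the given login name, or None."""
    return next((e for e in entries if uid in e.get("uid", [])), None)


def allowed_by_group(entries: List[Entry], uid: str, group_dn: str) -> bool:
    """Emulates access_provider = simple with simple_allow_groups for an rfc2307
    posixGroup: allowed only if the login name is listed as a memberUid."""
    group = find_entry(entries, group_dn)
    if group is None:
        return False
    classes = {c.lower() for c in group.get("objectclass", [])}
    if "posixgroup" not in classes:
        return False
    return uid in group.get("memberuid", [])


def allowed_by_filter(entries: List[Entry], uid: str, attr: str, value: str) -> bool:
    """Emulates ldap_access_filter = attr=value: the filter is evaluated against
    the USER's own entry, so it only matches if that entry carries the attribute."""
    user = user_by_uid(entries, uid)
    if user is None:
        return False
    return any(v.lower() == value.lower() for v in user.get(attr.lower(), []))


ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for name in ("niraj", "niraj1", "rajesh1"):
        print(f"{name:8} memberUid check: {allowed_by_group(ENTRIES, name, NJ2_DN)!s:5} "
              f"memberOf filter: {allowed_by_filter(ENTRIES, name, 'memberOf', NJ2_DN)}")
```

Running it shows that "niraj" (the login name the post says is being tested) is not on the memberUid list at all, only "niraj1" is, and that a memberOf= filter against the user entry returns False for niraj1 because nothing in the rfc2307 data places a memberOf attribute on the user; it only matches the constructed rajesh1 entry that carries one.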