Red Hat Enterprise Linux 6.3 problem with SSSD LDAP authentication
Respected Sir
I have an OpenLDAP server on RHEL 6.3.
base dn = dc=njgroup,dc=in
user group = ou=employee,dc=njgroup,dc=in (testing with one user, "niraj", a member of the employee group)
server group = cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
I want only members of cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in to be able to log in from my remote LDAP client.
I have successfully joined one remote machine as an LDAP client to OpenLDAP with the sssd daemon.
From the remote machine, the output of the search for cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in is as below:
[root@localhost ~]# ldapsearch -x -b cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
# extended LDIF
#
# LDAPv3
# base <cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# nj2, servers, groups, njgroup.in
dn: cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
cn: nj2
gidNumber: 517
objectClass: posixGroup
memberUid: pratik2
memberUid: rajesh1
memberUid: niraj1
memberUid: ankit5
memberUid: munin
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
I have set up my file /etc/pam_ldap.conf as below:
base dc=njgroup,dc=in
uri ldap://myldapserverip/
pam_login_attribute uid
pam_groupdn cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
pam_member_attribute memberUid
Problem: if I remove the value pam_groupdn cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in from my /etc/pam_ldap.conf,
all employee group users are able to log in from the remote LDAP client.
But I want only the nj2 server memberUids to be able to log in.
But when I add the following line to my /etc/pam_ldap.conf:
pam_groupdn cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
none of the users are able to log in via SSH.
My /etc/sssd/sssd.conf configuration is as below:
[domain/default]
ldap_id_use_start_tls = False
cache_credentials = False
ldap_search_base = dc=njgroup,dc=in
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
ldap_schema = rfc2307
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://192.168.3.64
access_provider = ldap
ldap_group_search_base = ou=servers,dc=groups,dc=njgroup,dc=in
ldap_group_member = memberUid
debug_level = 6
ldap_access_filter = memberOf=cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
ldap_access_order = filter, host, authorized_service
ldap_tls_cacertdir = /etc/openldap/cacerts
My /etc/pam.d/sshd is as below:
#%PAM-1.0
auth sufficient /lib64/security/pam_ldap.so
auth required pam_sepermit.so
auth include password-auth
account sufficient /lib64/security/pam_ldap.so
account required pam_nologin.so
account include password-auth
password sufficient /lib64/security/pam_ldap.so
password include password-auth
# pam_selinux.so close should be the first session rule
session sufficient /lib64/security/pam_ldap.so
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
My /etc/nsswitch.conf is as below:
passwd: files sss
shadow: files sss
group: files sss
So what is the issue in my configuration?
Please reply ASAP.
Responses
Hello,
If you are using sssd authentication, pam_sss will not check /etc/pam_ldap.conf.
The correct way to achieve this is to use the 'ldap_access_filter' option in the sssd.conf file.
-------------------
ldap_access_filter = memberOf=cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
------------------
save and exit. Restart sssd service.
# service sssd restart
Hope this helps.
Regards,
Nirupama
Hi Pratik,
Perhaps the following will work for you? My experience is that some of the cache is retained, so I have often deleted the cache.
/etc/init.d/sssd stop              # stop sssd service
\rm /var/lib/sss/db/*              # remove cached files
/etc/init.d/sssd start             # start sssd service
getent passwd --service=sss        # make sure sssd is working
Hello,
Yup, as per Brian's comment above, please try clearing the sssd cache.
Refer to:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/ch29s05s02.html
Thank you,
Nirupama
Hi Nirupama,
I have never considered this until now, but is there any way to disable offline caching? In my configuration we configure sssd to communicate with Active Directory. What if the user is disabled in Active Directory but sssd loses its connection to Active Directory? Then the user can still log in.
Any way to completely disable caching? I'm just curious.
I am NOT proficient at SSSD (mostly because there seems to be so many components involved).
I would review:
/etc/nsswitch.conf (make sure you are using sss or compat referencing sss)
/etc/openldap/cacerts (or /etc/openldap/certs)
If you search this doc (https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html) for sssd.conf, you will find a reference to configuring your host for IPA. I believe the example applies to LDAP.
Also, if you did not configure your host using authconfig, I would recommend looking at that. For example:
# authconfig --enableshadow --enablemd5 --enableldap --enableldapauth --ldapserver=ldaps://192.168.0.2,ldaps://192.168.0.3 --ldapbasedn=dc=company,dc=com --enableforcelegacy --enablecachecreds --enablesssd --disablefingerprint --disablelocauthorize --enablemkhomedir --update
authconfig touches a bunch of files depending on which options you provide. I am still trying to figure out exactly which files, myself ;-)
Hello,
It seems that pam_access_filter does not work with the 'memberUid' attribute. The filter is used to search the user's entry as the baseDN, with scope=base, so it is very unlikely that the filter will check a memberUid value to match the user's entry.
You need to add the "memberOf" attribute to the user entry in LDAP.
Hope this helps.
Regards,
Nirupama
Hi Nirupama,
Yes, I should have noticed that; apologies. We are using Active Directory, but we have to add each user to the group in AD in addition to the POSIX attributes.
Hello Bryan,
If you are using Windows AD, pam_access_filter should work for you. Please refer to
https://access.redhat.com/site/solutions/65455
Hope this helps.
Regards,
Nirupama
Hello Pratik,
As you are using OpenLDAP, use 'objectClass: groupOfNames' in the user's entry in OpenLDAP; this will allow you to add the "memberOf=cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in" attribute to the user's entry in LDAP.
As I mentioned previously, pam_access_filter does not work with the 'memberUid' attribute. The filter is used to search the user's entry as the baseDN, with scope=base, so it is very unlikely that the filter will check a memberUid value to match the user's entry.
Hope this helps,
Best Regards,
Nirupama
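The point made in the two replies above (that sssd applies ldap_access_filter to the user's own entry with a base-scope search, so a memberOf filter cannot see memberUid values stored on the group) and the earlier suggestion to put the filter in sssd.conf can both be checked offline with a small simulation. The script below is an added example for this thread, not code from the posts or from sssd itself: it parses a constructed LDIF sample (the nj2 group from the thread, abridged, plus two hypothetical user entries under ou=employee) with a minimal RFC 4515 filter evaluator, then evaluates the thread's filter the way sssd would, against the user entry only. The user DNs, the memberOf value on one of them, and the case-insensitive value matching are all assumptions of the example.

```python
"""sssd-style ldap_access_filter evaluated against LDIF entries.

Added example for this thread, not code from the posts or from sssd. sssd
applies ldap_access_filter to the user's own entry (base = user DN, scope =
base), so memberOf=<group DN> matches only if the user's entry carries it;
memberUid on the group entry is never consulted. Sample entries/DNs are made up.
"""

def parse_ldif(text):
    """Simple LDIF (no base64/continuations) -> {dn: {attr: [values]}}, lower-cased."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None              # blank line ends an entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries[value.lower()] = {}
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def _parse_filter(s, i):
    """Recursive descent over an RFC 4515 subset: (attr=value) and &, |, !."""
    i += 1                              # skip the opening "("
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse_filter(s, i)
            children.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated filter")
        return (op, children), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip().lower(), value.strip()), j + 1

def parse_filter(text):
    text = text.strip()
    if not text.startswith("("):
        text = "(%s)" % text            # sssd wraps a bare attr=value itself
    return _parse_filter(text, 0)[0]

def matches(entry, node):
    """Evaluate a parsed filter against one entry (case-insensitive values)."""
    op = node[0]
    if op == "=":
        return any(v.lower() == node[2].lower() for v in entry.get(node[1], []))
    if op == "&":
        return all(matches(entry, c) for c in node[1])
    if op == "|":
        return any(matches(entry, c) for c in node[1])
    return not matches(entry, node[1][0])   # "!"

def access_allowed(entries, user_dn, filter_text):
    """Mimic sssd: read only the user's own entry (scope base), apply the filter."""
    entry = entries.get(user_dn.lower())
    return entry is not None and matches(entry, parse_filter(filter_text))

def posix_group_allows(entries, group_dn, uid):
    """What the poster wanted: uid listed in the group's memberUid (group entry)."""
    return uid in entries.get(group_dn.lower(), {}).get("memberuid", [])

# Constructed sample: the nj2 group from the thread (abridged) and two
# hypothetical users. Both are memberUids of nj2; only munin carries memberOf.
SAMPLE_LDIF = """\
dn: cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
cn: nj2
gidNumber: 517
objectClass: posixGroup
memberUid: niraj1
memberUid: munin

dn: uid=niraj1,ou=employee,dc=njgroup,dc=in
uid: niraj1
objectClass: posixAccount

dn: uid=munin,ou=employee,dc=njgroup,dc=in
uid: munin
objectClass: posixAccount
memberOf: cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in
"""
GROUP_DN = "cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in"
ACCESS_FILTER = "memberOf=" + GROUP_DN      # the filter used in the thread

def demo():
    """{uid: (allowed by ldap_access_filter, listed in the group's memberUid)}"""
    entries = parse_ldif(SAMPLE_LDIF)
    return {uid: (access_allowed(entries, "uid=%s,ou=employee,dc=njgroup,dc=in"
                                 % uid, ACCESS_FILTER),
                  posix_group_allows(entries, GROUP_DN, uid))
            for uid in ("niraj1", "munin")}

if __name__ == "__main__":
    print(demo())   # {'niraj1': (False, True), 'munin': (True, True)}
```

Running it shows niraj1 denied by the memberOf filter even though the group's memberUid lists him, while munin (whose own entry carries memberOf) is allowed; that is exactly the mismatch the replies describe. Two practitioner notes, neither from the thread: the posted sssd.conf sets ldap_group_search_base to ou=servers,dc=groups,dc=njgroup,dc=in, while the group DN it is meant to cover is cn=nj2,ou=servers,ou=groups,dc=njgroup,dc=in, so that base would not find the group either way; and if the directory cannot maintain memberOf on user entries, sssd's simple access provider (access_provider = simple with simple_allow_groups = nj2) resolves membership through the identity provider and therefore does work with memberUid-style posixGroups.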
