Fedora 14: GDM, sssd and LDAP authentication


Hi,

I'm trying to get the GDM login manager to work with sssd and LDAP authentication. So far one can log in with ssh, getent passwd shows all LDAP users and su - also works. But GDM says "Authentication failure". I searched Google for this but did not find anything useful, only material for old Fedora releases or without the new fancy sssd. The kickstart "authconfig" command or the GUI "system-config-authentication" did not produce any config that worked. We are using Sun Directory Server.

I also noticed that there are a lot of places to configure the LDAP client: /etc/sssd/sssd.conf, /etc/openldap/ldap.conf, /etc/sysconfig/autofs. The packages pam_ldap and nss_ldap are missing on the Fedora 14 DVD. Also the autofs package is missing on the DVD.

How can one get the graphical login manager to work with LDAP authentication via sssd?

My config:


/etc/nsswitch.conf

passwd:     files sss
shadow:     files sss
group:      files sss


/etc/sssd/sssd.conf

[sssd]
config_file_version = 2
debug_level = 10
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = LOCAL,LDAP

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/LOCAL]
description = LOCAL Users domain
id_provider = local
enumerate = true
min_id = 500
max_id = 999

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = cn=proxyagent,ou=special_users,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = mypassword
ldap_user_search_base = ou=people,dc=example,dc=com
ldap_group_search_base = ou=group,dc=example,dc=com
ldap_tls_reqcert = never
cache_credentials = true
enumerate = true

/etc/pam.d/gdm

auth       [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth       required    pam_succeed_if.so user != root quiet
auth       required    pam_env.so
auth       substack    system-auth
auth       optional    pam_gnome_keyring.so
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    required    pam_selinux.so close
session    required    pam_loginuid.so
session    optional    pam_console.so
session    required    pam_selinux.so open
session    optional    pam_keyinit.so force revoke
session    required    pam_namespace.so
session    optional    pam_gnome_keyring.so auto_start
session    include     system-auth

/etc/pam.d/gdm-password

auth       [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth       substack    password-auth
auth       required    pam_succeed_if.so user != root quiet
auth       optional    pam_gnome_keyring.so

account    required    pam_nologin.so
account    include     password-auth

password   include     password-auth

session    required    pam_selinux.so close
session    required    pam_loginuid.so
session    optional    pam_console.so
session    required    pam_selinux.so open
session    optional    pam_keyinit.so force revoke
session    required    pam_namespace.so
session    optional    pam_gnome_keyring.so auto_start
session    include     password-auth


-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
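
An added check, not part of the original post: a short Python audit of the [domain/LDAP] options quoted above, covering the three settings that decide whether the proxy bind password and the lookups are protected in transit and at rest. The function name audit_sssd and the STRICTER variant (including its CA path) are assumptions made for illustration.

```python
import configparser

# [domain/LDAP] options copied from the post (host and password are the post's placeholders)
POSTED = """
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_default_bind_dn = cn=proxyagent,ou=special_users,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = mypassword
ldap_tls_reqcert = never
"""

# Constructed contrast: certificate checking enforced; the CA path is a placeholder
STRICTER = POSTED.replace(
    "ldap_tls_reqcert = never",
    "ldap_tls_reqcert = demand\nldap_id_use_start_tls = true\n"
    "ldap_tls_cacert = /path/to/ca.pem")


def audit_sssd(text):
    """Return (section, option, reason) for weak settings in LDAP domains."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        if not name.startswith("domain/") or sec.get("id_provider") != "ldap":
            continue
        uris = [u.strip().lower() for u in sec.get("ldap_uri", "").split(",")]
        start_tls = sec.get("ldap_id_use_start_tls", "false").lower() == "true"
        if any(u.startswith("ldap://") for u in uris) and not start_tls:
            findings.append((name, "ldap_uri",
                             "lookups and the proxy bind are not TLS-protected"))
        if sec.get("ldap_tls_reqcert", "hard").lower() in ("never", "allow"):
            findings.append((name, "ldap_tls_reqcert",
                             "server certificate is not enforced"))
        if "ldap_default_authtok" in sec and \
                sec.get("ldap_default_authtok_type", "password") == "password":
            findings.append((name, "ldap_default_authtok",
                             "cleartext bind password: keep sssd.conf root-owned, mode 0600"))
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("stricter", STRICTER)):
        for section, option, reason in audit_sssd(conf):
            print(f"{label}: [{section}] {option}: {reason}")
```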