On 05/05/2015 06:47 PM, Gordon Messmer wrote: > On 05/05/2015 03:02 AM, Ulrich Hiller wrote: >> /etc/openldap/ldap.conf contains the line: >> ------------------------------------------ >> pam_check_host_attr yes > > /etc/openldap/ldap.conf is the configuration file for openldap clients. > It is not used for system authentication or name service. > >> 'pam_check_host_attr yes' is in /etc/openldap/ldap.conf. /etc/ldap.conf >> is a softlink to that file. > > Those two files have completely different syntax and are used by > different software. Don't symlink them. i deleted the link now. /etc/ldap.conf was not present before. I gave openldap > >> /etc/sssd/sssd.conf: >> -------------------- > > If you're using sssd, then you're not using (or shouldn't be using) the > PADL nss module. In that case, /etc/ldap.conf shouldn't even be present. > >> [domain/default] >> access_provider = ldap >> ldap_access_filter = memberOf=ou=YYYY,o=XXXX >> ldap_access_order = host > > ldap_access_filter should be an LDAP filter, not an OU. However, it's > only used when ldap_access_order=filter. When using > ldap_access_order=host, it should not be present. > ldap_access_filter is now commented out. >> in /etc/nscd.conf: > > nscd is also not used when using sssd. > >> /etc/nsswitch.conf: >> ................... >> passwd: files sss ldap >> shadow: files sss ldap >> group: files sss ldap > > This is wrong. Don't use sss and ldap together. It's redundant. At > best it will cause performance problems. > > Get rid of the ldap module and see if the system starts working > correctly with just sssd. It's possible that right now sssd is > correctly filtering users, but the PADL ldap module is providing them. > This was a good hint (i should have got the idea myself). Now i set passwd: files ldap shadow: files ldap group: files ldap and got "pam_unix(sshd:auth): check pass; user unknown" the same when i set in sssd.conf services = pam So, does it mean only the NSS is providing the ldap user information, and sssd cannot read the pam information? So pam is not set up correctly? I am confused about what to do now. Do i have to configure anything else in /etc/pam.d apart from system-auth? With kind regards, ulrich _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos