Re: ldap host attribute is ignored




On 05/05/2015 11:14 AM, Ulrich Hiller wrote:
> On 05/05/2015 06:47 PM, Gordon Messmer wrote:
>> This is wrong.  Don't use sss and ldap together.  It's redundant. At
>> best it will cause performance problems.
>>
>> Get rid of the ldap module and see if the system starts working
>> correctly with just sssd.  It's possible that right now sssd is
>> correctly filtering users, but the PADL ldap module is providing them.
>
> This was a good hint (I should have got the idea myself).
> Now I set
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap

That's exactly the opposite of what I suggested. Your system is now using the deprecated PADL ldap module for name service instead of sssd.

You should probably remove nscd and nss-pam-ldapd from your system entirely. They're deprecated, and they're going to waste your time.

> and got "pam_unix(sshd:auth): check pass; user unknown"

That seems consistent with having "ldap" in nsswitch.conf and no /etc/ldap.conf.

Don't use "ldap".  Use "sss".

> So, does it mean only the NSS is providing the ldap user information,
> and sssd cannot read the pam information? So pam is not set up correctly?

That's a confusing question, so let me explain the stack a little.

At one end you have your applications. Everything that needs to resolve user names, groups, hosts, services, etc. is here. For example, "ls". "ls" reads directories and stats files; those files have numeric user and group IDs, which need to be resolved to names.

In the middle you have glibc and its "nss" API. "nss" provides a single interface to applications for resolving names and numbers for the types defined in nsswitch.conf.

At the other end of the stack you have nss modules. These include the "unix" module which reads files in /etc, the deprecated LDAP module from PADL, and the sss module that's part of sssd.

(sssd extends the stack a little bit. It provides one interface to nss, and has its own modules to resolve names through LDAP and other directories.)

PAM is completely separate from all of that. PAM provides authentication services. It's a completely different interface from resolving names and numbers.

So, right now it sounds like you have the system configured to read information from the "ldap" module, but that module needs /etc/ldap.conf. You should be using the "sss" module in nsswitch.conf instead.

> I am confused about what to do now.
> Do I have to configure anything else in /etc/pam.d apart from system-auth?

You probably shouldn't ever touch the files in /etc/pam.d.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
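An added check, not part of the thread, that audits an nsswitch.conf for the mix-up discussed above: it reads the passwd, shadow and group lines and flags the deprecated PADL "ldap" module or a missing "sss" entry. The function names and the sample file contents are my own construction.

```shell
#!/bin/sh
# Added example: audit nsswitch.conf for "ldap" vs "sss" on the user/group databases.

# nss_sources FILE DB
# Prints the source list configured for DB (e.g. "files sss"), ignoring comments.
nss_sources() {
    sed -e 's/#.*//' "$1" | awk -F: -v db="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1) }
        $1 == db { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2; exit }'
}

# nss_audit FILE
# Returns 0 when passwd, shadow and group all list "sss" and none lists "ldap";
# otherwise prints one finding per line and returns 1.
nss_audit() {
    rc=0
    for db in passwd shadow group; do
        src=$(nss_sources "$1" "$db")
        case " $src " in
            *" ldap "*)
                echo "$db: uses deprecated PADL 'ldap' module (needs /etc/ldap.conf); use 'sss' instead"
                rc=1 ;;
        esac
        case " $src " in
            *" sss "*) ;;
            *)
                echo "$db: 'sss' missing; sssd is never consulted for this database"
                rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample reproducing the poster's "files ldap" lines.
sample=$(mktemp)
printf 'passwd:     files ldap\nshadow:     files ldap\ngroup:      files ldap\nhosts:      files dns\n' > "$sample"
nss_audit "$sample" || echo "-> fix: change 'files ldap' to 'files sss', then verify with: getent passwd <user>"
rm -f "$sample"
```

Run it against the real file with `nss_audit /etc/nsswitch.conf`; `getent` afterwards exercises the glibc nss path the message describes, independently of PAM.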



