On 05/06/2015 07:24 AM, Ulrich Hiller wrote:
Now i have removed the 'ldap' from the /etc/nsswitch.conf. Now it looks
like this:
Looks good.
My /etc/openldap/ldap.conf is this:
OK, but that file isn't used for name service or authentication. Mostly
just the openldap tools (ldapsearch, ldapadd, ldapmodify).
The sssd.conf is this:
...
[nss]
filter_groups = root
filter_users = root
nitpick: those are the defaults. Probably don't need to set them.
[domain/default]
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/ssl/certs
ldap_tls_reqcert = never
Not sure about that setting. "allow" is probably what you want if
you're using starttls.
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
...
When i stop the sssd deamon, no login at all is possible.
OK. Remember that previously you had both sssd and ldap configured to
provide user information.
You'll want to watch the logs for more information.
Start by determining whether the problem is in the name service or
authentication step. Use "id <user>" or "getent passwd <user>" to
determine whether user information is available through sssd. If it is
not, then you probably want to start paring out settings that you added
(assuming that you started with a file written by authconfig) until
that's working.
If user data is available, then start looking at your pam configuration.
It looks like you made some changes there, and not all of them make
sense. In the auth stack, you're calling pam_unix.so twice. Remove the
last one. You've also marked pam_sss.so as required instead of
sufficient, which is definitely wrong. On success of a "sufficient"
module, processing stops. On success of a "required" module, processing
will continue, and will reach pam_deny.so. See the man page for
pam.conf for more information.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
