Help setting up SSSD on RedHat 7 server for use with OpenLDAP & vsftpd
First off, I'm new to SSSD, and still learning LDAP. Right now I'm attempting to set up a server so our users can authenticate in Filezilla to their OpenLDAP account using sssd on a RedHat 7 server. I'm getting errors, but not sure how to correct them. At first I was thinking that the error line "no uid provided for [dlemp] in domain [default]" was the issue. It's weird though, because above that in the log it clearly states that it's searching uid=dlemp.
I've been researching this off and on for a few days now, but I feel like I'm at a dead end. Anyone have any thoughts or suggestions on this? I'll post the errors and my sssd.conf file. If anyone wants to see any other files let me know. Thanks!
Code:
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=dlemp)(objectclass=inetOrgPerson)(&(cn=*)(!(cn=0))))][dc=CENSORED,dc=CENSORED].
Code:
(Wed Oct 14 09:40:08 2015) [sssd[be[default]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
Code:
[sssd]
Forgot to mention, my ldapsearch command does complete successfully. So I'm not sure if it's a mapping issue between ldap/sssd/Filezilla, or what my issue is. Here's the ldapsearch command for reference...
Code:
[root@localhost sssd]# ldapsearch -x -D cn=CENSORED,dc=CENSORED,dc=CENSORED -w CENSORED -ZZ -H ldap://CENSORED -b uid=dlemp,ou=CENSORED,dc=CENSORED,dc=CENSORED
Hi there,
Without going through your configuration, I can suggest you follow the RHEL 6/7 specs to set up what you are looking for. Here is the reference page for your convenience: Full: https://access.redhat.com/documentat...ntication.html sssd.conf: https://access.redhat.com/documentat...sssd.conf.html Nothing is easier than setting up sssd with ldap. Follow the instructions and if you have any issues ping back here with where you are.
Hi ostendali, thanks for the quick reply! Unfortunately I have been following that documentation pretty closely. It may not look like it from my current sssd.conf file, but I have been making tweaks, trying to get it to work. What other config files would you like to see?
Here's the error that's in my /var/log/secure log, it may lead to something: Code:
Oct 14 13:40:02 localhost sshd[7437]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=CENSORED IP ADDRESS user=dlemp
Can you post the content of your nsswitch.conf please?
Code:
# |
Just a couple more details I need here. Can you provide: 1) default PAM config 2) /etc/openldap/ldap.conf 3) and last, run "authconfig --test" to make sure your configuration is fine all over. Let's give it a try and see if we can locate the issue. PS: I do have ldap/sssd configured on my systems and am using them with no issue....
If I had to guess, I'd think it's something wonky with my sssd-ldap search filter. But I'm no expert, and it really could be anything. Here's the files you requested. Thanks!
1) default PAM config
Here's my pam.d/password-auth file, is that what you're looking for?
Code:
PAM-1.0
Code:
#
Code:
[root@web ~]# authconfig --test
well roughly all looks good from what I could see/check...
The only thing I am not sure about is whether the given ldap cacert directory will suffice, as in my configuration I had to specify the ca.crt for ldap.conf and sssd.conf (or a pem bundle, whatever you actually have). But I am not that sure if this is the cause. Maybe try to give the cert file (without removing the cacert directive which is already in the conf files).

Furthermore, checking your logs more closely, it looks like pam_sss can't find/look up the user dlemp. The user lookup is usually fetched from the nss_ldap module, which means pam_sss doesn't perform a full getpwnam()/getpwuid() lookup through the whole NSS stack. Try to run "getent passwd -s sss dlemp".

Also I am assuming you have already set PAM to yes in the sshd.conf file, right? From the log symptoms it doesn't look like a selinux/iptables issue, but it is worth checking them as well. Plus, I see your NIS domain is empty.
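The post above suggests three things to look at: whether the NSS passwd database actually lists the sss source, whether sssd has a usable CA trust anchor (file vs. directory), and what TLS settings the domain uses. The script below is an added example written for this edit, not code from either poster. It reads an sssd.conf and an nsswitch.conf offline and flags the transport settings a practitioner should not relax while chasing a certificate error: plain ldap:// without ldap_id_use_start_tls, ldap_tls_reqcert weaker than demand/hard (sssd-ldap(5) defaults to hard), and no ldap_tls_cacert/ldap_tls_cacertdir. The sample configs are constructed here to stand in for the poster's files, which did not survive in the thread; the domain name default (from the sssd[be[default]] log lines) and the cacert path /etc/openldap/cacerts/SERVERNAME.pem come from the thread, while ldap.example.com and dc=example,dc=com are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks over an sssd.conf and
# nsswitch.conf. Sample files are constructed below; the URI and search base
# are assumptions, the domain name "default" and the cacert path are from
# the thread.

# sssd_get FILE SECTION KEY: print KEY's value from [SECTION] of an
# ini-style sssd.conf (empty if absent). Lines starting with # or ; are skipped.
sssd_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { s = $0; gsub(/[[:space:]]/, "", s); insec = (s == sec); next }
        insec && /^[[:space:]]*[^#;[:space:]]/ {
            k = $0; sub(/[[:space:]]*=.*$/, "", k); gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_nsswitch FILE: 0 if the passwd database lists the sss source
# (needed for pam_sss and "getent passwd -s sss <user>"), 1 otherwise.
check_nsswitch() {
    awk '$1 == "passwd:" { for (i = 2; i <= NF; i++) if ($i == "sss") ok = 1 }
         END { exit ok ? 0 : 1 }' "$1"
}

# check_sssd_tls FILE: 0 if [domain/default] encrypts the bind and keeps
# server-certificate verification on; 1 with WARN lines otherwise.
check_sssd_tls() {
    f=$1; d=domain/default; rc=0
    uri=$(sssd_get "$f" "$d" ldap_uri)
    starttls=$(sssd_get "$f" "$d" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
    reqcert=$(sssd_get "$f" "$d" ldap_tls_reqcert | tr 'A-Z' 'a-z')
    cacert=$(sssd_get "$f" "$d" ldap_tls_cacert)
    cadir=$(sssd_get "$f" "$d" ldap_tls_cacertdir)

    # Plain ldap:// without StartTLS sends the bind password in the clear.
    case "$uri" in
        ldaps://*) ;;
        *) [ "$starttls" = true ] ||
               { echo "WARN: $uri without ldap_id_use_start_tls = true"; rc=1; } ;;
    esac
    # sssd-ldap(5): default is hard. Anything weaker than demand/hard stops
    # verifying the server certificate; do not "fix" a TLS error this way.
    case "${reqcert:-hard}" in
        demand|hard) ;;
        *) echo "WARN: ldap_tls_reqcert = $reqcert weakens certificate checking"; rc=1 ;;
    esac
    # Verification needs a trust anchor: a CA file or a hashed CA directory.
    [ -n "$cacert$cadir" ] ||
        { echo "WARN: neither ldap_tls_cacert nor ldap_tls_cacertdir is set"; rc=1; }
    return $rc
}

# write_samples DIR: constructed sample files (not the poster's real ones).
write_samples() {
    cat >"$1/nsswitch.conf" <<'EOF'
passwd:     files sss
shadow:     files sss
group:      files sss
EOF
    # A "make the errors go away" config: no StartTLS, certificate checks off.
    cat >"$1/sssd-weak.conf" <<'EOF'
[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_user_object_class = inetOrgPerson
ldap_tls_reqcert = never
EOF
    # Same domain with the transport hardened, mirroring ldapsearch -ZZ.
    cat >"$1/sssd-fixed.conf" <<'EOF'
[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_user_object_class = inetOrgPerson
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/SERVERNAME.pem
EOF
}

demo() {
    dir=$(mktemp -d) && write_samples "$dir"
    for c in sssd-weak.conf sssd-fixed.conf; do
        if check_sssd_tls "$dir/$c"; then echo "$c: OK"; else echo "$c: review WARN lines"; fi
    done
    check_nsswitch "$dir/nsswitch.conf" && echo "nsswitch.conf: passwd includes sss"
    rm -rf "$dir"
}
demo
```

Point the functions at the real files (/etc/sssd/sssd.conf, /etc/nsswitch.conf) on the box; the checks are static, so they are safe to run on a server whose sssd is currently failing. A config that passes check_sssd_tls but still produces the log lines above means the TLS transport is not the problem and the lookup itself (object class, attribute mapping, search base) is the next thing to verify.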
I added TLSCertificateFile /etc/openldap/cacerts/SERVERNAME.pem to the ldap.conf file.
Also added ldap_tls_cacert = /etc/openldap/cacerts/SERVERNAME.pem to the sssd.conf file. PAM is set to yes. Not really sure what the NIS domain is or if I need to set it up. Running the command "getent passwd -s sss dlemp" doesn't do anything. Hope that helps!
Oh, and firewall and selinux are both off for testing purposes, so those shouldn't be a factor.
NIS domain is the domain name you use for ldaps://example.com, so NIS should be example.com (replacing your domain of course).