Fedora 14: GDM, sssd and LDAP authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,

I'm trying to get the GDM login manager to work with sssd and LDAP authentication. So far one can login with ssh, getent passwd shows all LDAP users and su - also works. But GDM says "Authentication failure". I searched Google for this but did not found something useful or just for old Fedora releases or without the new fancy sssd. The kickstart "authconfig" command or the GUI "system-config-authentication" did not produce any config that worked. We are using Sun sirectory server.

I also noticed that there are lot of places where to configugure LDAP client config: /etc/sssd/sssd.conf, /etc/openldap/ldap.conf, /etc/sysconfig/autofs. The packages pam_ldap and nss_ldap are missing on the Fedora 14 DVD. Also the autofs package is missing on the DVD.

How can one get the graphical login manager to work with LDAP authentication via sssd?

My config:


/etc/nsswitch.conf

passwd:     files sss
shadow:     files sss
group:      files sss


/etc/sssd/sssd.conf

[sssd]
config_file_version = 2
debug_level = 10
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = LOCAL,LDAP

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/LOCAL]
description = LOCAL Users domain
id_provider = local
enumerate = true
min_id = 500
max_id = 999

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = cn=proxyagent,ou=special_users,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = mypassword
ldap_user_search_base = ou=people,dc=example,dc=com
ldap_group_search_base = ou=group,dc=example,dc=com
ldap_tls_reqcert = never
cache_credentials = true
enumerate = true

/etc/pam.d/gdm

auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth       required    pam_succeed_if.so user != root quiet
auth       required    pam_env.so
auth       substack    system-auth
auth       optional    pam_gnome_keyring.so
account    required    pam_nologin.so
account    include     system-auth
password   include     system-auth
session    required    pam_selinux.so close
session    required    pam_loginuid.so
session    optional    pam_console.so
session    required    pam_selinux.so open
session    optional    pam_keyinit.so force revoke
session    required    pam_namespace.so
session    optional    pam_gnome_keyring.so auto_start
session    include     system-auth

/etc/pam.d/gdm-password
 
auth     [success=done ignore=ignore default=bad] pam_selinux_permit.so
auth        substack      password-auth
auth        required      pam_succeed_if.so user != root quiet
auth        optional      pam_gnome_keyring.so

account     required      pam_nologin.so
account     include       password-auth

password    include       password-auth

session     required      pam_selinux.so close
session     required      pam_loginuid.so
session     optional      pam_console.so
session     required      pam_selinux.so open
session     optional      pam_keyinit.so force revoke
session     required      pam_namespace.so
session     optional      pam_gnome_keyring.so auto_start
session     include       password-auth


-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux