On 11/10/2010 02:44 AM, Bernd Nies wrote:
> Hi,
>
> I'm trying to get the GDM login manager to work with sssd and LDAP
> authentication. So far one can log in with ssh, getent passwd shows all
> LDAP users and su - also works. But GDM says "Authentication failure". I
> searched Google for this but did not find anything useful, or just for
> old Fedora releases or without the new fancy sssd. The kickstart
> "authconfig" command or the GUI "system-config-authentication" did not
> produce any config that worked. We are using Sun Directory Server.
>
> I also noticed that there are a lot of places where to configure LDAP
> client config: /etc/sssd/sssd.conf, /etc/openldap/ldap.conf,
> /etc/sysconfig/autofs. The packages pam_ldap and nss_ldap are missing on
> the Fedora 14 DVD. Also the autofs package is missing on the DVD.
>
> How can one get the graphical login manager to work with LDAP
> authentication via sssd?
>
> My config:
>
>
> /etc/nsswitch.conf
>
> passwd: files sss
> shadow: files sss
> group: files sss
>
>
> /etc/sssd/sssd.conf
>
> [sssd]
> config_file_version = 2
> debug_level = 10
> reconnection_retries = 3
> sbus_timeout = 30
> services = nss, pam
> domains = LOCAL,LDAP
>
> [nss]
> filter_groups = root
> filter_users = root
> reconnection_retries = 3
>
> [pam]
> reconnection_retries = 3
>
> [domain/LOCAL]
> description = LOCAL Users domain
> id_provider = local
> enumerate = true
> min_id = 500
> max_id = 999
>
> [domain/LDAP]
> id_provider = ldap
> auth_provider = ldap
> ldap_schema = rfc2307
> ldap_uri = ldap://ldap.example.com
> ldap_search_base = dc=example,dc=com
> ldap_default_bind_dn = cn=proxyagent,ou=special_users,dc=example,dc=com
> ldap_default_authtok_type = password
> ldap_default_authtok = mypassword
> ldap_user_search_base = ou=people,dc=example,dc=com
> ldap_group_search_base = ou=group,dc=example,dc=com
> ldap_tls_reqcert = never
> cache_credentials = true
> enumerate = true
>
>
> /etc/pam.d/gdm
>
> auth       [success=done ignore=ignore default=bad] pam_selinux_permit.so
> auth       required    pam_succeed_if.so user != root quiet
> auth       required    pam_env.so
> auth       substack    system-auth
> auth       optional    pam_gnome_keyring.so
> account    required    pam_nologin.so
> account    include     system-auth
> password   include     system-auth
> session    required    pam_selinux.so close
> session    required    pam_loginuid.so
> session    optional    pam_console.so
> session    required    pam_selinux.so open
> session    optional    pam_keyinit.so force revoke
> session    required    pam_namespace.so
> session    optional    pam_gnome_keyring.so auto_start
> session    include     system-auth
>
>
> /etc/pam.d/gdm-password
>
> auth       [success=done ignore=ignore default=bad] pam_selinux_permit.so
> auth       substack    password-auth
> auth       required    pam_succeed_if.so user != root quiet
> auth       optional    pam_gnome_keyring.so
>
> account    required    pam_nologin.so
> account    include     password-auth
>
> password   include     password-auth
>
> session    required    pam_selinux.so close
> session    required    pam_loginuid.so
> session    optional    pam_console.so
> session    required    pam_selinux.so open
> session    optional    pam_keyinit.so force revoke
> session    required    pam_namespace.so
> session    optional    pam_gnome_keyring.so auto_start
> session    include     password-auth
>

Check out your /etc/pam.d/password-auth and compare it to
/etc/pam.d/system-auth. Most services rely on system-auth (which is why
everything but GDM is working) but GDM's multiple authentication stack
approach requires that password-auth also be updated to use pam_sss.so.

Alternately, you could run the authconfig-gtk UI and set up LDAP there
(which will handle all of the PAM setup) and then manually edit
sssd.conf to make the tweaks you want.

-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
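A quick way to confirm the mismatch Stephen describes, as an added example that is not part of the thread: the script below checks which PAM stacks in a /etc/pam.d file have no pam_sss.so entry, and runs it over two constructed files that mimic a system-auth updated by authconfig next to an untouched password-auth (the one gdm-password actually uses). The file contents and the check_pam_sss helper are assumptions for illustration, not the poster's configuration.

```shell
#!/bin/sh
# Added example: compare PAM stack files for pam_sss.so coverage.
set -eu

# Print the stack types (auth, account, password) in PAM file $1 that
# contain no pam_sss.so line. Comment lines are ignored; an empty
# result means every stack already consults sssd.
check_pam_sss() {
    file=$1
    missing=""
    for type in auth account password; do
        if ! grep -Ev '^[[:space:]]*#' "$file" \
           | awk -v t="$type" '$1 == t && $0 ~ /pam_sss\.so/ { found = 1 }
                                END { exit !found }'; then
            missing="${missing:+$missing }$type"
        fi
    done
    printf '%s\n' "$missing"
}

# Constructed sample files (not real system files): system-auth has been
# updated for sssd, password-auth has not, so GDM's stack never sees sssd.
TMPD=$(mktemp -d)
cat > "$TMPD/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
session     optional      pam_sss.so
EOF
cat > "$TMPD/password-auth" <<'EOF'
# password-auth left as shipped: no pam_sss.so anywhere
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
session     required      pam_unix.so
EOF

SYSTEM_AUTH_MISSING=$(check_pam_sss "$TMPD/system-auth")
PASSWORD_AUTH_MISSING=$(check_pam_sss "$TMPD/password-auth")
echo "system-auth stacks without pam_sss.so:   ${SYSTEM_AUTH_MISSING:-none}"
echo "password-auth stacks without pam_sss.so: ${PASSWORD_AUTH_MISSING:-none}"
rm -rf "$TMPD"
```

On a real Fedora 14 host, point check_pam_sss at /etc/pam.d/system-auth and /etc/pam.d/password-auth; any stack it lists for password-auth is one GDM will never route through sssd.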