LDAP integration for linux client authentication


Sharad Jash

Feb 28, 2019, 7:10:01 AM
to VG...@googlegroups.com
Dear Members,

I'm configuring my LDAP server as authentication for a Linux server.
I'm using CentOS 7.4 as the client, with SSSD configured, and OpenDS as the LDAP server.
Following is the SSSD config on the client.
***************************************************************
[domain/default]

autofs_provider = ldap
cache_credentials = True
ldap_search_base = dc=example,dc=in
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://develop.example.in:1389/
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
services = nss, pam, autofs
domains = default


***************************************************************

Also I have changed the files /etc/pam.d/password-auth-ac and /etc/pam.d/system-auth-ac:
************************************************************************************************
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
 
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
 
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
 
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
********************************************************************************


and when I run the getent command I get the following output:
# getent passwd sharad
sharad:*:2002:2002:sharad:/home/sharad:/bin/bash


But when I try to log in via SSH it gives permission denied (following are the logs from /var/log/secure):

Feb 28 17:19:38 krbdev sshd[18274]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=develop.example.in user=sharad
Feb 28 17:19:38 krbdev sshd[18274]: pam_sss(sshd:auth): received for user sharad: 7 (Authentication failure)
Feb 28 17:19:38 krbdev sshd[18274]: Failed password for sharad from 10.10.4.12 port 46392 ssh2

I'm unable to figure out why it is getting uid=0 when it is supposed to get 2002 as its UID.
Kindly suggest how we can resolve the above-mentioned issue.
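
An added example, not part of the original post, that parses pam_sss lines in the format quoted above into structured records (the sample below is constructed from those lines). The uid= and euid= fields in the "authentication failure" message are the credentials of the process calling PAM (sshd, running as root), not the account being checked, which is only in user=; the parser keeps the two apart.

```python
import re
from collections import Counter

# Constructed sample in the format of the /var/log/secure lines quoted in this thread.
SAMPLE_LOG = """\
Feb 28 17:19:38 krbdev sshd[18274]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=develop.example.in user=sharad
Feb 28 17:19:38 krbdev sshd[18274]: pam_sss(sshd:auth): received for user sharad: 7 (Authentication failure)
Feb 28 17:19:38 krbdev sshd[18274]: Failed password for sharad from 10.10.4.12 port 46392 ssh2
Mar  3 17:59:52 krbdev sshd[7686]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=kara.example.in user=sharad
Mar  3 17:59:59 krbdev sshd[7686]: pam_sss(sshd:auth): received for user sharad: 6 (Permission denied)
"""

# Linux-PAM return codes that pam_sss reports in the 'received for user' line.
PAM_CODES = {6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN"}

# uid/euid are the PAM caller's credentials (sshd runs as root, hence 0);
# the account being authenticated appears only in user=.
FAILURE_RE = re.compile(
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: pam_sss\((?P<service>\w+):auth\): authentication failure; "
    r"logname=(?P<logname>\S*) uid=(?P<caller_uid>\d+) euid=(?P<caller_euid>\d+) tty=(?P<tty>\S*) "
    r"ruser=(?P<ruser>\S*) rhost=(?P<rhost>\S*) user=(?P<user>\S+)")
RESULT_RE = re.compile(
    r"\[(?P<pid>\d+)\]: pam_sss\(\w+:auth\): received for user (?P<user>\S+): (?P<code>\d+) \(")

def parse_pam_sss(log_text):
    """Return one record per pam_sss result, joined to its 'authentication failure' line by PID."""
    pending, records = {}, []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            pending[m.group("pid")] = m.groupdict()
            continue
        m = RESULT_RE.search(line)
        if m:
            code = int(m.group("code"))
            # A result without a preceding failure line still yields a record.
            rec = pending.pop(m.group("pid"), {"rhost": None, "caller_uid": None})
            rec.update(user=m.group("user"), pam_code=code, pam_error=PAM_CODES.get(code, "UNKNOWN"))
            records.append(rec)
    return records

def failures_by_source(records):
    """Count pam_sss failures per (rhost, user, pam_error) for triage."""
    return Counter((r["rhost"], r["user"], r["pam_error"]) for r in records)
```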




Sham Arsiwala

Feb 28, 2019, 7:36:09 AM
to vg...@googlegroups.com
Hi,

Try the below; it might help.

Change auth section in /etc/pam.d/password-auth-ac to :

auth        required      pam_env.so
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 500 quiet          <=====[1]
auth        [default=1 success=ok] pam_localuser.so  
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so forward_pass                                   <=====[2]
auth        required      pam_deny.so

In change [1], pam_localuser will call pam_unix only when the user exists in /etc/passwd.
Change [2] indicates that pam_sss should use the already entered password.


Sham Arsiwala

Sharad Jash

Mar 4, 2019, 11:52:56 AM
to vg...@googlegroups.com
Thanks Sham for your help.
I'm getting closer, but this time I end up getting an additional error.

*******************************************************************************

Mar  3 17:59:52 krbdev sshd[7686]: pam_succeed_if(sshd:auth): requirement "uid >= 500" was met by user "sharad"
Mar  3 17:59:52 krbdev sshd[7686]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=kara.example.in user=sharad
Mar  3 17:59:59 krbdev sshd[7686]: pam_sss(sshd:auth): received for user sharad: 6 (Permission denied)

*******************************************************************************


Thanks in advance...
Sharad







Sham Arsiwala

Mar 4, 2019, 9:05:01 PM
to vg...@googlegroups.com

Sharad Jash

Mar 6, 2019, 11:16:12 AM
to vg...@googlegroups.com
Thanks Sham for your inputs.
I changed the following in sssd.conf and it worked.

access_provider = permit
ldap_tls_reqcert = never

After going through the logs I got to know that if you are NOT specifying an SSL/TLS certificate to be verified on the server side, you must explicitly write it in the conf using the 2nd line.

Thanks once again for your efforts.


Best Regards,
Sharad

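An added example, not from the thread, that audits an sssd.conf for the settings this thread ends up with: the two lines that made login work also turn off server certificate verification for the TLS session carrying the user's password and leave host access control at its permit default. WEAK_CONF is assembled from the settings quoted above; HARDENED_CONF, its CA file path and group name are hypothetical.

```python
import configparser

# Constructed from the sssd.conf quoted in this thread plus the two lines added at the end;
# keys that do not affect the findings are omitted.
WEAK_CONF = """\
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://develop.example.in:1389/
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
access_provider = permit
ldap_tls_reqcert = never
"""

# Hypothetical hardened counterpart: LDAPS, verified server certificate, explicit access rule.
HARDENED_CONF = """\
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://develop.example.in/
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/ca.pem
access_provider = simple
simple_allow_groups = linux-admins
"""

def audit_sssd(conf_text):
    """Return [(section, tag, detail)] for weak transport/access settings in each LDAP domain."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        if "ldap" not in (d.get("id_provider"), d.get("auth_provider")):
            continue
        uris = [u.strip() for u in d.get("ldap_uri", "").split(",")]
        # Identity lookups travel in the clear on ldap:// unless StartTLS is forced for them;
        # the auth provider starts TLS on its own for the password bind.
        if any(u.startswith("ldap://") for u in uris) and not d.getboolean("ldap_id_use_start_tls", fallback=False):
            findings.append((section, "cleartext_id", f"identity lookups unencrypted over {uris}"))
        if d.getboolean("ldap_auth_disable_tls_never_use_in_production", fallback=False):
            findings.append((section, "auth_no_tls", "passwords sent without TLS"))
        # Default is 'hard'; 'never'/'allow' accept any certificate, so whoever answers on the
        # LDAP port can terminate the TLS session that carries the user's password.
        if d.get("ldap_tls_reqcert", "hard").strip().lower() in ("never", "allow"):
            findings.append((section, "tls_reqcert", f"ldap_tls_reqcert={d['ldap_tls_reqcert']}"))
        # Default is 'permit': every account resolvable through LDAP may log in on this host.
        if d.get("access_provider", "permit").strip().lower() == "permit":
            findings.append((section, "access_permit", "no host access control"))
    return findings
```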

Sham Arsiwala

Mar 6, 2019, 12:09:41 PM
to vg...@googlegroups.com
Hi,

That’s Gr8.

Thanks 

Sham Arsiwala
