Ldap – How to authenticate to CentOS7 using LDAP if the posixAccount objectClass is unavailable

Tags: authentication, centos7, ldap, openldap, sssd

Aim: authenticate to CentOS7 using LDAP

Problems

1) User cannot be found

calling ldap_search_ext with 
[(&(uid=bla)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=my-domain,dc=com]

2) posixAccount objectClass not found

Questions

  1. How to add the objectClass posixAccount?
  2. If this objectClass type cannot be found, how to change the lookup of sssd so that the software can find the user in OpenLDAP and allow authentication to CentOS7?

Comprehensive

1) sssd installed

2) ldap authentication using sssd configured on CentOS7

[root@controller ~]# authconfig --enablesssd --enablesssdauth --enablelocauthorize --update

3) sssd debugging enabled

/etc/sssd/sssd.conf

[domain/default]

autofs_provider = ldap
cache_credentials = True
krb5_realm = #
ldap_search_base = dc=my-domain,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://<ipaddress>/
ldap_tls_cacertdir = /etc/openldap/cacerts

debug_level = 9

4) Test login using LDAP

[root@controller ~]# id Manager
id: Manager: no such user

5) Debugging

/var/log/sssd/sssd_default.log

(Thu Jul  2 22:31:46 2015) [sssd[be[default]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=my-domain,dc=com]
(Thu Jul  2 22:31:46 2015) [sssd[be[default]]] [sdap_print_server] (0x2000): Searching <ipaddress>
(Thu Jul  2 22:31:46 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=bla)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=my-domain,dc=com].
(Thu Jul  2 22:31:46 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]

6) Unable to add a posixAccount objectClass


Best Answer

You didn't really say what your LDAP server was or what a user in your LDAP directory looks like, but I'll try to answer as best as I can.

At the moment, SSSD serves only POSIX accounts. That means the user object on the server side either has to have a name and numerical IDs, or the numerical IDs must be inferred from a Windows SID.

The actual objectClass doesn't really matter. All you need is to configure sssd.conf with the objectClass your server uses and the attribute that contains the ID. See man sssd-ldap for more details, but the two config options you might be interested in are ldap_user_uid_number and ldap_user_object_class.

If the server is an MSAD, you should ideally use id_provider=ad, which algorithmically maps SIDs to IDs.
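A worked sssd.conf domain section along the lines the answer describes, added here as an example (it is not from the question or the answer). It assumes the directory stores users as plain inetOrgPerson entries with the numeric UID in employeeNumber and the primary GID in departmentNumber; both attribute choices are assumptions for this example, picked only because inetOrgPerson already defines them.

```ini
[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://<ipaddress>/
ldap_search_base = dc=my-domain,dc=com
ldap_tls_cacertdir = /etc/openldap/cacerts
cache_credentials = True

# Assumed schema (not from the page): users are inetOrgPerson entries without
# posixAccount. Tell SSSD which objectClass to search for and which attributes
# carry the numeric IDs; the default lookup only matches posixAccount/uidNumber.
ldap_user_object_class = inetOrgPerson
ldap_user_name = uid
ldap_user_uid_number = employeeNumber
ldap_user_gid_number = departmentNumber

# posixAccount would normally supply homeDirectory and loginShell; keep the
# default attribute names but fall back to templates when they are missing.
ldap_user_home_directory = homeDirectory
ldap_user_shell = loginShell
fallback_homedir = /home/%u
default_shell = /bin/bash

# Secondary groups: if the server has no posixGroup entries either, the
# ldap_group_object_class / ldap_group_gid_number options need the same
# treatment (see man sssd-ldap).

debug_level = 9
```

After editing, restart sssd and clear the cache (`sss_cache -E`), then rerun `id <user>`; the debug log should now show `(objectclass=inetOrgPerson)` and `(employeeNumber=*)` in the ldap_search_ext filter instead of posixAccount/uidNumber. Note that sssd refuses to start unless sssd.conf is owned by root with mode 0600.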