Aim: authenticate to CentOS7 using LDAP
Problems
1) User cannot be found, calling ldap_search_ext with
[(&(uid=bla)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=my-domain,dc=com]
2) posixAccount objectClass not found
Questions
- How to add the objectClass posixAccount?
- If this objectClass type cannot be found, how to change the lookup of sssd, allowing this software to find the user in OpenLDAP and allow the authentication to CentOS7?
Comprehensive
1) sssd installed
2) ldap authentication using sssd configured on CentOS7
[root@controller ~]# authconfig --enablesssd --enablesssdauth --enablelocauthorize --update
3) sssd debugging enabled
/etc/sssd/sssd.conf
[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = #
ldap_search_base = dc=my-domain,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://<ipaddress>/
ldap_tls_cacertdir = /etc/openldap/cacerts
debug_level = 9
4) Test login using LDAP
[root@controller ~]# id Manager
id: Manager: no such user
5) Debugging
/var/log/sssd/sssd_default.log
(Thu Jul 2 22:31:46 2015) [sssd[be[default]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=my-domain,dc=com]
(Thu Jul 2 22:31:46 2015) [sssd[be[default]]] [sdap_print_server] (0x2000): Searching <ipaddress>
(Thu Jul 2 22:31:46 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=bla)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=my-domain,dc=com].
(Thu Jul 2 22:31:46 2015) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
6) Unable to add a posixAccount objectClass
Best Answer
You didn't really say what your LDAP server was or what a user in your LDAP directory looks like, but I'll try to answer as best as I can.
At the moment, SSSD serves only POSIX accounts. That means the user object on the server side either has to have a name and numerical IDs, or the numerical IDs must be inferred from a Windows SID.
The actual objectClass doesn't really matter. All you need is to configure sssd.conf with the objectClass your server uses and the attribute that contains the ID. See man sssd-ldap for more details, but the two config options you might be interested in are ldap_user_uid_number and ldap_user_object_class. If the server is a MSAD, you should ideally use id_provider=ad, which algorithmically maps SIDs to IDs.
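The question asks how to add the posixAccount objectClass, and the answer explains that sssd only returns entries carrying a name and numeric IDs. The following shell script is an added example (not code from the question or the answer): it emits an LDIF entry for a posixAccount user and checks an entry against what the filter in the sssd log requires, so a "no such user" result can be traced to a missing attribute before touching the server. The suffix dc=my-domain,dc=com comes from the question; ou=People and all user values are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the question or the answer): emit an LDIF entry for a
# posixAccount user and check it against what sssd's logged filter requires:
# uid present, objectClass posixAccount, uidNumber present and not 0.
# ou=People and all user values are constructed placeholders.
set -eu

# Emit an LDIF entry for a POSIX user. Arguments: uid uidNumber gidNumber.
# Load with: ldapadd -x -D "cn=Manager,dc=my-domain,dc=com" -W -f user.ldif
# (the OpenLDAP server needs the cosine and nis schemas loaded).
posix_user_ldif() {
    uid=$1; uidn=$2; gidn=$3
    cat <<EOF
dn: uid=$uid,ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
cn: $uid
uid: $uid
uidNumber: $uidn
gidNumber: $gidn
homeDirectory: /home/$uid
loginShell: /bin/bash
EOF
}

# Read one LDIF entry from stdin and return 0 if it satisfies the generic part
# of the filter sssd logged:
#   (&(uid=*)(objectclass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))
# Otherwise print the first unmet requirement and return 1.
matches_sssd_user_filter() {
    entry=$(cat)
    printf '%s\n' "$entry" | grep -qi '^objectClass: posixAccount$' \
        || { echo "missing objectClass posixAccount"; return 1; }
    printf '%s\n' "$entry" | grep -qi '^uid: .' \
        || { echo "missing uid"; return 1; }
    uidn=$(printf '%s\n' "$entry" | sed -n 's/^uidNumber: //p' | head -n 1)
    [ -n "$uidn" ] || { echo "missing uidNumber"; return 1; }
    [ "$uidn" != "0" ] || { echo "uidNumber is 0 (filtered out)"; return 1; }
    return 0
}
```

Running `posix_user_ldif alice 10001 10001 | matches_sssd_user_filter` reports success, while an entry without the posixAccount attributes (such as a plain cn=... organizationalRole) or with uidNumber 0 is reported as not matching, which is exactly what sssd's filter excludes.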