I have installed openldap on CentOS 7 minimal and added a user newuser01 to the database successfully. ldapsearch works fine on both the master and the client using this format:
ldapsearch -H ldaps://provider.example.com -x -D "cn=Manager,dc=example,dc=com" -W
But getent passwd -s sss newuser01
or getent passwd newuser01
returns nothing on both client and master.
Here are the files that I looked at. I am not sure if they are correctly configured or if there are others I should look at; thank you so much for your efforts:
- /etc/nsswitch.conf
- /etc/openldap/ldap.conf
- /etc/sssd/sssd.conf
- /etc/openldap/slapd.conf # deprecated on CentOS 7
- /etc/pam.d/system-auth
On Master:
/etc/nsswitch.conf
contains:
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files
aliases: files nisplus
/etc/openldap/ldap.conf
contains:
BASE dc=example,dc=com
URI ldaps://provider.example.com
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand
SASL_NOCANON on
/etc/sssd/sssd.conf
is empty on the server
/etc/pam.d/system-auth
contains:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
On the client:
/etc/nsswitch.conf
contains exactly the same as on the server
/etc/openldap/ldap.conf
contains:
TLS_CACERTDIR /etc/openldap/cacerts
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
URI ldaps://provider.example.com:636
BASE dc=example,dc=com
/etc/sssd/sssd.conf
contains:
[domain/default]
autofs_provider = ldap
cache_credentials = False
ldap_search_base = dc=example,dc=com
krb5_server = #
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://provider.example.com:636
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default
[nss]
homedir_substring = /home
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
/etc/pam.d/system-auth
seems to contain the same as the server, with this extra entry:
session optional pam_sss.so
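One check worth running before touching sssd.conf: confirm that the entry ldapsearch returns actually carries the POSIX attributes sssd maps with its default rfc2307 schema (objectClass posixAccount plus uid, uidNumber, gidNumber and homeDirectory). An entry that exists in LDAP but lacks them is never exposed through getent. The script below is an added example, not part of the question; the two LDIF entries it feeds the check are constructed here, and the ldapsearch line in the comment is the query you would run against the provider from the question.

```shell
#!/bin/sh
# Verify that a user entry has what sssd's default rfc2307 map needs.
# Produce the real input with (assumed bind DN and base from the question):
#   ldapsearch -LLL -x -H ldaps://provider.example.com -D "cn=Manager,dc=example,dc=com" -W \
#       -b dc=example,dc=com '(uid=newuser01)' | check_posix_entry
# Limitations: base64 values ("attr:: ...") and folded continuation lines are not handled.

check_posix_entry() {
    entry=$(cat)                       # one LDIF entry on stdin
    missing=""
    # Attribute names are case-insensitive in LDAP, hence grep -i.
    printf '%s\n' "$entry" | grep -qi '^objectClass: posixAccount$' \
        || missing="$missing objectClass=posixAccount"
    for attr in uid uidNumber gidNumber homeDirectory; do
        # "^uid: " does not match "uidNumber: ", so each attribute is checked separately
        printf '%s\n' "$entry" | grep -qi "^$attr: " || missing="$missing $attr"
    done
    if [ -n "$missing" ]; then
        echo "sssd will not resolve this entry; missing:$missing" >&2
        return 1
    fi
    echo "entry carries every attribute the rfc2307 user map requires" >&2
    return 0
}

# Constructed sample: a complete POSIX account.
sample_entry_good() {
    cat <<'EOF'
dn: uid=newuser01,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: New User
sn: User
uid: newuser01
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/newuser01
loginShell: /bin/bash
EOF
}

# Constructed sample: a person entry without the POSIX object class or attributes.
sample_entry_bad() {
    cat <<'EOF'
dn: uid=newuser01,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
cn: New User
sn: User
uid: newuser01
mail: newuser01@example.com
EOF
}

# Usage: sample_entry_good | check_posix_entry ; sample_entry_bad | check_posix_entry
```

If the real entry fails this check, no amount of sssd.conf tuning will make getent return it; add the posixAccount object class and attributes to the entry (or remap the attribute names with the ldap_user_* directives if your schema uses different ones).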
Best Answer
This works for me using sssd-ldap against a FreeIPA LDAP server (not using the built-in IdM provider but the sssd-ldap provider, as asked).
authconfig --enablesssd --enablesssdauth --enablelocauthorize --update
systemctl restart sssd
If you do not need to bind to get the list of users, remove the ldap_default_bind_dn, ldap_default_authtok_type and ldap_default_authtok directives. If you do not require TLS, remove those directives too, but you are authenticating users, so it should be enabled. Modify the paths in the cacertdir and cacert directives to match your situation, as well as the user and group search base.
In this blog you will find a similar howto: http://www.couyon.net/blog/enabling-ldap-usergroup-support-and-authentication-in-centos-6 The official Red Hat documentation is here: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/Configuring_Domains.html#Configuring_Domains-Configuring_a_Native_LDAP_Domain
As always, the proof is in the pudding:
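To make the answer's description concrete, here is an added example (mine, not the answerer's configuration) that renders a complete sssd.conf for the sssd-ldap provider with the bind and TLS directives the answer names, and a small lint that catches the settings you would not want on a box that authenticates users: a cleartext ldap:// URI without StartTLS, ldap_tls_reqcert set to never or allow, and a stored bind password in a file that is not mode 0600. The host, base DN, bind account, ou=People/ou=Group search bases and the CHANGE-ME password are placeholders; substitute your own. The authconfig and systemctl lines from the answer are shown in a comment rather than executed.

```shell
#!/bin/sh
# Placeholders taken from the question; the bind account and search bases are assumed.
LDAP_URI="ldaps://provider.example.com:636"
LDAP_BASE="dc=example,dc=com"
BIND_DN="cn=sssd-reader,ou=services,dc=example,dc=com"

# Emit an sssd.conf for the sssd-ldap provider. $1 is "tls" (default) or "weak";
# "weak" reproduces the settings the lint below is meant to reject.
render_sssd_conf() {
    mode="${1:-tls}"
    if [ "$mode" = "weak" ]; then
        uri="ldap://provider.example.com"; reqcert="never"
    else
        uri="$LDAP_URI"; reqcert="demand"
    fi
    cat <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[nss]
homedir_substring = /home

[pam]

[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307
ldap_uri = $uri
ldap_search_base = $LDAP_BASE
ldap_user_search_base = ou=People,$LDAP_BASE
ldap_group_search_base = ou=Group,$LDAP_BASE
# Bind account for enumeration; remove these three lines if anonymous search is allowed
ldap_default_bind_dn = $BIND_DN
ldap_default_authtok_type = password
ldap_default_authtok = CHANGE-ME
# TLS: ldaps:// already encrypts, so StartTLS stays off; the CA dir must hold the signer
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = $reqcert
cache_credentials = True
EOF
}

# Return non-zero when the config would send credentials in cleartext, skip server
# certificate validation, or leave a stored bind password readable (sssd itself
# refuses to start unless sssd.conf is 0600 and owned by root).
lint_sssd_conf() {
    f="$1"; rc=0
    get() { sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$f" | tail -n 1; }
    uri=$(get ldap_uri)
    starttls=$(get ldap_id_use_start_tls | tr 'A-Z' 'a-z')
    reqcert=$(get ldap_tls_reqcert | tr 'A-Z' 'a-z')
    case "$uri" in
        ldaps://*) ;;
        *) [ "$starttls" = "true" ] || { echo "ldap_uri $uri without StartTLS: cleartext binds" >&2; rc=1; } ;;
    esac
    case "$reqcert" in
        never|allow) echo "ldap_tls_reqcert = $reqcert disables certificate validation" >&2; rc=1 ;;
    esac
    if grep -q '^[[:space:]]*ldap_default_authtok[[:space:]]*=' "$f"; then
        perm=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        [ "$perm" = "600" ] || { echo "bind password stored but mode is $perm; need 0600" >&2; rc=1; }
    fi
    return $rc
}

# Install and activate (run as root):
#   render_sssd_conf tls > /etc/sssd/sssd.conf && chmod 600 /etc/sssd/sssd.conf
#   lint_sssd_conf /etc/sssd/sssd.conf
#   authconfig --enablesssd --enablesssdauth --enablelocauthorize --update
#   systemctl restart sssd
```

After the restart, getent passwd newuser01 should return the entry; if it does not, /var/log/sssd/sssd_default.log is the first place to look.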