LDAP Client Authentication using SSSD: Groups issue

ldap authentication openldap 389-ds sssd
21,357

Finally I was able to resolve it. This article helped me a lot.

Here is what I did. On SSSD side everything was configured fine, however, I did not configure the LDAP side. In order to Unix users (posix users) to work properly, we have to create posix groups and assign appropriate values.

For for each user, apart from assigning posix group ID and User ID, you need to attach them to a posix group as well. You can add this from 389 admin console as well. While creating group just click on the "posix group" section. Or from command prompt use this article

Share:
21,357

Related videos on Youtube

chandank
Author by

chandank

Updated on September 18, 2022

Comments

  • chandank
    chandank over 1 year

    I have been able to setup 389 LDAP server and SSSD client authentication. However, whenever I login using ldap user after each login it displays the error 

    ttt@dsl's password: 
Last login: Thu Dec  6 12:52:06 2012
id: cannot find name for group ID 6006

    I tried with multiple different users and multiple types. I am using Centos 6 on both server and client side. getent shadow does not return ldap users and this feature request have been denied by Redhat.https://bugzilla.redhat.com/show_bug.cgi?id=751291.

    Or shall I switch back to nss_ldap/pam_ldap, but I may not get password caching that sssd provides.

    Update:

    root@dsl etc]# cat /etc/sssd/sssd.conf 
[domain/default]
ldap_tls_reqcert = never
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ma,dc=net
#krb5_realm = EXAMPLE.COM
#krb5_server = kerberos.example.com
ldap_group_member = uniquemember
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.ma.net
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
enumerate = false
[sssd]
services = nss, pam
config_file_version = 2

#domains = LDAP
domains = 
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
[sudo]

[autofs]

[ssh]

[root@dsl etc]#

    After login as user I can successfully execute id command, still wondering why it always says no such group.

    [root@ldap02 ~]# ssh ttt@dsl
ttt@dsl's password: 
Last login: Thu Dec  6 13:18:16 2012 from 10.2.3.69
id: cannot find name for group ID 6006
[ttt@dsl ~]$ id ttt
uid=6006(ttt) gid=6006 groups=6006

    Also

    [root@dsl ~]# groups ttt
ttt : groups: cannot find name for group ID 6006
6006
[root@dsl ~]# groups ttt
    • Admin
      Admin over 11 years
      Your question is missing the following ingredients: full sssd.conf, relevant logfile entries and a mention of whether there even is a group with GID 6006 or not and whether your LDAP user is part of it or not.
    • Admin
      Admin over 11 years
      updated the question. Many cases if I post a question I get the answer by myself by evening but I guess this question has to wait
  • daff
    daff over 11 years
    Really? You wanted to do (PAM) authentication against an LDAP user database without even having a complete LDAP user database? :)
  • chandank
    chandank over 11 years
    Yes it may sound strange to you, but I guess for someone who has no idea about Ldap and how it handles the user management for Unix, it was really difficult. I never though a ldap server designed on/for Linux would keep Linux user mgm so cryptic for a new user. I understand your point as now I think that was a trivial approach but at the same time I know how a newbie feels when he/she does not find a single reference of this in whole Manual.
  • chandank
    chandank over 11 years
    I wonder if you could help me with how I could manage certs of two LDAP servers (failover server) on the client side. I did copy both certs on cacertd dir pointed by sssd and ldap.conf but it does not seems to work. Does these certs need to be in some format ?
  • daff
    daff over 11 years
    I think you should post a separate question about your certificate issues, should be fairly straightforward to answer. As for LDAP as a user database and authentication in general: of course it is difficult and non-trivial to get working, but there is much documentation and quite a few books out there that also teach the basics. The Ubuntu Server Guide contains useful information, as does the Red Hat documentation. And although a bit dated now, this book also helped me a lot.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

SSSD rejects LDAP login with su: incorrect password
SSSD & LDAP authentication
Where do I specify the Bind DN and password for sss+ldap?
Allowing LDAP users to change password
Open LDAP Authentication - How to verify userPassword without bind?
Find users currently logged in using ldap?
How to only allow users and/or groups access certain client machines that are connected to an openldap server?
What is my BaseDN supposed to be with the following configuration of OpenLDAP?
OpenLDAP Password Expiration with pwdReset=TRUE?
How to change expired LDAP user password under linux?