On 2014-08-29 08:37, Mihamina Rakotomandimby wrote:
> Hi all,
>
> On a C6 box, when I want to enable LDAP authentication, I issue:
>
> # yum -y install nss-pam-ldapd pam_ldap nscd
> # authconfig --enableldap --enableldapauth --enablemkhomedir \
> --ldapserver=ldap://ldap-blabla/ \
> --ldapbasedn="blabla" \
> --enablecache --disablefingerprint \
> --kickstart --update
>
> All is working fine, the directory structure is fine and compliant.
>
> What about C7?
>
> As far as I read,
> - there is a switch to "sssd"
> - I found 1 link:
> http://www.certdepot.net/ldap-client-configuration-authconfig/
>
> Is there something in particular I should pay attention for?
> Note that I have only GUI-less servers.
>
> Thank you.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
sssd is a hard piece to configure. In C7 it absolutely wants to have an
encrypted connection to the LDAP server. Therefore, it must at least
have a valid CA cert at its disposal. Also, the LDAP server itself must
have a valid CA cert (eventually the same as the sssd client) and a valid
server certificate with the Common Name of the host it runs on.
Our /etc/sssd/sssd.conf follows:
[domain/default]
autofs_provider = ldap
# search bases for users and groups in the directory
ldap_search_base = ou=pam-ldap,dc=mydomain,dc=com
ldap_user_search_base = ou=people,ou=pam-ldap,dc=mydomain,dc=com
ldap_group_search_base = ou=group,ou=pam-ldap,dc=mydomain,dc=com
# unprivileged bind account used for lookups (password redacted)
ldap_default_bind_dn = cn=pam-ldap-checker,ou=pam-ldap,dc=mydomain,dc=com
ldap_default_authtok = ********
cache_credentials = true
enumerate = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
# plain ldap:// URI upgraded to TLS with STARTTLS; CA certs must be in cacertdir
ldap_uri = ldap://casablanca.lan/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default
[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]
-------------------------------
In the /etc/nsswitch.conf you must have:
.....
passwd: files sss
shadow: files sss
group: files sss
.....
-------------------------------
sssd, in our config, logs to /var/log/daemonlog
-------------------------------
You must have authconfig set up as you said in your message.
-------------------------------
In case you see just "Unable to establish TLS connection" with the LDAP
server from sssd, then you may be better off starting sssd in debug mode:
sssd -d0x777 -i
In this debug output, search for "Starting TLS".
Wishing you good luck
suomi
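As an added example that is not part of either message, the following script lints the two prerequisites the reply describes: an sssd LDAP domain that actually encrypts (ldaps:// or ldap_id_use_start_tls with a CA cert location) and sss listed in the passwd/shadow/group databases of nsswitch.conf. It is not sssd's own parser; the sample configs are constructed, modelled on the posted ones.

```python
import configparser

# Constructed sssd.conf sample modelled on the posted config (not the real file).
SSSD_CONF = """
[domain/default]
id_provider = ldap
cache_credentials = True
cache_credentials = true
ldap_uri = ldap://casablanca.lan/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
[sssd]
services = nss, pam
domains = default
"""

# Constructed nsswitch.conf sample in which one database forgets sss.
NSSWITCH_CONF = """passwd: files sss
shadow: files sss
group:  files
"""


def check_sssd(text):
    """Return a list of problems with the LDAP domains in sssd.conf (empty = ok)."""
    # strict=False tolerates the duplicated cache_credentials key (sssd accepts it too).
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    problems = []
    for name in cp.get("sssd", "domains", fallback="").split(","):
        sect = "domain/" + name.strip()
        if not cp.has_section(sect):
            problems.append(f"{sect}: section missing")
            continue
        dom = cp[sect]
        if dom.get("id_provider", "").lower() != "ldap":
            continue  # only LDAP-backed domains are checked here
        uri = dom.get("ldap_uri", "")
        starttls = dom.get("ldap_id_use_start_tls", "false").lower() == "true"
        if not (uri.startswith("ldaps://") or starttls):
            problems.append(f"{sect}: {uri or 'no ldap_uri'} is not ldaps:// and ldap_id_use_start_tls is off")
        if not (dom.get("ldap_tls_cacertdir") or dom.get("ldap_tls_cacert")):
            problems.append(f"{sect}: no ldap_tls_cacertdir/ldap_tls_cacert, server cert cannot be verified")
    return problems


def check_nsswitch(text):
    """Return the databases among passwd/shadow/group whose sources do not include sss."""
    sources = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # drop comments
        if ":" in line:
            db, srcs = line.split(":", 1)
            sources[db.strip()] = srcs.split()
    return [db for db in ("passwd", "shadow", "group") if "sss" not in sources.get(db, [])]
```

Run check_sssd() and check_nsswitch() on the contents of the real files; an empty list means the checks in the thread are satisfied.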