Gentoo Forums
[SOLVED]sssd UNABLE to get users from gentoo openldap server
alamahant (Apprentice)
Joined: 23 Mar 2019
Posts: 262

Posted: Sun Dec 15, 2019 8:55 pm    Post subject: [SOLVED]sssd UNABLE to get users from gentoo openldap server

Hi Guys,
Although I can network authenticate against a centos or debian openldap server I seem to be stuck with a gentoo openldap server and a gentoo sssd client unwilling to communicate to each other for some obscure reason.
It used to work in the past but NOT anymore.
Here is my server slapd.conf
Code:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/inetorgperson.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /run/openldap/slapd.pid
argsfile        /run/openldap/slapd.args

# Load dynamic backend modules:
modulepath      /usr/lib64/openldap/openldap
# moduleload    back_sock.so
# moduleload    back_shell.so
# moduleload    back_relay.so
# moduleload    back_passwd.so
# moduleload    back_null.so
# moduleload    back_monitor.so
# moduleload    back_meta.so
moduleload      back_mdb.so
# moduleload    back_ldap.so
# moduleload    back_dnssrv.so


access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to *
        by self write
        by users read
        by anonymous auth


#######################################################################
# BDB database definitions
#######################################################################

database        mdb
suffix          "dc=dharma,dc=maya"
maxsize 10485760
checkpoint      32      30
rootdn          "cn=Manager,dc=dharma,dc=maya"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          {SSHA}8NcrxXVRv1bmu//08Q5GZsVUULqRi8vP
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/openldap-data
# Indices to maintain
index   objectClass     eq
index   uid             pres,eq
index   mail            pres,sub,eq
index   cn              pres,sub,eq
index   sn              pres,sub,eq
index   dc              eq


TLSCertificateFile /etc/openldap/certs/server.crt
TLSCertificateKeyFile /etc/openldap/certs/server.key
TLSCACertificateFile /etc/openldap/certs/ca-certificates.crt

My client sssd.conf:
Code:

[domain/default]

autofs_provider = ldap
cache_credentials = True
krb5_kpasswd = gentoo.dharma.maya
ldap_search_base = dc=dharma,dc=maya
krb5_server = gentoo.dharma.maya
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
krb5_store_password_if_offline = True
ldap_uri = ldap://gentoo.dharma.maya/
krb5_realm = DHARMA.MAYA
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_cacert = /etc/openldap/certs/ca-certificates.crt
ldap_tls_reqcert = never

[sssd]
services = nss, pam, autofs

domains = default
[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

[secrets]

[session_recording]


My client nsswitch.conf:
Code:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
#

passwd:         db files sss
group:          db files sss
initgroups:     db [SUCCESS=continue] files
shadow:         db files sss
gshadow:        files

hosts:          files dns
networks:       files dns

protocols:      db files
services:       db files sss
ethers:         db files
rpc:            db files

netgroup:       db files sss
#automount:  files sss
#sudoers:    files sss

and my client system-auth:
Code:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass                                         #
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so                         #
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok                                            #
password    required      pam_deny.so

session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so                                                        #

and my krb5.conf(in both server and client):
Code:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
pkinit_anchors = /etc/ssl/certs/ca-certificates.crt
 default_realm = DHARMA.MAYA
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 DHARMA.MAYA = {
  kdc = gentoo.dharma.maya
  admin_server = gentoo.dharma.maya
 }

[domain_realm]
 .dharma.maya = DHARMA.MAYA
 dharma.maya = DHARMA.MAYA




Mind you, using this gentoo client I CAN authenticate ldap users against centos or debian ldap servers but NOT my gentoo....
I guess the problem is in the gentoo ldap server configuration. Somehow sssd asks the wrong way and ldap answers the wrong way.
Otherwise the ldap works normally, I can do ldap searches both using ldap:/// and ldaps:///.
And kerberos works just fine..........
Any ideas???
:D


Last edited by alamahant on Mon Dec 16, 2019 9:32 pm; edited 1 time in total
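The sssd.conf in the post above sets `ldap_id_use_start_tls = True` together with `ldap_tls_reqcert = never`; the second setting tells sssd not to verify the server certificate, so StartTLS hides the bind from passive observers but does not authenticate the server. The following is an added example, not code from the thread or from the sssd project: a small audit script that parses an sssd.conf-style file and reports the combinations a defender would want to know about. The embedded config, hostnames and paths are constructed placeholders shaped like the posted one; the defaults for `ldap_tls_reqcert` ("hard") and `ldap_id_use_start_tls` (false) follow the sssd-ldap(5) documentation.

```python
"""Added example (not code from the forum post): audit the TLS-related
settings of an sssd.conf-style file.  The sample config, hostnames and
paths below are constructed placeholders shaped like the one in the thread."""
import configparser
from typing import Dict, List

# Constructed sample in sssd's INI layout: one LDAP identity domain.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ldap.example.test/
ldap_search_base = dc=example,dc=test
ldap_id_use_start_tls = True
ldap_tls_cacert = /etc/openldap/certs/ca-certificates.crt
ldap_tls_reqcert = never
"""

WEAK_REQCERT = {"never", "allow"}  # neither value rejects a bad server certificate


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style; keep option names as written (sssd is case-sensitive)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # type: ignore[assignment]
    cp.read_string(text)
    return cp


def audit_domain(section: configparser.SectionProxy) -> List[str]:
    """Return human-readable findings for one [domain/...] section."""
    findings: List[str] = []
    # ldap_uri is a comma-separated list; an empty value means DNS SRV discovery
    uris = section.get("ldap_uri", "").replace(",", " ").split()
    start_tls = section.get("ldap_id_use_start_tls", "False").strip().lower() == "true"
    # sssd's documented default for ldap_tls_reqcert is "hard"
    reqcert = section.get("ldap_tls_reqcert", "hard").strip().lower()

    if any(u.lower().startswith("ldap://") for u in uris) and not start_tls:
        findings.append("plaintext ldap:// URI without StartTLS: bind credentials and "
                        "directory data cross the network unencrypted")
    if reqcert in WEAK_REQCERT:
        findings.append(f"ldap_tls_reqcert = {reqcert}: the server certificate is not "
                        "verified, so TLS only hides traffic from passive observers")
    elif not (section.get("ldap_tls_cacert") or section.get("ldap_tls_cacertdir")):
        findings.append("no ldap_tls_cacert/ldap_tls_cacertdir: verification relies on "
                        "the system default CA store")
    return findings


def audit_sssd_conf(text: str) -> Dict[str, List[str]]:
    """Audit every [domain/...] section of an sssd.conf and map its name to findings."""
    cp = parse_sssd_conf(text)
    return {s: audit_domain(cp[s]) for s in cp.sections() if s.startswith("domain/")}


if __name__ == "__main__":
    for domain, findings in audit_sssd_conf(SAMPLE_SSSD_CONF).items():
        print(domain, "->", findings or ["no findings"])
```

Run it against a real `/etc/sssd/sssd.conf` by reading the file into `audit_sssd_conf`; the fix for the flagged line is `ldap_tls_reqcert = demand` together with a `ldap_tls_cacert` that actually contains the issuing CA, which is what makes the StartTLS session authenticate the server.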
alamahant (Apprentice)
Joined: 23 Mar 2019
Posts: 262

Posted: Mon Dec 16, 2019 9:31 pm

I did it somehow.
I used slapd.d instead of slapd.conf.
I started slapd with a minimal generic slapd.conf thus:
Code:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include      /etc/openldap/schema/core.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral   ldap://root.openldap.org

pidfile      /run/openldap/slapd.pid
argsfile   /run/openldap/slapd.args

# Load dynamic backend modules:
modulepath   /usr/lib64/openldap/openldap
# moduleload   back_sock.so
# moduleload   back_shell.so
# moduleload   back_relay.so
moduleload   back_passwd.so
# moduleload   back_null.so
moduleload   back_monitor.so
# moduleload   back_meta.so
moduleload   back_mdb.so
# moduleload   back_ldap.so
# moduleload   back_dnssrv.so
moduleload   pw-kerberos.so

# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#      Allow self write access
#      Allow authenticated users read access
#      Allow anonymous users to authenticate
#   Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#   by self write
#   by users read
#   by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none

database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none


database   mdb
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none
suffix      "dc=my-domain,dc=com"
maxsize 10485760
checkpoint   32   30
rootdn      "cn=Manager,dc=my-domain,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw      secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory   /var/lib/openldap-data
# Indices to maintain
index   objectClass   eq
index   uid             pres,eq
index   mail            pres,sub,eq
index   cn              pres,sub,eq
index   sn              pres,sub,eq
index   dc              eq

Then I transformed it from slapd.conf to slapd.d using:
Quote:
slaptest -f slapd.conf -F slapd.d/

Modified /etc/conf.d/slapd to reflect the cn=config modus operandi and
then I only used LDIFs to import the rest of the schema, to assign a root pw, to change the domain, to assign ACLs to the config, monitor and mdb databases, to add the DIT and finally to configure SSL.
I don't know if it was the fact of this cn=config kind of configuration or that I added the monitor and kerberos modules but now.......
IT WORKS!!!...
I can't help but wonder how many people are there who truly understand ldap???
Maybe 5?????
It's a tough cookie, especially the olc mode.
Anyway Thanks Guys
:D
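The bootstrap slapd.conf in the post above carries `rootpw secret` in cleartext and, unlike the first post's config, no TLS directives; the commented block in it also spells out that a database with no `access` directives falls back to "anyone can read anything". Below is an added example, not code from the thread or from the OpenLDAP project, that parses the slapd.conf(5) directive format (continuation lines begin with whitespace and belong to the previous directive), splits the directives into the global section and one block per `database`, and reports those three conditions before the file is converted with `slaptest -f slapd.conf -F slapd.d/`. The sample config, suffix and paths are constructed placeholders modelled on the posted one.

```python
"""Added example (not code from the forum post): parse a slapd.conf and flag
settings that weaken the directory before it is converted to cn=config.
The sample below is constructed; the suffix and paths are placeholders."""
from typing import List, Tuple

Directive = Tuple[str, str]  # (lower-cased directive name, argument string)

# Constructed sample mirroring the layout of the bootstrap config in the thread.
SAMPLE_SLAPD_CONF = """\
include      /etc/openldap/schema/core.schema
pidfile      /run/openldap/slapd.pid
modulepath   /usr/lib64/openldap/openldap
moduleload   back_mdb.so

database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none

database mdb
suffix      "dc=example,dc=test"
rootdn      "cn=Manager,dc=example,dc=test"
rootpw      secret
directory   /var/lib/openldap-data
index       objectClass eq
"""


def parse_slapd_conf(text: str) -> List[Directive]:
    """Split slapd.conf into directives.  Blank lines and '#' lines are ignored;
    a line starting with whitespace continues the previous directive."""
    directives: List[Directive] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # indented '#' lines are treated as comments here, conservatively
        if raw[0] in " \t" and directives:
            name, args = directives[-1]
            directives[-1] = (name, (args + " " + raw.strip()).strip())
            continue
        parts = raw.strip().split(None, 1)
        directives.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return directives


def split_databases(directives: List[Directive]) -> List[Tuple[str, List[Directive]]]:
    """Group directives: everything before the first 'database' is global,
    then one block per database, labelled by its backend type."""
    sections: List[Tuple[str, List[Directive]]] = [("global", [])]
    for name, args in directives:
        if name == "database":
            sections.append((args.split()[0] if args else "?", []))
        sections[-1][1].append((name, args))
    return sections


def audit_slapd_conf(text: str) -> List[str]:
    """Return findings a defender would want to see before deploying the file."""
    findings: List[str] = []
    directives = parse_slapd_conf(text)
    sections = split_databases(directives)
    all_names = {n for n, _ in directives}

    # TLS directives are global options; without them slapd offers neither StartTLS nor ldaps.
    if not {"tlscertificatefile", "tlscertificatekeyfile"} <= all_names:
        findings.append("global: no TLSCertificateFile/TLSCertificateKeyFile, "
                        "so slapd cannot offer StartTLS or ldaps")

    global_has_acl = any(n == "access" for n, _ in sections[0][1])
    for dbtype, block in sections[1:]:
        for name, args in block:
            # slappasswd(8) output starts with a scheme tag such as {SSHA}; a bare word is cleartext.
            if name == "rootpw" and not args.startswith("{"):
                findings.append(f"{dbtype}: rootpw is stored in cleartext; "
                                "generate a hashed value with slappasswd(8)")
        if not global_has_acl and not any(n == "access" for n, _ in block):
            findings.append(f"{dbtype}: no access directives; the default policy "
                            "lets anyone read everything")
    return findings


if __name__ == "__main__":
    for line in audit_slapd_conf(SAMPLE_SLAPD_CONF) or ["no findings"]:
        print(line)
```

On the constructed sample this reports the missing TLS directives, the cleartext `rootpw` and the unprotected mdb database; adding the TLS lines, a `{SSHA}` hash and an `access to *` block for the mdb database clears all three, which is the state worth reaching before running `slaptest` and switching to cn=config.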