
ldap ssh

by
lelunicu
from LinuxQuestions.org on (#4VN2V)
hi,
I am not able to log in with ssh as the LDAP user cent, although `su - cent` works.
ssh cent@192.168.30.128
cent@192.168.30.128's password:
Permission denied, please try again.

On 192.168.30.128 I set up both the LDAP server and the client.
id cent
uid=1000(cent) gid=1000(Cent) groups=1000(Cent),1070(cent54 nou)

more /etc/sssd/sssd.conf
[domain/example.com]

# NOTE(review): every URI in this section is plain ldap:// and StartTLS is
# switched off, so the simple bind that auth_provider = ldap performs for
# "cent" would carry the password unencrypted. SSSD refuses password
# authentication over an unencrypted LDAP connection unless
# ldap_auth_disable_tls_never_use_in_production is set (sssd-ldap(5)); a
# rejected ssh password while root's "su - cent" (which asks for no password)
# works is consistent with that -- confirm in the domain log,
# /var/log/sssd/sssd_example.com.log. The remedy is TLS
# (ldap_id_use_start_tls = True with a valid ldap_tls_cacert*, or ldaps://),
# not that override.
autofs_provider = ldap
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://192.168.30.128/
ldap_id_use_start_tls = False
# No cached credentials: no offline logins, and the offline_* knobs in [pam]
# below have nothing to act on.
cache_credentials = False
#ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_chpass_uri = ldap://192.168.30.128
ldap_auth_uri = ldap://192.168.30.128
# Duplicates of the ldap_id_use_start_tls / ldap_tls_cacertdir lines above.
ldap_id_use_start_tls = False
#ldap_tls_cacertdir = /etc/openldap/cacerts
# Static allow-list: only user "cent" and members of group "Cent" (gid 1000
# per `id cent`) pass the account phase for this domain.
access_provider = simple
simple_allow_users = cent
simple_allow_groups = Cent
[sssd]
config_file_version = 2
#reconnection_retries = 3
#sbus_timeout = 30
services = nss, pam, autofs
# NOTE(review): "default" is listed here but there is no [domain/default]
# section in this file; sssd logs an error for an unconfigured domain and,
# depending on version, skips it or rejects the configuration -- check the
# sssd log, or drop it from the list.
domains = default, example.com
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
[pam]
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
reconnection_retries = 3
offline_failed_login_delay = 5

# Empty section; autofs is listed in services above but nothing is set here.
[autofs]
more /etc/openldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

# Only consulted for ldaps:// or StartTLS; with the plain ldap:// URI below
# (and TLS disabled in sssd.conf) no certificate is ever checked.
TLS_CACERTDIR /etc/openldap/cacerts

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
# The remaining lines look appended by a tool (authconfig-style): SASL_NOCANON
# is now set twice and the commented URI/BASE are repeated uncommented.
#URI ldap://192.168.30.128/
#BASE dc=example,dc=com
SASL_NOCANON on
# NOTE(review): this file configures the OpenLDAP client tools (ldapsearch
# etc.), not sssd, which reads /etc/sssd/sssd.conf.
URI ldap://192.168.30.128/
BASE dc=example,dc=com

more /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# NOTE(review): stock authconfig stack. For a non-local user with uid >= 1000
# such as cent (uid 1000 per `id cent`), pam_localuser and pam_unix do not
# apply, the requisite pam_succeed_if passes, and pam_sss receives the
# password via forward_pass. Nothing here explains a rejected password; that
# points at the sssd/LDAP side (sssd.conf, the directory entry) instead.
auth required pam_env.so
# Two-second delay after a failed attempt (slows password guessing).
auth required pam_faildelay.so delay=2000000
# (the trailing "quiet" of the next entry is wrapped onto a second line in
# the post; it is a single line in the real file)
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 q
uiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
# LDAP users are accepted or denied by sssd here (access_provider in sssd.conf).
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry
password sufficient pam_unix.so sha512 nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok

password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
# Leading "-" means a missing module is skipped without logging an error.
-session optional pam_systemd.so
# Creates the LDAP user's homeDirectory on first login, with mode 0700.
session optional pam_mkhomedir.so umask=0077
# ("use_uid" below is likewise wrapped in the post; single line in the file)
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet
use_uid
session required pam_unix.so
session optional pam_sss.so

more /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# NOTE(review): identical to /etc/pam.d/password-auth above apart from a
# blank line, i.e. the stock authconfig stack. sshd normally goes through
# password-auth, so this file is probably not on the path of the failing ssh
# login -- confirm against /etc/pam.d/sshd.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
# (the trailing "quiet" of the next entry is wrapped onto a second line in
# the post; it is a single line in the real file)
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 q
uiet
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
# LDAP users (uid >= 1000, not in /etc/passwd) are authenticated by sssd here.
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_pwquality.so try_first_pass local_users_only retry
password sufficient pam_unix.so sha512 nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
# Leading "-" means a missing module is skipped without logging an error.
-session optional pam_systemd.so
session optional pam_mkhomedir.so umask=0077
# ("use_uid" below is likewise wrapped in the post; single line in the file)
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet
use_uid
session required pam_unix.so
session optional pam_sss.so
ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com
# NOTE(review): this search used an anonymous simple bind (-x with no -D), yet
# the cent entry below comes back with its userPassword -- the server ACL lets
# any client read password hashes. The stock slapd rule is
#   access to attrs=userPassword by self write by anonymous auth by * none
# (olcAccess on the database); restoring it does not affect sssd's id
# lookups, which never read userPassword.
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: example

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
# "ou: Groups" looks copied from the entry above; harmless, but misleading.
ou: Groups
ou: people

dn: uid=cent,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Cent
sn: Linux
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/cent
uid: cent
# "::" means ldapsearch base64-encoded the value because it is not a clean
# printable string: decoded it is "{SHA}...kM=" followed by a trailing space.
# NOTE(review): an unsalted {SHA} hash with stray whitespace is worth
# replacing whether or not slapd tolerates the space -- reset it with
# ldappasswd (server default scheme {SSHA}) and test the bind directly with
# `ldapwhoami -x -D uid=cent,ou=people,dc=example,dc=com -W` before retrying
# ssh; if that bind fails, the directory entry is the cause rather than sssd.
userPassword:: e1NIQX00VVoycnNBZ2FkVkVhamJDdUZqTTZaUit6a009IA==

# Primary group of cent; attribute values are case-insensitive, so "Cent"
# here and "cent" in the RDN refer to the same group (gid 1000 in `id cent`).
dn: cn=cent,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: Cent
gidNumber: 1000
memberUid: cent

# Secondary group (gid 1070); two cn values, the second matching the RDN.
dn: cn=cent54 nou,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: Cent57
cn: cent54 nou
gidNumber: 1070
memberUid: cent