OK, I fixed the ACLs (I think), but it is still not working. I turned on verbose debugging for sssd[pam] and moderate debugging for slapd.
Here are my ACLs in /etc/openldap/slapd.d/cn=config/olcDatabase={2}hdb.ldif:
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn=uid=heller,ou=People,dc=deepsoft,dc=com write by * none
olcAccess: {1}to * by dn=uid=heller,ou=People,dc=deepsoft,dc=com write by * read
There are also these olcAccess entries:
in /etc/openldap/slapd.d/cn=config/olcDatabase={0}config.ldif:
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
and in /etc/openldap/slapd.d/cn=config/olcDatabase={1}monitor.ldif:
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=deepsoft,dc=com" read by * none
Here is sssd.conf:
[domain/default]
autofs_provider = ldap
cache_credentials = True
ldap_search_base = dc=deepsoft,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://192.168.250.98/
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_id_use_start_tls = false

[sssd]
services = nss, pam, autofs
domains = default

[nss]
homedir_substring = /home

[pam]
debug_level = 0x7770
ldap_id_use_start_tls = false

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
Here is the log output from /var/log/sssd/sssd_pam.log:
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [pam_print_data] (0x0100): logon name: pcp
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/default/pcp@default]
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [pam_initgr_check_timeout] (0x4000): User [pcp] not found in PAM cache.
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x7ff2478e9030:3:pcp@default@default]
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [default][0x3][BE_REQ_INITGROUPS][1][name=pcp@default:-]
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x7ff248b52b10
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7ff2478e9030:3:pcp@default@default]
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x7ff248b52b10
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x7ff248b435b0
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [pcp@default]
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7ff248b55910
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7ff248b559d0
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [ldb] (0x4000): Running timer event 0x7ff248b55910 "ltdb_callback"
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [ldb] (0x4000): Destroying timer event 0x7ff248b559d0 "ltdb_timeout"
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [ldb] (0x4000): Ending timer event 0x7ff248b55910 "ltdb_callback"
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/default/pcp] to negative cache
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [10]: User not known to the underlying authentication module.
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [pam_reply] (0x0200): blen: 8
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7ff2478e9030:3:pcp@default@default]
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7ff248b499d0][23]
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x7ff248b499d0][23]
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [client_recv] (0x0200): Client disconnected!
(Wed Sep 20 12:25:01 2017) [sssd[pam]] [client_close_fn] (0x2000): Terminated client [0x7ff248b499d0][23]
and from slapd
● slapd.service - OpenLDAP Server Daemon
   Loaded: loaded (/usr/lib/systemd/system/slapd.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2017-09-20 10:02:58 EDT; 2h 25min ago
     Docs: man:slapd
           man:slapd-config
           man:slapd-hdb
           man:slapd-mdb
           file:///usr/share/doc/openldap-servers/guide.html
  Process: 26003 ExecStart=/usr/sbin/slapd -u ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS (code=exited, status=0/SUCCESS)
  Process: 25964 ExecStartPre=/usr/libexec/openldap/check-config.sh (code=exited, status=0/SUCCESS)
 Main PID: 26005 (slapd)
   CGroup: /system.slice/slapd.service
           └─26005 /usr/sbin/slapd -u ldap -h ldapi:/// ldap://127.0.0.1/ ldap://192.168.250.98/
Sep 20 12:28:01 c764guest.deepsoft.com slapd[26005]: <= bdb_equality_candidates: (uid) not indexed
Sep 20 12:28:01 c764guest.deepsoft.com slapd[26005]: conn=1092 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Sep 20 12:28:01 c764guest.deepsoft.com slapd[26005]: conn=1092 op=3 SRCH base="dc=deepsoft,dc=com" scope=2 deref=0 filter="(&(uid=pcp)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
Sep 20 12:28:01 c764guest.deepsoft.com slapd[26005]: conn=1092 op=3 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey mail
Sep 20 12:28:01 c764guest.deepsoft.com slapd[26005]: <= bdb_equality_candidates: (uid) not indexed
Sep 20 12:28:01 c764guest.deepsoft.com slapd[26005]: conn=1092 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Sep 20 12:28:01 c764guest.deepsoft.com slapd[26005]: conn=1092 op=4 SRCH base="dc=deepsoft,dc=com" scope=2 deref=0 filter="(&(uid=pcp)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
Sep 20 12:28:01 c764guest.deepsoft.com slapd[26005]: conn=1092 op=4 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey mail
Sep 20 12:28:01 c764guest.deepsoft.com slapd[26005]: <= bdb_equality_candidates: (uid) not indexed
Sep 20 12:28:01 c764guest.deepsoft.com slapd[26005]: conn=1092 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
At this point I am totally stuck.
At Robert Heller heller@deepsoft.com wrote:
At Wed, 20 Sep 2017 09:09:23 +0200 Clément OUDOT clement.oudot@savoirfairelinux.com wrote:
On 19/09/2017 at 18:45, Robert Heller wrote:
I am having a hard time setting a user password using ldap (OpenLDAP 2.4.40-13.el7) on a CentOS 7 system.
I have installed OpenLDAP 2.4.40-13.el7 (stock CentOS 7 server and client), nss-pam-ldapd (0.8.13-8.el7) and used authconfig to enable ldap. I have created a user in the ldap database, and getent works just fine -- the uid and gid are seen, etc. But I cannot set the user's password in a way that works for su (and presumably login/slogin, etc.). I am using ldappasswd to set the user's password.
I am thinking that PAM and ldappasswd are using *different* oneway encryption methods and I am guessing I need to update a configuration somewhere (either for pam, sssd, or nslcd), but I am not finding it.
PAM is an LDAP client so does not read the password, it just sends BIND requests and the OpenLDAP server then checks the password by using the hashing method corresponding to the current password value.
Can you check in your server ACLs (olcAccess parameter) that anonymous users have the 'auth' right on the userPassword attribute?
OK, I will check...
--
Clément OUDOT
Free-software consultant, infrastructure and security expert
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot
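As an added illustration (editor's example, not code from the thread or from OpenLDAP), here is a small Python model of how slapd evaluates olcAccess clauses like the poster's: the first `to` clause whose target matches the attribute is selected, and inside it the first matching `by` clause fixes the access level, with an implicit `by * none` when nothing matches. It covers only the `*`/`attrs=` and `self`/`anonymous`/`dn=`/`*` forms seen in the poster's ACLs, and assumes a user entry at uid=pcp,ou=People,dc=deepsoft,dc=com.

```python
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]  # slapd.access(5), low to high; a level grants all below it

# The poster's two olcAccess values from olcDatabase={2}hdb.ldif, as given.
POSTER_ACLS = [
    "{0}to attrs=userPassword by self write by anonymous auth "
    "by dn=uid=heller,ou=People,dc=deepsoft,dc=com write by * none",
    "{1}to * by dn=uid=heller,ou=People,dc=deepsoft,dc=com write by * read",
]

def parse_acl(value):
    """Split one olcAccess value into (<what>, [(<who>, level), ...])."""
    body = re.sub(r"^\{\d+\}\s*to\s+", "", value.strip())
    what, *by_clauses = re.split(r"\s+by\s+", body)
    rules = []
    for clause in by_clauses:
        who, level = clause.rsplit(None, 1)
        # Normalise dn="..." / dn.base="..." to a bare, lower-cased dn=...
        who = re.sub(r'^dn(\.base)?=', "dn=", who).replace('"', "").lower()
        rules.append((who, level))
    return what, rules

def who_matches(who, bind_dn, target_dn):
    """Does this <who> apply to bind_dn (None = anonymous) acting on target_dn?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return bind_dn is not None and bind_dn.lower() == who[3:]
    raise ValueError("unsupported <who> clause: " + who)

def access(acls, bind_dn, target_dn, attr):
    """slapd semantics: the first <to> matching the attribute wins, then its first matching <by>."""
    for value in acls:
        what, rules = parse_acl(value)
        # Only the '*' and attrs=... <what> forms used in the poster's ACLs are modelled.
        if what != "*" and attr.lower() not in what[len("attrs="):].lower().split(","):
            continue
        for who, level in rules:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"  # matching <to> but no matching <by>: implicit 'by * none'
    return "none"  # no <to> matched: slapd's trailing implicit 'access to * by * none'

def allows(acls, bind_dn, target_dn, attr, needed):
    return LEVELS.index(access(acls, bind_dn, target_dn, attr)) >= LEVELS.index(needed)
```

With the clauses in the poster's order an anonymous simple bind gets exactly `auth` on userPassword (enough to bind, not enough to read the hash) while the attributes sssd searches for are readable; swapping the two clauses would let the `to *` rule swallow userPassword and expose the stored hash to anonymous readers.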