Hi!
I discovered an odd problem:
If a user logs in on some clients, the OpenLDAP 2.5 server does not update authTimestamp, while on other clients the timestamp is updated (and synchronized across all servers).
All clients use the same OS (SLES15) and sssd.
The only difference I could find was the order of modules:
services = pam,nss
vs.
services = nss, pam
Sections for [pam] and [nss] are both empty.
Caching credentials is disabled ("false") also.
I thought if sssd authenticates using the OpenLDAP server, the server itself would update the authTimestamp.
Can anybody enlighten me (e.g. how to debug)?
Kind regards, Ulrich Windl
Windl, Ulrich wrote:
> Hi!
> I discovered an odd problem:
> If a user logs in on some clients, the OpenLDAP 2.5 server does not update authTimestamp, while on other clients the timestamp is updated (and synchronized across all servers).
> All clients use the same OS (SLES15) and sssd.
> The only difference I could find was the order of modules:
> services = pam,nss
> vs.
> services = nss, pam

And that alone should have triggered massive red flags in your mind.

> Sections for [pam] and [nss] are both empty.
> Caching credentials is disabled (false) also.
> I thought if sssd authenticates using the OpenLDAP server, the server itself would update the authTimestamp.
> Can anybody enlighten me (e.g. how to debug)?

Set all the machines to a consistent configuration. You should be using
services = pam,nss
Otherwise sssd merely reads userPassword attributes from nss and performs authentication by itself.
openldap-technical@openldap.org
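
One way to check the consistency the reply asks for is to compare the sssd.conf of each client setting by setting. This is an added example, not part of the thread or of sssd: the host names, the `[domain/example]` section, its `id_provider` line and the helper names `load` and `drift` are assumptions, and the two files are constructed samples.

```python
import configparser

# Constructed sample files; host names and the domain name are placeholders.
SAMPLES = {
    "client-a": """
[sssd]
services = pam,nss
[pam]
[nss]
[domain/example]
id_provider = ldap
cache_credentials = false
""",
    "client-b": """
[sssd]
services = nss, pam
[pam]
[nss]
[domain/example]
id_provider = ldap
cache_credentials = false
""",
}

def load(text):
    """Flatten an sssd.conf into {(section, option): value}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    flat = {}
    for section in cp.sections():
        for option, value in cp.items(section):
            # Strip padding inside comma lists but keep their order.
            flat[(section, option)] = ",".join(p.strip() for p in value.split(","))
    return flat

def drift(configs):
    """Return {(section, option): {host: value}} for settings that differ."""
    flat = {host: load(text) for host, text in configs.items()}
    out = {}
    for key in sorted(set().union(*flat.values())):
        values = {host: cfg.get(key) for host, cfg in flat.items()}
        if len(set(values.values())) > 1:
            out[key] = values
    return out

if __name__ == "__main__":
    for (section, option), values in drift(SAMPLES).items():
        print(f"[{section}] {option}: {values}")
```

A setting that is absent on one host is reported with the value `None` for that host, so missing options show up as drift too.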