openldap why am I not able to id the user account?

thistleknot

2/16/23, 3:14 PM

I followed this openldap guide

https://kifarunix.com/install-and-setup-openldap-on-rocky-linux-8/

Got it all working up until I try to id the user on the client (following this guide: https://kifarunix.com/configure-sssd-for-ldap-authentication-on-rocky-linux-8/)

I get a message about "no such user"

The openldap tutorial lists the objectClass for users.ldif

dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount

and I've noticed other sites use

objectClass: account

(see: https://www.thegeekstuff.com/2015/02/openldap-add-users-groups/ & https://forums.centos.org/viewtopic.php?t=54808)

I've tried it both ways (and even tried including both)

I can do an ldapsearch from the client to the server and query any of those objectClass's

I'm not sure what I'm missing.

I checked my nsswitch.conf and ensured sss was before files for passwd

0 + 0

openldap

kofemann

2/16/23, 10:37 PM

Check that the user is allowed in */etc/security/access.conf*

Score:0

Server

thistleknot

2/20/23, 10:20 PM

I did basic testing and disabled TLS.

My issue was likely in the SSSD.conf and not having the right objectClass as well as matching DN, CN, and OU's

Server

#https://www.server-world.info/en/note?os=CentOS_7&p=openldap
yum -y install openldap-servers openldap-clients firewalld mlocate man --nobest
updatedb
cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG 
chown ldap. /var/lib/ldap/DB_CONFIG 
systemctl start slapd 
systemctl enable slapd
cat <<EOF > chrootpw.ldif 
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: 1234
EOF
ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif 
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
cat <<EOF > chdomain.ldif
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
  read by dn.base="cn=Manager,dc=srv,dc=world" read by * none

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=srv,dc=world

dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=srv,dc=world

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: 1234

dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=srv,dc=world" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=srv,dc=world" write by * read
EOF
ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
cat <<EOF > basedomain.ldif
# replace to your own domain name for "dc=***,dc=***" section

dn: dc=srv,dc=world
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dc: Srv

dn: cn=Manager,dc=srv,dc=world
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=Users,dc=srv,dc=world
objectClass: organizationalUnit
objectClass: top
ou: Users

dn: ou=Groups,dc=srv,dc=world
objectClass: organizationalUnit
objectClass: top
ou: Groups

EOF
ldapadd -x -w 1234 -D cn=Manager,dc=srv,dc=world -f basedomain.ldif
systemctl start firewalld
systemctl enable firewalld
firewall-cmd --add-service=ldap --permanent 
firewall-cmd --reload

cat <<EOF > adam.ldif
dn: uid=adam,ou=Users,dc=srv,dc=world
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: adam
uid: adam
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/adam
loginShell: /bin/bash
gecos: adam
userPassword: 1234
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
EOF
ldapadd -x -w 1234 -D "cn=Manager,dc=srv,dc=world" -f adam.ldif
ldappasswd -s 1234 -w 1234 -D "cn=Manager,dc=srv,dc=world" -x "uid=adam,ou=Users,dc=srv,dc=world"

SSSD.conf [client]

cat <<EOF > /etc/sssd/sssd.conf
[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = default

[sudo]

[nss]

[pam]
offline_credentials_expiration = 60

[domain/default]
ldap_id_use_start_tls = False
cache_credentials = True
ldap_search_base = dc=srv,dc=world
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://ldapmaster
ldap_default_bind_dn = cn=Manager,dc=srv,dc=world
#ldap_default_authtok_type = password
ldap_default_authtok = 1234
#ldap_user_search_base = CN=Users,DC=srv,DC=world
#ldap_tls_reqcert = demand
#ldap_tls_cacert = /etc/pki/tls/cacert.crt
#ldap_tls_cacertdir = /etc/pki/tls
ldap_search_timeout = 50
ldap_network_timeout = 60
#ldap_sudo_search_base = ou=SUDOers,dc=ldapmaster,dc=ldapmaster,dc=com
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
EOF

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: openldap why am I not able to id the user account?

TH: openldap เหตุใดฉันจึงไม่สามารถระบุรหัสบัญชีผู้ใช้ได้

RO: openldap de ce nu pot identifica contul de utilizator?

RU: openldap, почему я не могу идентифицировать учетную запись пользователя?

VI: openldap tại sao tôi không thể id tài khoản người dùng?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.