openSUSE 13.1 - Cannot log in with LDAP user as a client

Hi All!

I am a very, very old SuSE user and I have a very, very small problem I have never had before:

I’ve installed the new openSUSE 13.1 on a machine and I wanted to connect to our LDAP server to authenticate users and much more. So I started YaST, installed sssd and gave the required information for LDAP authentication (server, base DN, etc.). We do not have SSL on the LDAP server!

All went well: YaST installed the required software packages and said that to use the new authentication feature it is better to restart the machine. I did so. After the restart the problems started:

  • I cannot log in on ttys or in the kdm login window with the LDAP users. None of them.
  • If I log in as root and ask for a user with “id”, it gives back the correct data for the specified user from LDAP.
  • If I log in as root and “su” to a user existing in LDAP, it works great. It creates the necessary home directory too, with the right permissions I’ve set up at install.
  • I can search the database with various ldapsearch commands, so it seems that the server is available for this machine too.
  • I need pam_mount but I have not tried it at all…

I tried to drop sssd and installed nss_ldap and pam_ldap, but they absolutely do not work. I do not know why… I created the /etc/ldap.conf file corresponding to the old files on former SuSE installs. On the older machines nss_ldap and pam_ldap work well (releases: 12.1, 11.3, 11.1). But 13.1 seems to ignore the pam_ldap.so lines in the PAM files (/etc/pam.d/…), and an even weirder behaviour is that the “id” command also does not work.

  • Does anyone know what happened with nss_ldap and pam_ldap in this new version?
  • Does anyone know why sssd does not work fully but only halfway (only “id” and “su” work)?
  • Where can I find detailed documentation?
  • Is this normal operation or is it a bug? If it will not work I will have to change distribution. Ubuntu works well with LDAP.

Thanks in advance,
János

Same problem here, did you find any solution?

Ohh, I just forgot to install the nss_ldap package… :slight_smile:

Everything works well for me. I followed these steps:

  1. cat old ldap.conf > /etc/ldap.conf
  2. pam-config --add --ldap
  3. “compat ldap” to passwd & group in /etc/nsswitch.conf
  4. insert “session optional pam_mkhomedir.so umask=0077 skel=/etc/skel/” as the first line (of course after the comments) in /etc/pam.d/common-session

nscd
getent passwd

Voilà! :smiley:

I have some issues on KDE gui, but I think I will fix that in a few minutes.

OOOOOPS! I’ll try this! Thanks. But I’ve installed nss_ldap beside the pam_ldap package… The steps you wrote were missing on my side.
Thanks

Whether it helps or not, I’ll report back!

János

Dear ALL!

I have tried what Vola wrote and it works! Here is the full list of steps (it doesn’t matter whether you installed sssd or not):

  1. zypper install pam_ldap nss_ldap
  2. edit /etc/ldap.conf for your needs: LDAP server and its settings, etc.
  3. same as Vola’s 3rd step: “compat ldap” to passwd & group in /etc/nsswitch.conf
  4. same as Vola’s 2nd step: pam-config --add --ldap
  5. same as Vola’s 4th step: insert “session optional pam_mkhomedir.so umask=0077 skel=/etc/skel/” as the first line (of course after the comments) in /etc/pam.d/common-session

So it works well, but there’s a problem: has someone met the problem that if one uses LDAP, Mozilla Thunderbird crashes at startup? The problem: Thunderbird uses the deprecated getpwent() function, which will not give back any information anymore if one’s users are in the LDAP database! If you run this command:

getent passwd | grep USERNAME >> /etc/passwd

Thunderbird starts to work again! HOW CAN I GET IT FIXED??? Why does Thunderbird require the user to exist in the /etc/passwd file???

Thanks,
János
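The nsswitch.conf and common-session edits from the steps above, as an added example that is not from this thread or from openSUSE: two POSIX shell helpers that apply the edits idempotently (safe to re-run, keeping a .bak copy of the original), plus a getent check for a single account. The function names and the convention of passing the file path as an argument are my own; run them on copies of the files first, then on the real ones under /etc. The zypper, pam-config and /etc/ldap.conf steps stay as the post gives them.

```shell
#!/bin/sh
# Added example, not from the thread: idempotent helpers for the
# nsswitch.conf and /etc/pam.d/common-session edits described above.
# Each function takes the path of the file to change (assumption: you
# pass /etc/nsswitch.conf and /etc/pam.d/common-session, or test copies).

# Ensure "ldap" is listed on the passwd: and group: lines, e.g.
# "passwd: compat" becomes "passwd: compat ldap". Other lines untouched.
nss_add_ldap() {
    f="$1"
    cp -p "$f" "$f.bak"            # keep the original next to the edited file
    awk '
        /^(passwd|group):/ && $0 !~ /[ \t]ldap([ \t]|$)/ { $0 = $0 " ldap" }
        { print }
    ' "$f.bak" > "$f"
}

# Insert the pam_mkhomedir line as the first non-comment, non-blank line of
# common-session, unless a pam_mkhomedir line is already present.
# umask=0077 makes each newly created home directory private to its owner.
pam_add_mkhomedir() {
    f="$1"
    line='session optional pam_mkhomedir.so umask=0077 skel=/etc/skel/'
    if grep -q 'pam_mkhomedir.so' "$f"; then
        return 0                   # already configured: nothing to do
    fi
    cp -p "$f" "$f.bak"
    awk -v ins="$line" '
        !done && $0 !~ /^#/ && $0 !~ /^[ \t]*$/ { print ins; done = 1 }
        { print }
        END { if (!done) print ins }   # file had only comments: append
    ' "$f.bak" > "$f"
}

# The "it works" check from the thread for one account: succeeds (exit 0)
# when NSS can resolve the user, which exercises the nsswitch.conf change.
check_ldap_user() {
    getent passwd "$1" > /dev/null
}

# Example invocation (uncomment to apply to the live system as root):
# nss_add_ldap /etc/nsswitch.conf
# pam_add_mkhomedir /etc/pam.d/common-session
# nscd -i passwd && check_ldap_user someldapuser && echo "user resolves"
```

After changing nsswitch.conf, restart or invalidate nscd (the post runs nscd before getent) so the old cached lookups are dropped; otherwise a negative cache entry can make check_ldap_user fail for a while even though the configuration is now correct.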

I found a solution to this Thunderbird problem in a Bugzilla ticket:

ln -s /usr/lib64/libldap-2.4.so.2.8.5 /usr/lib64/thunderbird/libldap60.so (the first version number can be different)

Here is the full topic: https://bugzilla.mozilla.org/show_bug.cgi?id=708222
Comments 7 and 8 gave me the idea.

But after a Thunderbird update this change can be lost… or you can write a cronjob to be sure this soft link remains after every reboot! :slight_smile:

Thank you!
I’ll try this as soon as possible!

Dear Vola!

It is fantastic! It works! Here is the full list of what anyone has to do if they have got into this idiotic situation:

  1. Rename the “real” /usr/lib/thunderbird/libldap60.so file to /usr/lib64/thunderbird/libldap60.so.ori or any name you want
  2. Make the link Vola mentioned… ln -s /usr/lib64/libldap-2.4.so.2.8.5 /usr/lib64/thunderbird/libldap60.so
  3. Start Thunderbird. You made it!!!

It is absolutely unbelievable that this problem has been around for long, long years. I cannot believe it couldn’t be fixed for years…

Thanks a lot, Vola!
János
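Vola’s symlink workaround, as an added example that is not from this thread or from Mozilla: a shell function that finds the system libldap at run time instead of hard-coding the 2.4.so.2.8.5 version (the post notes the number differs between systems), moves the bundled library aside under .ori the first time only, and does nothing when the link already points at the right file, so it can be run repeatedly from the cron job or boot-time hook suggested above without clobbering the backup. The directory arguments and the function name are my own.

```shell
#!/bin/sh
# Added example, not from the thread: replace Thunderbird's bundled
# libldap60.so with a symlink to the system libldap, idempotently.
# Arguments (assumed): system library dir, Thunderbird library dir,
# e.g. link_system_libldap /usr/lib64 /usr/lib64/thunderbird

link_system_libldap() {
    libdir="$1"
    tbdir="$2"
    # Resolve the real libldap file present on this machine rather than
    # assuming a particular version; ls sorts names, so take the last one.
    target=$(ls "$libdir"/libldap-2.4.so.2* 2>/dev/null | tail -n 1)
    if [ -z "$target" ]; then
        echo "no system libldap-2.4.so.2* found in $libdir" >&2
        return 1
    fi
    link="$tbdir/libldap60.so"
    # Already correct: leave everything alone (safe from cron / at boot).
    if [ -L "$link" ] && [ "$(readlink "$link")" = "$target" ]; then
        return 0
    fi
    # First run: keep the bundled library so the change can be reverted.
    if [ -f "$link" ] && [ ! -L "$link" ]; then
        mv "$link" "$link.ori"
    fi
    ln -sfn "$target" "$link"      # -f replaces a stale link after an update
}

# Example invocation (uncomment to apply to the live system as root):
# link_system_libldap /usr/lib64 /usr/lib64/thunderbird
```

Because the function only renames the bundled file when it is a regular file, a Thunderbird update that ships a fresh libldap60.so gets backed up again and re-linked on the next run, while a run that finds the link already correct changes nothing.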

Hi,

I had a different problem with sssd and found your thread via search.

My problem was that LDAP users or groups did not show up with getent passwd or getent group.
Since this is my standard “it works” check, I discarded sssd and went back to normal LDAP.

Finally I found by chance that su works anyway, and I had to switch on enumeration (via the YaST LDAP client config or directly in /etc/sssd/sssd.conf) for getent to work.

I can report that gdm or su login for LDAP users works with sssd. If you want to try again and need a config example, let me know (but expect delays).
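The enumeration switch described in the post above, as an added example that is not from this thread or from the sssd project: a pair of shell helpers that check whether every [domain/...] section of an sssd.conf carries "enumerate = true" (the sssd option the post refers to) and, if not, add or correct it while keeping a .bak copy. The file path argument and the function names are my own; the sample configuration in the test is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: inspect and switch on sssd
# enumeration in the given sssd.conf (assumption: /etc/sssd/sssd.conf or
# a copy). With enumeration off, "getent passwd" lists no LDAP accounts
# even though "getent passwd USER", id and su resolve them individually.

# Exit 0 when every [domain/...] section has "enumerate = true"
# (the value is matched case-insensitively, as sssd accepts True/true).
sssd_enumerate_enabled() {
    awk '
        /^\[/ {
            if (indom && !seen) missing = 1
            indom = ($0 ~ /^\[domain\//)
            seen = 0
        }
        indom && tolower($0) ~ /^[ \t]*enumerate[ \t]*=[ \t]*true[ \t]*$/ { seen = 1 }
        END {
            if (indom && !seen) missing = 1
            exit (missing ? 1 : 0)
        }
    ' "$1"
}

# Set "enumerate = true" in every [domain/...] section: an existing
# enumerate line is rewritten in place, a missing one is appended to the
# end of that section. No-op when already enabled; otherwise keeps a .bak.
sssd_set_enumerate() {
    f="$1"
    sssd_enumerate_enabled "$f" && return 0
    cp -p "$f" "$f.bak"
    awk '
        function flush() { if (indom && !seen) print "enumerate = true" }
        /^\[/ { flush(); indom = ($0 ~ /^\[domain\//); seen = 0 }
        indom && tolower($0) ~ /^[ \t]*enumerate[ \t]*=/ { $0 = "enumerate = true"; seen = 1 }
        { print }
        END { flush() }
    ' "$f.bak" > "$f"
}

# Example invocation (uncomment to apply to the live system as root,
# then restart sssd and re-run "getent passwd" as the post does):
# sssd_set_enumerate /etc/sssd/sssd.conf
```

Enumeration makes sssd pull the whole user and group list from the directory, which is what a bare getent needs; on a large directory that is a noticeable load on both client and server, so the check function is useful on its own when you only want to know why getent shows nothing.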

Would you be so kind as to share your config for LDAP+sssd? I am still struggling to make it work.

Hi, would you be able to show an example SSSD config? I am particularly interested in using eDirectory as the LDAP store.