I am a very very old SuSE user and I have a very very small problem I have never had before:
I’ve installed the new openSUSE 13.1 on a machine and I wanted to connect to our LDAP server to authenticate users and much more. So I started YaST, installed sssd and gave the required information for LDAP authentication (server, basedn, etc.). We do not have SSL on the LDAP server!
All went well: Yast installed the required software packages and said to use the new authentication feature it is better to restart the machine. I did it. After the restart the problems start:
I cannot log in on ttys and kdm login window with the ldap users. None of them.
If I log in as root and ask for a user with “id”, it gives back the correct data for the specified user from LDAP.
If I log in as root and “su” to a user existing in the LDAP, it works great. It creates the necessary home directory too, with the right permissions I set up at install.
I can search the database with various ldapsearch commands, so it seems that the server is available for this machine too.
I need pam_mount but I have not tried it at all…
I tried to drop sssd and installed nss_ldap and pam_ldap, but they absolutely do not work. I do not know why… I created an /etc/ldap.conf file corresponding to the old files on former SUSE installs. On the older machines nss_ldap and pam_ldap work well (releases: 12.1, 11.3, 11.1). But 13.1 seems to ignore the pam_ldap.so lines in the pam files (/etc/pam.d/…), and even weirder behaviour is that the “id” command also does not work.
Does anyone know what happened with nss_ldap and pam_ldap in this new version?
Does anyone know why sssd does not work fully but only half way (only “id” and “su” work)?
Where can I get detailed documentation?
Is this normal operation or is it a bug? If it will not work I have to change the distribution. Ubuntu works well with LDAP.
I have tried what vola wrote and it works! Here is the full list of steps (it doesn’t matter if you installed sssd or not):
zypper install pam_ldap nss_ldap
edit /etc/ldap.conf for your needs. LDAP-server and its settings, etc.
same as vola’s 3rd row: “compat ldap” to passwd & group in /etc/nsswitch.conf
same as vola’s 2nd row: pam-config --add --ldap
same as vola’s 4th row: insert “session optional pam_mkhomedir.so umask=0077 skel=/etc/skel/” as the first line (of course after the comments) in /etc/pam.d/common-session
So it works well, but there’s a problem: has anyone met the problem that, if one uses LDAP, Mozilla Thunderbird crashes at startup? The problem: Thunderbird uses the deprecated getpwent() function, which will not give back any information anymore if one’s users are in the LDAP database! If you run this command:
getent passwd | grep USERNAME >> /etc/passwd
Thunderbird starts to work again! HOW CAN I GET IT FIXED??? Why does Thunderbird require the user existence in /etc/passwd file???
I had a different problem with sssd and found your thread via search.
My problem was that LDAP users or groups did not show up with getent passwd or getent group.
Since this is my standard “it works” check I discarded sssd and went back to normal ldap.
Finally I found by chance that su works anyways and I had to switch on enumeration (via yast ldap client config or directly in /etc/sssd/sssd.conf) for getent to work.
I can report that gdm or su login for LDAP users works with sssd. If you want to try again and need a config example, let me know (but expect delays).
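As an added example that is not part of any post in this thread: the nsswitch.conf and common-session edits from the step list above, and the sssd enumeration switch from the reply above, as idempotent shell functions that operate on whichever file paths are passed in, so they can be tried on copies before touching /etc. The sssd key name "enumerate" is not quoted in the thread and is assumed here; the script name is hypothetical.

```shell
#!/bin/sh
# Added example (not code from the thread): applies the nsswitch and PAM edits
# from the step list, plus the sssd enumeration switch from the later reply,
# to files given as arguments so they can be tried on copies before /etc.
# Assumes POSIX sh and awk; "enumerate" is assumed to be sssd.conf's option
# name, since the thread does not quote it.

# Set passwd and group lookups to "compat ldap" in an nsswitch.conf file.
nsswitch_add_ldap() {
    awk '
        /^(passwd|group):/ {
            split($0, a, ":"); seen[a[1]] = 1
            # Leave the line alone if "ldap" is already one of its sources.
            if ($0 !~ /[ \t]ldap([ \t]|$)/) $0 = a[1] ": compat ldap"
        }
        { print }
        END { if (!seen["passwd"]) print "passwd: compat ldap"
              if (!seen["group"])  print "group: compat ldap" }' "$1" > "$1.tmp" &&
    mv "$1.tmp" "$1"
}

# Put the pam_mkhomedir line first in common-session (after leading comments)
# so the home directory exists before the remaining session modules run.
pam_add_mkhomedir() {
    line='session optional pam_mkhomedir.so umask=0077 skel=/etc/skel/'
    grep -q 'pam_mkhomedir\.so' "$1" && return 0    # already present: no-op
    awk -v l="$line" '
        !done && $0 !~ /^[ \t]*(#|$)/ { print l; done = 1 }
        { print }
        END { if (!done) print l }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Force "enumerate = true" in every [domain/...] section of an sssd.conf so
# "getent passwd" lists LDAP users. Caveat: sssd then fetches the whole user
# and group set on a timer, which is slow against a large directory.
sssd_enable_enumeration() {
    awk '
        /^\[/ { indom = ($0 ~ /^\[domain\//); print
                if (indom) print "enumerate = true"; next }
        indom && /^[ \t]*enumerate[ \t]*=/ { next }   # drop the old value
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Usage (hypothetical script name):
#   sh ldap-client-setup.sh nsswitch.conf common-session sssd.conf
if [ "$#" -eq 3 ]; then
    nsswitch_add_ldap "$1"; pam_add_mkhomedir "$2"; sssd_enable_enumeration "$3"
fi
```

Running each function twice on the same file leaves it unchanged, which is what lets the steps be re-applied safely after a package update rewrites the defaults.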