PDA

View Full Version : openldap Offline Authentication



sharfuddin
22-May-2014, 14:18
Hello,

We are running a SLE(Desktop and Server) PoC. We installed the openldap server atop SLES 11 SP 3, and the SLED 11 SP 3 boxes are openldap clients. All is well except customer ask us to configure the Offline Authentication, which we are unable to find and configure yet.

Please help us find and configure the Offline Authentication of openldap client on SLED boxes.

jmozdzen
22-May-2014, 18:21
Hi sharfuddin,

please let me say first that I'm not running any SLED boxes, but SLES, Opensuse and some other distros.

What we're doing in such cases is running an OpenLDAP server on the client system, replicating from the master server. Doesn't cost much and is available all the time, from the client's point of view.

If your SLED uses "sssd" (available as of SLED11SP2, if I got that right), there's the option to enable offline credentials caching within sssd, which might be just what you're looking for.

With regards,
Jens

sharfuddin
23-May-2014, 10:54
Hello Jens,

Its an opportunity of 300 desktops, so I think it wont much sense to install and run openldap server on each desktop. Also thanks for recommending the "sssd", which seems the solution, and I'll update about my findings after playing with "sssd".

sharfuddin
30-May-2014, 16:24
installed the sssd, and configure the /etc/sssd/sssd.conf as below:


[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://192.168.0.154
ldap_search_base = dc=digital,dc=local
enumerate = false
cache_credentials = true


Users cant login via GDM/GNOME when sled box is offline ;-(, but once I logged in locally as root on this sled box, and on terminal if I tries to logon as an openldap user(who has already logged in) it works, i.e openldap users then logon successfully.
So in a nutshell, offline authentication is working but not from GDM/GNOME. Please help me.

hangarbait
16-Jun-2016, 12:14
Again, responding to an old post hoping the info will help someone.

The online or offline capabilities of the SSSD would not distinguish between authenticating a user in a terminal session or a GDM/GNOME session. The sssd.conf presented is very basic and should work, and since the root user and group are being filtered from the SSSD the pam_unix.so module will always be used to authenticate user root as you are observing.

Not knowing how you deployed the daemon I would first suspect something being off in the PAM configuration. I suspect that whatever is off with the configuration has to do with the pam_gnome_keyring.so module context within the PAM stack. Likely resulting in GDM/GNOME using the previous or local authentication method instead of handing off the authentication tasks to the SSSD.

The pam-config utility can be used post deployment to ensure the pam_sss.so module is in the proper context within the PAM stack and the system is a SSSD aware state post deployment:

pam-config --add --sss

Just to be complete, ensure the following is in place in the /etc/nsswitch.conf file:

passwd compat sss
group compat sss


Hoping it helps,

-- lawrence