I am migrating a sealed MSA from using pam_ldap
to pam_sss
(sssd-ldap). However, pam_sss seems to have having trouble authenticating users without uidNumbers
. I had thought changing ldap_user_object_class
from posixAccount
to top
would fix this, but it has not. Users with uidNumbers seem to be fine. While it is to be expected that sssd would require uidNumbers for nss
, I do not see why they would be necessary for pam
.
syslog facility auth:
Aug 6 11:23:03 centos7-msa-test saslauthd[644]: pam_sss(smtp:auth): received for user non-posix-user: 10 (User not known to the underlying authentication module)
# cat /etc/pam.d/smtp
#%PAM-1.0
auth sufficient pam_sss.so
account sufficient pam_sss.so
# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = pam
domains = example.com-ldap
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/example.com-ldap]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com, _srv_
ldap_user_object_class = top
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=users,dc=example,dc=com?onelevel?
ldap_group_search_base = ou=groups,dc=example,dc=com?onelevel?
ldap_schema = rfc2307bis
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-bundle.crt
$ ldapsearch -ZZ -h ldap.example.com -b ou=users,dc=example,dc=com -s one"(&(uid=non-posix-user)(objectClass=top))"
dn: uid=non-posix-user
objectClass: organizationalRole
objectClass: inetLocalMailRecipient
objectClass: simpleSecurityObject
objectClass: uidObject
cn: non-posix-user
mailLocalAddress: non-posix-user@example.com
mailRoutingAddress: non-posix-users@example.com
mailHost: mailstore.example.com
roleOccupant: uid=posixuser1,ou=users,dc=example,dc=com
roleOccupant: uid=posixuser2,ou=users,dc=example,dc=com
userPassword:: e1NBU0x9bm9uLXBvc2l4LXVzZXJARVhBTVBMRS5DT00K
uid: non-posix-user