
I am migrating a sealed MSA from using pam_ldap to pam_sss (sssd-ldap). However, pam_sss seems to be having trouble authenticating users without uidNumbers. I had thought changing ldap_user_object_class from posixAccount to top would fix this, but it has not. Users with uidNumbers seem to be fine. While it is to be expected that sssd would require uidNumbers for nss, I do not see why they would be necessary for pam.

syslog facility auth:

Aug  6 11:23:03 centos7-msa-test saslauthd[644]: pam_sss(smtp:auth): received for user non-posix-user: 10 (User not known to the underlying authentication module)

# cat /etc/pam.d/smtp
#%PAM-1.0
auth    sufficient  pam_sss.so
account sufficient  pam_sss.so

# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = pam
domains = example.com-ldap
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/example.com-ldap]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com, _srv_
ldap_user_object_class = top
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=users,dc=example,dc=com?onelevel?
ldap_group_search_base = ou=groups,dc=example,dc=com?onelevel?
ldap_schema = rfc2307bis
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-bundle.crt

$ ldapsearch -ZZ -h ldap.example.com -b ou=users,dc=example,dc=com -s one "(&(uid=non-posix-user)(objectClass=top))"
dn: uid=non-posix-user
objectClass: organizationalRole
objectClass: inetLocalMailRecipient
objectClass: simpleSecurityObject
objectClass: uidObject
cn: non-posix-user
mailLocalAddress: non-posix-user@example.com
mailRoutingAddress: non-posix-users@example.com
mailHost: mailstore.example.com
roleOccupant: uid=posixuser1,ou=users,dc=example,dc=com
roleOccupant: uid=posixuser2,ou=users,dc=example,dc=com
userPassword:: e1NBU0x9bm9uLXBvc2l4LXVzZXJARVhBTVBMRS5DT00K
uid: non-posix-user

1 Answer


At the moment, SSSD only handles system users, that is, users with IDs. The ID can either be defined in LDAP directly or derived from SID.

Your use-case is not supported by SSSD at the moment, sorry.

jhrozek
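As an added example (not part of the question or the answer), a small pre-migration audit that lists which directory entries will hit the "User not known to the underlying authentication module" path under pam_sss, since SSSD only handles users with an ID. The LDIF sample is constructed, modelled on the entry in the question plus a POSIX account, and the parser is a minimal one written here rather than python-ldap.

```python
"""Flag LDAP entries that SSSD will not treat as users (no uidNumber)."""
import base64

# Constructed LDIF sample: the non-POSIX entry from the question and one posixAccount.
SAMPLE_LDIF = """\
dn: uid=non-posix-user,ou=users,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
objectClass: uidObject
uid: non-posix-user
userPassword:: e1NBU0x9bm9uLXBvc2l4LXVzZXJARVhBTVBMRS5DT00K

dn: uid=posixuser1,ou=users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: posixuser1
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/posixuser1
"""


def parse_ldif(text):
    """Parse plain LDIF into a list of {attr: [values]} dicts (attrs lowercased).
    Handles '::' base64 values and folded continuation lines (leading space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = None
            continue
        current = {} if current is None else current
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):               # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def sssd_incompatible(entries):
    """Return DNs that carry a uid but no uidNumber: pam_sss will reject these."""
    return [e["dn"][0] for e in entries if "uid" in e and "uidnumber" not in e]


if __name__ == "__main__":
    for dn in sssd_incompatible(parse_ldif(SAMPLE_LDIF)):
        print("no uidNumber, will fail under pam_sss:", dn)
```

Run it against the output of `ldapsearch -LLL` over your real user subtree to get the list of accounts that need a uidNumber (or a different authentication path) before switching to sssd.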