openldap Offline Authentication

sharfuddin · May 22, 2014, 4:18pm

Hello,

We are running a SLE(Desktop and Server) PoC. We installed the openldap server atop SLES 11 SP 3, and the SLED 11 SP 3 boxes are openldap clients. All is well except customer ask us to configure the Offline Authentication, which we are unable to find and configure yet.

Please help us find and configure the Offline Authentication of openldap client on SLED boxes.

Jens-U · May 22, 2014, 8:21pm

Hi sharfuddin,

please let me say first that I’m not running any SLED boxes, but SLES, Opensuse and some other distros.

What we’re doing in such cases is running an OpenLDAP server on the client system, replicating from the master server. Doesn’t cost much and is available all the time, from the client’s point of view.

If your SLED uses “sssd” (available as of SLED11SP2, if I got that right), there’s the option to enable offline credentials caching within sssd, which might be just what you’re looking for.

With regards,
Jens

sharfuddin · May 23, 2014, 12:54pm

Hello Jens,

Its an opportunity of 300 desktops, so I think it wont much sense to install and run openldap server on each desktop. Also thanks for recommending the “sssd”, which seems the solution, and I’ll update about my findings after playing with “sssd”.

sharfuddin · May 30, 2014, 6:24pm

installed the sssd, and configure the /etc/sssd/sssd.conf as below:

[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://192.168.0.154
ldap_search_base = dc=digital,dc=local
enumerate = false
cache_credentials = true

Users cant login via GDM/GNOME when sled box is offline ;-(, but once I logged in locally as root on this sled box, and on terminal if I tries to logon as an openldap user(who has already logged in) it works, i.e openldap users then logon successfully.
So in a nutshell, offline authentication is working but not from GDM/GNOME. Please help me.

Lawrence1 · June 16, 2016, 2:14pm

Again, responding to an old post hoping the info will help someone.

The online or offline capabilities of the SSSD would not distinguish between authenticating a user in a terminal session or a GDM/GNOME session. The sssd.conf presented is very basic and should work, and since the root user and group are being filtered from the SSSD the pam_unix.so module will always be used to authenticate user root as you are observing.

Not knowing how you deployed the daemon I would first suspect something being off in the PAM configuration. I suspect that whatever is off with the configuration has to do with the pam_gnome_keyring.so module context within the PAM stack. Likely resulting in GDM/GNOME using the previous or local authentication method instead of handing off the authentication tasks to the SSSD.

The pam-config utility can be used post deployment to ensure the pam_sss.so module is in the proper context within the PAM stack and the system is a SSSD aware state post deployment:

pam-config --add --sss

Just to be complete, ensure the following is in place in the /etc/nsswitch.conf file:

passwd compat sss
group compat sss

Hoping it helps,

– lawrence

Topic		Replies	Views
upgrade from SLE 9 SP3 to 11 SP 3 - ldap server upgradation SLES Configure-Administer	4	179	June 16, 2014
SLE 12 and LDAP Authentication SLES Configure-Administer	6	235	June 16, 2016
LDAP User On SLED 12 Client Kick out after login SLED Configure-Administer	1	422	December 15, 2014
LDAP authentication SLES 15 SP3 SLES Configure-Administer	0	458	April 28, 2023
Authenting Users via AD SLES Networking	3	177	November 9, 2013

openldap Offline Authentication

Related Topics