SSSD & LDAP authentication


Solution 1

ldap_id_use_start_tls = true

is definitely wrong.

In order to encrypt your network traffic to LDAP you have two choices:

  • Older SSL on port 636
  • Newer StartTLS on port 389 (connection starts in plain then upgrades to TLS)

StartTLS and SSL are mutually exclusive.

Try removing the offending line.

Solution 2

ldap_access_filter looks weird. Try without it.
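As an added example (editor's code, not from either answer and not part of the original post), here is a small Python checker that applies both points above to an sssd.conf domain section. It parses the configuration with configparser, flags ldap_id_use_start_tls = true combined with an ldaps:// ldap_uri (LDAPS and StartTLS being mutually exclusive), and runs ldap_access_filter through a minimal RFC 4515 filter parser, which rejects (&(object)(object)) because (object) carries no attribute comparison. POSTED_CONFIG is the domain section from the question trimmed to the relevant keys; LDAPS_CONFIG and STARTTLS_CONFIG are constructed corrected variants, one per encryption mode. The filter parser is simplified: it assumes any ')' inside a value is escaped as \29, as RFC 4515 requires.

```python
import configparser
import re
from urllib.parse import urlparse

# Constructed sample input: the [domain/LDAP] section as posted, trimmed to the
# keys the checks below look at.
POSTED_CONFIG = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
ldap_tls_reqcert = demand
auth_provider = ldap
id_provider = ldap
ldap_id_use_start_tls = true
ldap_uri = ldaps://hostname:636/
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_access_filter = (&(object)(object))
"""

# Constructed corrected variant 1: LDAPS on 636, StartTLS option removed.
LDAPS_CONFIG = """\
[domain/LDAP]
id_provider = ldap
ldap_uri = ldaps://hostname:636/
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
"""

# Constructed corrected variant 2: plain ldap:// on 389 upgraded with StartTLS.
STARTTLS_CONFIG = """\
[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://hostname:389/
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
"""

# One RFC 4515 filter item: attribute, comparison operator, value ("*" = presence).
_ITEM_RE = re.compile(r"^[A-Za-z][A-Za-z0-9.;-]*(~=|>=|<=|=).*$")


def _parse(filt, i):
    # Parse one parenthesised component starting at filt[i] and return the offset
    # just past its closing ')'. Assumes ')' inside values is escaped as \29.
    if i >= len(filt) or filt[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(filt) and filt[i] in "&|":          # AND / OR: one or more nested filters
        i += 1
        if i >= len(filt) or filt[i] != "(":
            raise ValueError(f"'&'/'|' needs a nested filter at offset {i}")
        while i < len(filt) and filt[i] == "(":
            i = _parse(filt, i)
    elif i < len(filt) and filt[i] == "!":         # NOT: exactly one nested filter
        i = _parse(filt, i + 1)
    else:                                          # leaf item such as uid=* or cn=foo
        j = filt.find(")", i)
        if j < 0:
            raise ValueError(f"unterminated filter item at offset {i}")
        if not _ITEM_RE.match(filt[i:j]):
            raise ValueError(f"'({filt[i:j]})' is not an attribute comparison")
        i = j
    if i >= len(filt) or filt[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def filter_error(filt):
    """Return None if filt is a well-formed LDAP search filter, else a message."""
    try:
        end = _parse(filt, 0)
    except ValueError as exc:
        return str(exc)
    return None if end == len(filt) else f"trailing text at offset {end}"


def check_domain(cfg_text, domain="LDAP"):
    """Return a list of findings for the [domain/<domain>] section of cfg_text."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(cfg_text)
    sec = cp[f"domain/{domain}"]
    findings = []
    # ldap_uri may be a comma-separated list; all entries share one TLS mode.
    schemes = {urlparse(u.strip()).scheme.lower()
               for u in sec.get("ldap_uri", "").split(",") if u.strip()}
    start_tls = sec.getboolean("ldap_id_use_start_tls", fallback=False)
    if "ldaps" in schemes and start_tls:
        findings.append("ldap_id_use_start_tls = true with an ldaps:// URI: LDAPS and "
                        "StartTLS are mutually exclusive; drop the option or use ldap://")
    if "ldap" in schemes and not start_tls:
        findings.append("ldap:// URI without StartTLS: directory traffic is sent in clear")
    filt = sec.get("ldap_access_filter")
    if filt is not None and filter_error(filt):
        findings.append(f"ldap_access_filter is malformed: {filter_error(filt)}")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONFIG), ("ldaps", LDAPS_CONFIG),
                       ("starttls", STARTTLS_CONFIG)):
        print(name, check_domain(text) or ["no findings"])
```

Run against the posted section the checker reports both problems; either corrected variant passes clean. Pick one mode and keep ldap_uri and ldap_id_use_start_tls consistent with it; with ldap_tls_reqcert = demand, a failed TLS handshake in either mode shows up in the SSSD log as the server's port being marked 'not working', as in the question.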


Author: jamesb7

Updated on September 18, 2022

Comments

  • jamesb7 over 1 year

    I’m currently working on deploying OpenLDAP and SSSD for authentication. When I try to id a user that is stored within LDAP I get the response no such user.

    The user has been added to LDAP correctly and I can perform an ldapsearch -ZZ and find the user.

    I have tried running sssd -i -d9 and get the following response when trying to id the user:

    [sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x418850:1:ldaptest@LDAP]
    [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [LDAP][4097][1][name=ldaptest]
    [sssd[nss]] [sbus_add_timeout] (0x2000): 0x22e3960
    [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x418850:1:ldaptest@LDAP]
    [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0xcfac90
    [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
    [sssd[be[LDAP]]] [sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
    [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
    [sssd[be[LDAP]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [getAccountInfo]
    [sssd[be[LDAP]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=ldaptest]
    [sssd[be[LDAP]]] [be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast reply - offline
    [sssd[be[LDAP]]] [be_req_set_domain] (0x0400): Changing request domain from [LDAP] to [LDAP]
    [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x22e3960
    [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x22db230
    [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
    [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 1 errno: 11 error message: Fast reply - offline
    [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
    Error: 1, 11, Fast reply - offline
    Will try to return what we have in cache
    [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x418850:1:ldaptest@LDAP]
    [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x22da6d0][20]
    
    
    [sssd[be[LDAP]]] [fo_set_port_status] (0x0100): Marking port 636 of server 'hostname' as 'not working'
    [sssd[be[LDAP]]] [fo_set_port_status] (0x0400): Marking port 636 of duplicate server 'hostname' as 'not working'
    [sssd[be[LDAP]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
    [sssd[be[LDAP]]] [get_server_status] (0x1000): Status of server 'hostname' is 'name resolved'
    [sssd[be[LDAP]]] [get_port_status] (0x1000): Port status of port 636 for server 'hostname' is 'not working'
    [sssd[be[LDAP]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
    [sssd[be[LDAP]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
    [sssd[be[LDAP]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
    [sssd[be[LDAP]]] [be_mark_offline] (0x2000): Going offline!
    [sssd[be[LDAP]]] [be_ptask_create] (0x0400): Periodic task [Check if online (periodic)] was created
    [sssd[be[LDAP]]] [be_ptask_schedule] (0x0400): Task [Check if online (periodic)]: scheduling task 78 seconds from now [1438098389]
    [sssd[be[LDAP]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
    [sssd[be[LDAP]]] [sdap_id_op_connect_done] (0x4000): notify offline to op #1
    [sssd[nss]] [sbus_remove_timeout] (0x2000): 0xe6d960
    [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0xe65230
    [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
    [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 1 errno: 11 error message: Offline
    [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
    

    The hostname hostname resolves and port 636 is definitely open (I have turned iptables off and am also able to telnet to it).

    The following is my sssd config file:

    [sssd]
    config_file_version = 2
    services = nss, pam
    domains = LDAP
    
    [nss]
    filter_users = root, ldap, named
    
    [pam]
    
    # LDAP domain
    [domain/LDAP]
    
    ldap_tls_reqcert = demand
    auth_provider = ldap
    ldap_schema = rfc2307bis
    ldap_search_base = dc=test,dc=domain
    ldap_group_member = uniquemember
    id_provider = ldap
    ldap_id_use_start_tls = true
    chpass_provider = ldap
    ldap_uri = ldaps://hostname:636/
    ldap_chpass_uri = ldaps://hostname:636/
    cache_credentials = true
    ldap_tls_cacertdir = /etc/openldap/cacerts/
    ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
    entry_cache_timeout = 600
    ldap_network_timeout = 3
    ldap_access_filter = (&(object)(object))
    

    I have been unsuccessful in finding answers in Google. Any pointers towards a solution would be greatly appreciated.

    Many Thanks.

    • ptman
      ptman almost 8 years
      Please add an example LDAP object in the question.