SSSD & LDAP authentication
Solution 1
ldap_id_use_start_tls = true is definitely wrong.
In order to encrypt your network traffic to LDAP you have two choices:
- Older SSL on port 636
- Newer StartTLS on port 389 (connection starts in plain then upgrades to TLS)
StartTLS and SSL are mutually exclusive.
Try removing the offending line.
Solution 2
ldap_access_filter looks weird. Try without it.
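Both answers point at the same [domain/LDAP] section, so one added check serves both. The Python script below is an added example, not code from the page or from SSSD: it parses a domain section with the standard library, flags the ldaps:// plus ldap_id_use_start_tls combination from Solution 1, and validates ldap_access_filter against the RFC 4515 filter grammar, which is what makes Solution 2's (&(object)(object)) "look weird" (a filter item needs an attribute, an operator and a value). The two configurations embedded in it are constructed and only mirror the shape of the poster's file; "hostname" is the poster's own placeholder. The access_provider check is taken from the sssd-ldap man page: ldap_access_filter is only consulted when access_provider = ldap, so in the posted file it would be ignored even if it were well-formed.

```python
"""Lint an sssd.conf domain section for the problems the two answers point at.

Added example, not code from the page or from SSSD. The sample configurations
are constructed and only mirror the shape of the poster's sssd.conf.
"""
import configparser
import re
from urllib.parse import urlsplit

# One RFC 4515 filter item: attribute description (optionally with a matching
# rule after ':') followed by a comparison operator. "(object)" has no operator
# and therefore must not match.
_ITEM = re.compile(r"^[A-Za-z][\w.;:\-]*(~=|>=|<=|=)")


def _parse(s, i):
    """Parse one parenthesised filter starting at s[i]; return the index past it."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|":          # and / or: zero or more sub-filters
        i += 1
        while i < len(s) and s[i] == "(":
            i = _parse(s, i)
    elif i < len(s) and s[i] == "!":         # not: exactly one sub-filter
        i = _parse(s, i + 1)
    else:                                    # simple item; a ')' in a value must be escaped as \29
        j = s.find(")", i)
        if j < 0:
            raise ValueError("unterminated filter item")
        if not _ITEM.match(s[i:j]):
            raise ValueError(f"{s[i:j]!r} is not attr=value")
        i = j
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def valid_filter(s):
    """True if s is exactly one complete, well-formed RFC 4515 search filter."""
    try:
        return _parse(s, 0) == len(s)
    except ValueError:
        return False


def lint_domain(conf_text, domain="LDAP"):
    """Return (option, problem) pairs for [domain/<domain>]; an empty list means clean."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    sec = cp[f"domain/{domain}"]
    findings = []

    # ldap_uri may list several servers; the scheme of the first one decides.
    uri = sec.get("ldap_uri", "").split(",")[0].strip()
    scheme = urlsplit(uri).scheme.lower()
    start_tls = sec.getboolean("ldap_id_use_start_tls", fallback=False)
    if scheme == "ldaps" and start_tls:
        findings.append(("ldap_id_use_start_tls",
                         "ldaps:// is already TLS; StartTLS is for ldap:// on 389, pick one"))
    if scheme == "ldap" and not start_tls:
        findings.append(("ldap_uri",
                         "ldap:// without ldap_id_use_start_tls sends identity lookups in clear text"))
    # SSSD's default is "hard", which is equivalent to "demand"; anything else skips verification.
    if sec.get("ldap_tls_reqcert", "hard").lower() not in ("demand", "hard"):
        findings.append(("ldap_tls_reqcert", "server certificate is not verified; use demand"))

    flt = sec.get("ldap_access_filter")
    if flt is not None:
        if sec.get("access_provider", "").lower() != "ldap":
            findings.append(("ldap_access_filter", "has no effect unless access_provider = ldap"))
        if not valid_filter(flt):
            findings.append(("ldap_access_filter", f"{flt} is not a valid RFC 4515 filter"))
    return findings


# Constructed: the relevant lines of the posted configuration.
BAD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://hostname:636/
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_access_filter = (&(object)(object))
"""

# Constructed: the same section with the StartTLS line dropped and a real filter.
GOOD_CONF = """\
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldaps://hostname:636/
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_access_filter = (&(objectClass=posixAccount)(uid=*))
"""

if __name__ == "__main__":
    for name, conf in (("as posted", BAD_CONF), ("corrected", GOOD_CONF)):
        print(f"{name}:", lint_domain(conf) or "clean")
```

The linter only reads the file; it does not replace SSSD's own checks or tell you whether the server at port 636 actually accepts the connection, which is what the debug log below is about. Run it against /etc/sssd/sssd.conf by passing the file contents to lint_domain with the domain name from your [sssd] section.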
jamesb7
Updated on September 18, 2022
Comments
-
jamesb7 over 1 year
I'm currently working on deploying OpenLDAP and SSSD for authentication. When I try to id a user that is stored within LDAP I get the response "no such user". The user has been added to LDAP correctly and I can perform an ldapsearch -ZZ and find the user. I have tried running sssd -i -d9 and get the following response when trying to id the user:
[sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x418850:1:ldaptest@LDAP]
[sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [LDAP][4097][1][name=ldaptest]
[sssd[nss]] [sbus_add_timeout] (0x2000): 0x22e3960
[sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x418850:1:ldaptest@LDAP]
[sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0xcfac90
[sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[be[LDAP]]] [sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
[sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
[sssd[be[LDAP]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [getAccountInfo]
[sssd[be[LDAP]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=ldaptest]
[sssd[be[LDAP]]] [be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast reply - offline
[sssd[be[LDAP]]] [be_req_set_domain] (0x0400): Changing request domain from [LDAP] to [LDAP]
[sssd[nss]] [sbus_remove_timeout] (0x2000): 0x22e3960
[sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x22db230
[sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 1 errno: 11 error message: Fast reply - offline
[sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 1, 11, Fast reply - offline Will try to return what we have in cache
[sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x418850:1:ldaptest@LDAP]
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x22da6d0][20]
[sssd[be[LDAP]]] [fo_set_port_status] (0x0100): Marking port 636 of server 'hostname' as 'not working'
[sssd[be[LDAP]]] [fo_set_port_status] (0x0400): Marking port 636 of duplicate server 'hostname' as 'not working'
[sssd[be[LDAP]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
[sssd[be[LDAP]]] [get_server_status] (0x1000): Status of server 'hostname' is 'name resolved'
[sssd[be[LDAP]]] [get_port_status] (0x1000): Port status of port 636 for server 'hostname' is 'not working'
[sssd[be[LDAP]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
[sssd[be[LDAP]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
[sssd[be[LDAP]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
[sssd[be[LDAP]]] [be_mark_offline] (0x2000): Going offline!
[sssd[be[LDAP]]] [be_ptask_create] (0x0400): Periodic task [Check if online (periodic)] was created
[sssd[be[LDAP]]] [be_ptask_schedule] (0x0400): Task [Check if online (periodic)]: scheduling task 78 seconds from now [1438098389]
[sssd[be[LDAP]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
[sssd[be[LDAP]]] [sdap_id_op_connect_done] (0x4000): notify offline to op #1
[sssd[nss]] [sbus_remove_timeout] (0x2000): 0xe6d960
[sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0xe65230
[sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 1 errno: 11 error message: Offline
[sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
The hostname hostname resolves, the port 636 is definitely open (have turned iptables off and also able to telnet). The following is my sssd config file:
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
[nss]
filter_users = root, ldap, named
[pam]
# LDAP domain
[domain/LDAP]
ldap_tls_reqcert = demand
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_search_base = dc=test,dc=domain
ldap_group_member = uniquemember
id_provider = ldap
ldap_id_use_start_tls = true
chpass_provider = ldap
ldap_uri = ldaps://hostname:636/
ldap_chpass_uri = ldaps://hostname:636/
cache_credentials = true
ldap_tls_cacertdir = /etc/openldap/cacerts/
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
entry_cache_timeout = 600
ldap_network_timeout = 3
ldap_access_filter = (&(object)(object))
I have been unsuccessful in finding answers in Google. Any pointers towards a solution would be greatly appreciated.
Many Thanks.
-
ptman almost 8 years
Please add an example LDAP object in the question.