I'm trying to set up a vanilla installation of Fedora 13 to authenticate against an eDirectory server. We have this working on RHEL5 using nss_ldap and pam_ldap, but doing this same configuration on Fedora 13 did not work. So I'm now attempting the configuration using SSS. I used the graphical tools to set up the basics, then started editing /etc/sssd/sssd.conf to get the specifics right.
The directory server uses rfc2307bis groups. User DNs do not have memberOf attributes or any shadow or kerberos attributes. Kerberos is not available, LDAP is used for authentication. The SSSD client is sssd-1.2.1-15.fc13.x86_64.

/etc/sssd/sssd.conf:

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = CLEMSONU

[nss]
debug_level = 7
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 1
entry_cache_nowait_timeout = 1

[pam]
debug_level = 7
reconnection_retries = 3

[domain/CLEMSONU]
debug_level = 20
enumerate = False
cache_credentials = False
id_provider = ldap
auth_provider = ldap
chpass_provider = none
min_id = 1000
ldap_uri = ldaps://clemsonuldap.clemson.edu
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
tls_reqcert = demand
ldap_default_bind_dn = cn=CoESProxy,ou=proxyUsers,o=CLEMSONU
ldap_default_authtok_type = password
ldap_default_authtok = xxxxxx
ldap_schema = rfc2307bis
ldap_search_base = ou=SoC,ou=CES,o=CLEMSONU
ldap_user_search_base = o=CLEMSONU
ldap_group_search_base = o=CLEMSONU
ldap_user_shell = coesLoginShell
ldap_user_gecos = fullName
ldap_user_fullname = fullName
ldap_pwd_policy = none

nss_sss appears to be mostly functioning. "getent passwd sduckwo" works. "getent group xxxx" is flaky - the group name and GID are always found, but group members are only sometimes reported, with no rhyme or reason why they are or are not reported. For example:

[r...@duck2 ~]# getent group coes_socunix
coes_socunix:*:120105:sduckwo,duckwos,jdabney,mdabney

The log shows:

(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [be_get_account_info] (4): Got request for [4098][1][name=coes_socunix]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (6): calling ldap_search_ext with [(&(cn=coes_socunix)(objectclass=posixGroup))][o=CLEMSONU].
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [objectClass]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [cn]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [userPassword]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [gidNumber]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [member]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [nsUniqueId]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [modifyTimestamp]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (8): ldap_search_ext called, msgid = 5
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_process_result] (8): Trace: sh[0x1cf13c0], connected[1], ops[0x1cc6ca0], ldap[0x1cca100]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_parse_entry] (9): OriginalDN: [cn=coes_socunix,ou=group,ou=SoC,ou=CES,o=CLEMSONU].
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_process_result] (8): Trace: sh[0x1cf13c0], connected[1], ops[0x1cc6ca0], ldap[0x1cca100]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_groups_process] (6): Search for groups, returned 1 results.
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_process_result] (8): Trace: sh[0x1cf13c0], connected[1], ops[(nil)], ldap[0x1cca100]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [ldb] (9): start ldb transaction (nesting: 0)
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_save_group_send] (7): Adding original DN [cn=coes_socunix,ou=group,ou=SoC,ou=CES,o=CLEMSONU] to attributes of [coes_socunix].
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_save_group_send] (6): Storing info for group coes_socunix
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_save_groups_loop] (9): Group 0 processed!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_save_grpmem_send] (7): Adding member users to group [coes_socunix]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (9): [IPA or AD Schema]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #0 (cn=SDUCKWO,ou=s,ou=EMPLOYEE,o=CLEMSONU): [name=sduckwo,cn=users,cn=CLEMSONU,cn=sysdb]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #1 (cn=DUCKWOS,ou=d,ou=Students,o=CLEMSONU): [name=duckwos,cn=users,cn=CLEMSONU,cn=sysdb]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #2 (cn=JDABNEY,ou=j,ou=Students,o=CLEMSONU): [name=jdabney,cn=users,cn=CLEMSONU,cn=sysdb]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #3 (cn=MDABNEY,ou=m,ou=Students,o=CLEMSONU): [name=mdabney,cn=users,cn=CLEMSONU,cn=sysdb]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #4 (cn=DABNEY,ou=d,ou=EMPLOYEE,o=CLEMSONU): not found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #5 (cn=DABNEY2,ou=d,ou=EMPLOYEE,o=CLEMSONU): not found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #6 (cn=MADPROF,ou=m,ou=EMPLOYEE,o=CLEMSONU): not found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #7 (cn=WAYNE,ou=w,ou=EMPLOYEE,o=CLEMSONU): not found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_save_grpmem_send] (6): Storing members for group coes_socunix
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [ldb] (9): commit ldb transaction (nesting: 0)
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_groups_done] (9): Saving 1 Groups - Done
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success

Members #4 - #7 were not found, even though they are valid user DNs. Any thoughts?

Moving on...

pam_sss does not appear to work. Here are some entries from the SSS log when trying to log in to the system on the command line:

(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [simple_bind_send] (4): Executing simple bind as: cn=CoESProxy,ou=proxyUsers,o=CLEMSONU
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [simple_bind_done] (3): Bind result: Success(0), (null)
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (6): calling ldap_search_ext with [(&(uid=sduckwo)(objectclass=posixAccount))][o=CLEMSONU].
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [objectClass]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [uid]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [userPassword]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [uidNumber]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [gidNumber]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [fullName]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [homeDirectory]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [coesLoginShell]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [krbPrincipalName]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [fullName]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [memberOf]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [nsUniqueId]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [modifyTimestamp]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [shadowLastChange]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [shadowMin]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [shadowMax]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [shadowWarning]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [shadowInactive]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [shadowExpire]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [shadowFlag]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [krbLastPwdChange]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [krbPasswordExpiration]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [pwdAttribute]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_save_user_send] (7): Adding original DN [cn=SDUCKWO,ou=s,ou=EMPLOYEE,o=CLEMSONU] to attributes of [sduckwo].
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_save_user_send] (7): Original memberOf is not available for [sduckwo].
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_save_user_send] (7): User principal is not available for [sduckwo].
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_save_user_send] (6): Storing info for user sduckwo

Up to here, everything looks good. It would be nice to not ask for all of the shadow and krb attributes since they don't exist in our directory, but no harm done. But then things start to go wrong:

(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_initgr_process] (9): Process user's groups
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_initgr_nested_send] (4): User entry lacks original memberof ?
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_initgr_done] (9): Initgroups done
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [acctinfo_callback] (4): Request processed. Returned 3,2,Init Groups Failed

Our directory doesn't use the memberOf user attribute, it just uses rfc2307bis style groups (objectClass=posixUser, member=<user DN>). Then, here's where things really go awry:

(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [find_password_expiration_attributes] (9): No password policy requested.
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [simple_bind_send] (4): Executing simple bind as: cn=SDUCKWO,ou=s,ou=EMPLOYEE,o=CLEMSONU
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_process_result] (4): ldap_result gave -1, something bad happend!
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [auth_bind_user_done] (9): Found ppolicy data, assuming LDAP password policies are active.
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (Interrupted system call)]

"something bad happened" isn't very useful. And since SSS refuses to try and authenticate users without an encrypted connection, I can't easily use wireshark and friends to debug at the protocol level. While I could probably patch the source to print the actual LDAP error with ldap_err2string(), or maybe gdb the process and set a breakpoint when things go wrong to hopefully get some more useful information, this is beyond what I'd normally consider doing when deploying new software. Any suggestions?

Moving on...

We will need to dereference LDAP aliases but I have not yet been able to find a setting to enable this. I also have not found the equivalent of the pam_password_prohibit_message setting in /etc/ldap.conf; while not strictly required, it is nice to refer users to the proper way to change passwords in our environment.

Any help would be appreciated. Thanks!

Scott Duckworth, Systems Programmer II
Clemson University School of Computing
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
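An added diagnostic helper, not part of the original post and not SSSD's own code: it parses the sssd back-end log format quoted above and summarises which rfc2307bis group member DNs sssd matched to a cached user entry, which it reported as "not found", and whether the initgroups and bind failure markers from the post appear. The sample lines are constructed to match the post's log format (the regexes and the marker list are assumptions based on those lines only).

```python
import re

# Constructed sample lines in the sssd 1.2 back-end log format quoted in the post
# (not a capture from the author's system).
SAMPLE_LOG = """\
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #0 (cn=SDUCKWO,ou=s,ou=EMPLOYEE,o=CLEMSONU): [name=sduckwo,cn=users,cn=CLEMSONU,cn=sysdb]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #4 (cn=DABNEY,ou=d,ou=EMPLOYEE,o=CLEMSONU): not found!
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_initgr_nested_send] (4): User entry lacks original memberof ?
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [acctinfo_callback] (4): Request processed. Returned 3,2,Init Groups Failed
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_process_result] (4): ldap_result gave -1, something bad happend!
"""

# One record: "(timestamp) [process] [function] (level): message"
LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>\w+)\] \((?P<lvl>\d+)\): (?P<msg>.*)$")
# "member #N (<LDAP DN>): [<sysdb DN>]"  or  "member #N (<LDAP DN>): not found!"
MEMBER_RE = re.compile(r"^member #(?P<idx>\d+) \((?P<dn>[^)]+)\): (?P<result>.*)$")
# (function, substring) pairs marking the initgroups and bind failures described in the post
FAILURE_MARKERS = (
    ("sdap_initgr_nested_send", "lacks original memberof"),
    ("acctinfo_callback", "Init Groups Failed"),
    ("sdap_process_result", "ldap_result gave -1"),
)


def parse_record(line):
    """Split one sssd log line into its fields; None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def analyze_log(text):
    """Summarise group-member resolution and failure markers in an sssd debug log."""
    summary = {"resolved": [], "unresolved": [], "failures": []}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        func, msg = rec["func"], rec["msg"]
        mm = MEMBER_RE.match(msg) if func == "sdap_fill_memberships" else None
        if mm:
            # "not found!" means sssd had no cached user entry matching that member DN
            key = "unresolved" if mm.group("result").startswith("not found") else "resolved"
            summary[key].append(mm.group("dn"))
            continue
        for marker_func, marker_text in FAILURE_MARKERS:
            if func == marker_func and marker_text in msg:
                summary["failures"].append((rec["ts"], func, msg))
    return summary
```

Run it over a full /var/log/sssd/sssd_<domain>.log capture to see at a glance which member DNs the cache could not map, which is the list to compare against "getent passwd <user>" results.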