Scott Duckworth wrote:
> I'm trying to set up a vanilla installation of Fedora 13 to
> authenticate against an eDirectory server. We have this working on
> RHEL5 using nss_ldap and pam_ldap, but doing this same configuration
> on Fedora 13 did not work. So I'm now attempting the configuration
> using SSS. I used the graphical tools to set up the basics, then
> started editing /etc/sssd/sssd.conf to get the specifics right.
>
> The directory server uses rfc2307bis groups. User DNs do not have
> memberOf attributes or any shadow or kerberos attributes. Kerberos is
> not available, LDAP is used for authentication.
>
> The SSSD client is sssd-1.2.1-15.fc13.x86_64.
>
> /etc/sssd/sssd.conf:
> [sssd]
> config_file_version = 2
> reconnection_retries = 3
> sbus_timeout = 30
> services = nss, pam
> domains = CLEMSONU
>
> [nss]
> debug_level = 7
> filter_groups = root
> filter_users = root
> reconnection_retries = 3
> entry_cache_timeout = 1
> entry_cache_nowait_timeout = 1
>
> [pam]
> debug_level = 7
> reconnection_retries = 3
>
> [domain/CLEMSONU]
> debug_level = 20
> enumerate = False
> cache_credentials = False
> id_provider = ldap
> auth_provider = ldap

Try adding here
ldap_schema = rfc2307bis

> chpass_provider = none
> min_id = 1000
> ldap_uri = ldaps://clemsonuldap.clemson.edu
> ldap_id_use_start_tls = False
> ldap_tls_cacertdir = /etc/openldap/cacerts
> tls_reqcert = demand
> ldap_default_bind_dn = cn=CoESProxy,ou=proxyUsers,o=CLEMSONU
> ldap_default_authtok_type = password
> ldap_default_authtok = xxxxxx
> ldap_schema = rfc2307bis
> ldap_search_base = ou=SoC,ou=CES,o=CLEMSONU
> ldap_user_search_base = o=CLEMSONU
> ldap_group_search_base = o=CLEMSONU
> ldap_user_shell = coesLoginShell
> ldap_user_gecos = fullName
> ldap_user_fullname = fullName
> ldap_pwd_policy = none
>
> nss_sss appears to be mostly functioning. "getent passwd sduckwo"
> works. "getent group xxxx" is flaky - the group name and GID are
> always found, but group members are only sometimes reported, with no
> rhyme or reason why they are or are not reported. For example:
>
> [r...@duck2 ~]# getent group coes_socunix
> coes_socunix:*:120105:sduckwo,duckwos,jdabney,mdabney
>
> The log shows:
>
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [be_get_account_info] (4): Got request for [4098][1][name=coes_socunix]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (6): calling ldap_search_ext with [(&(cn=coes_socunix)(objectclass=posixGroup))][o=CLEMSONU].
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [objectClass]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [cn]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [userPassword]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [gidNumber]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [member]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [nsUniqueId]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [modifyTimestamp]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (8): ldap_search_ext called, msgid = 5
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_process_result] (8): Trace: sh[0x1cf13c0], connected[1], ops[0x1cc6ca0], ldap[0x1cca100]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_parse_entry] (9): OriginalDN: [cn=coes_socunix,ou=group,ou=SoC,ou=CES,o=CLEMSONU].
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_process_result] (8): Trace: sh[0x1cf13c0], connected[1], ops[0x1cc6ca0], ldap[0x1cca100]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_done] (6): Search result: Success(0), (null)
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_groups_process] (6): Search for groups, returned 1 results.
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_process_result] (8): Trace: sh[0x1cf13c0], connected[1], ops[(nil)], ldap[0x1cca100]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_process_result] (8): Trace: ldap_result found nothing!
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [ldb] (9): start ldb transaction (nesting: 0)
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_save_group_send] (7): Adding original DN [cn=coes_socunix,ou=group,ou=SoC,ou=CES,o=CLEMSONU] to attributes of [coes_socunix].
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_save_group_send] (6): Storing info for group coes_socunix
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_save_groups_loop] (9): Group 0 processed!
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_save_grpmem_send] (7): Adding member users to group [coes_socunix]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (9): [IPA or AD Schema]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #0 (cn=SDUCKWO,ou=s,ou=EMPLOYEE,o=CLEMSONU): [name=sduckwo,cn=users,cn=CLEMSONU,cn=sysdb]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #1 (cn=DUCKWOS,ou=d,ou=Students,o=CLEMSONU): [name=duckwos,cn=users,cn=CLEMSONU,cn=sysdb]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #2 (cn=JDABNEY,ou=j,ou=Students,o=CLEMSONU): [name=jdabney,cn=users,cn=CLEMSONU,cn=sysdb]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #3 (cn=MDABNEY,ou=m,ou=Students,o=CLEMSONU): [name=mdabney,cn=users,cn=CLEMSONU,cn=sysdb]
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #4 (cn=DABNEY,ou=d,ou=EMPLOYEE,o=CLEMSONU): not found!
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #5 (cn=DABNEY2,ou=d,ou=EMPLOYEE,o=CLEMSONU): not found!
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #6 (cn=MADPROF,ou=m,ou=EMPLOYEE,o=CLEMSONU): not found!
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #7 (cn=WAYNE,ou=w,ou=EMPLOYEE,o=CLEMSONU): not found!
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_save_grpmem_send] (6): Storing members for group coes_socunix
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [ldb] (9): commit ldb transaction (nesting: 0)
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_groups_done] (9): Saving 1 Groups - Done
> (Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success
>
> Members #4 - #7 were not found, even though they are valid user DNs.
> Any thoughts?
>
> Moving on...
>
> pam_sss does not appear to work. Here are some entries from the SSS log
> when trying to log in to the system on the command line:
>
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [simple_bind_send] (4): Executing simple bind as: cn=CoESProxy,ou=proxyUsers,o=CLEMSONU
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [simple_bind_done] (3): Bind result: Success(0), (null)
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (6): calling ldap_search_ext with [(&(uid=sduckwo)(objectclass=posixAccount))][o=CLEMSONU].
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [objectClass]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [uid]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [userPassword]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [uidNumber]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [gidNumber]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [fullName]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [homeDirectory]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [coesLoginShell]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [krbPrincipalName]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [fullName]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [memberOf]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [nsUniqueId]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [modifyTimestamp]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [shadowLastChange]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [shadowMin]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [shadowMax]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [shadowWarning]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [shadowInactive]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [shadowExpire]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [shadowFlag]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [krbLastPwdChange]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [krbPasswordExpiration]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7): Requesting attrs: [pwdAttribute]
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_save_user_send] (7): Adding original DN [cn=SDUCKWO,ou=s,ou=EMPLOYEE,o=CLEMSONU] to attributes of [sduckwo].
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_save_user_send] (7): Original memberOf is not available for [sduckwo].
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_save_user_send] (7): User principal is not available for [sduckwo].
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_save_user_send] (6): Storing info for user sduckwo
>
> Up to here, everything looks good. It would be nice to not ask for
> all of the shadow and krb attributes since they don't exist in our
> directory, but no harm done.
>
> But then things start to go wrong:
>
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_initgr_process] (9): Process user's groups
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_initgr_nested_send] (4): User entry lacks original memberof ?
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_initgr_done] (9): Initgroups done
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [acctinfo_callback] (4): Request processed. Returned 3,2,Init Groups Failed
>
> Our directory doesn't use the memberOf user attribute, it just uses
> rfc2307bis style groups (objectClass=posixUser, member=<user DN>).
>
> Then, here's where things really go awry:
>
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [find_password_expiration_attributes] (9): No password policy requested.
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [simple_bind_send] (4): Executing simple bind as: cn=SDUCKWO,ou=s,ou=EMPLOYEE,o=CLEMSONU
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_process_result] (4): ldap_result gave -1, something bad happend!
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [auth_bind_user_done] (9): Found ppolicy data, assuming LDAP password policies are active.
> (Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (Interrupted system call)]
>
> "something bad happened" isn't very useful. And since SSS refuses to
> try and authenticate users without an encrypted connection, I can't
> easily use wireshark and friends to debug at the protocol level.
> While I could probably patch the source to print the actual LDAP error
> with ldap_err2string(), or maybe gdb the process and set a breakpoint
> when things go wrong to hopefully get some more useful information,
> this is beyond what I'd normally consider doing when deploying new
> software. Any suggestions?
>
> Moving on...
>
> We will need to dereference LDAP aliases but I have not yet been able
> to find a setting to enable this. I also have not found the
> equivalent of the pam_password_prohibit_message setting in
> /etc/ldap.conf; while not strictly required, it is nice to refer users
> to the proper way to change passwords in our environment.
>
> Any help would be appreciated. Thanks!
>
> Scott Duckworth, Systems Programmer II
> Clemson University School of Computing
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
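In the group-lookup trace quoted above, each member DN that ends in "not found!" is immediately preceded by a "[sysdb_search_entry_done] (6): Error: Entry not Found!" line, i.e. the member is being checked against SSSD's local sysdb cache rather than against the directory. The script below is an added example, not code from this thread or from SSSD. It parses debug records of that shape, reports per group which member DNs resolved to a cached user and which did not, and turns each unresolved DN into a base-scope ldapsearch command using the same posixAccount filter SSSD's user search shows in the pam trace, so the entry can be checked directly against the directory. The embedded sample is a constructed, unwrapped copy of a subset of the lines quoted above; the ldap_uri and bind DN are taken from the posted sssd.conf, and prompting for the proxy password with -W (rather than passing it on the command line) is an assumption.

```python
"""Summarise an SSSD 1.2 ldap-provider group lookup trace.

Added example, not code from this thread or from SSSD. It parses the
"member #N (DN): ..." lines logged by sdap_fill_memberships and reports,
per group, which member DNs resolved to a user already in the local sysdb
cache and which came back "not found!", then builds an ldapsearch command
for each unresolved DN so the entry can be checked directly against the
directory with the same posixAccount filter SSSD uses for users.
"""
import re
import shlex
from collections import OrderedDict

# Constructed sample: a trimmed copy of the debug lines quoted in the
# thread, unwrapped so that each record sits on one line.
SAMPLE_LOG = """\
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_save_grpmem_send] (7): Adding member users to group [coes_socunix]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (9): [IPA or AD Schema]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #0 (cn=SDUCKWO,ou=s,ou=EMPLOYEE,o=CLEMSONU): [name=sduckwo,cn=users,cn=CLEMSONU,cn=sysdb]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #1 (cn=DUCKWOS,ou=d,ou=Students,o=CLEMSONU): [name=duckwos,cn=users,cn=CLEMSONU,cn=sysdb]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #4 (cn=DABNEY,ou=d,ou=EMPLOYEE,o=CLEMSONU): not found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done] (6): Error: Entry not Found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (7): member #5 (cn=DABNEY2,ou=d,ou=EMPLOYEE,o=CLEMSONU): not found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_save_grpmem_send] (6): Storing members for group coes_socunix
"""

# Values taken from the sssd.conf posted in the thread. The bind password
# is prompted for with -W (an assumption) rather than put on the command line.
LDAP_URI = "ldaps://clemsonuldap.clemson.edu"
BIND_DN = "cn=CoESProxy,ou=proxyUsers,o=CLEMSONU"

# (timestamp) [sssd[be[DOMAIN]]] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>\d+)\): (?P<msg>.*)$"
)
GROUP_RE = re.compile(r"Adding member users to group \[(?P<group>[^\]]+)\]")
MEMBER_RE = re.compile(
    r"member #(?P<idx>\d+) \((?P<dn>[^)]+)\): "
    r"(?:\[(?P<sysdb>[^\]]+)\]|(?P<missing>not found!))"
)


def parse_group_memberships(log_text):
    """Map group name -> {"resolved": {member DN: sysdb DN}, "missing": [DN]}."""
    groups = OrderedDict()
    current = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped continuation or unrelated line
        func, msg = m.group("func"), m.group("msg")
        if func == "sdap_save_grpmem_send":
            gm = GROUP_RE.search(msg)
            if gm:  # "Adding member users to group [...]" opens a new group
                current = groups.setdefault(
                    gm.group("group"), {"resolved": OrderedDict(), "missing": []})
            continue
        if func == "sdap_fill_memberships" and current is not None:
            mm = MEMBER_RE.search(msg)
            if mm is None:
                continue  # e.g. the "[IPA or AD Schema]" marker line
            if mm.group("missing"):
                current["missing"].append(mm.group("dn"))
            else:
                current["resolved"][mm.group("dn")] = mm.group("sysdb")
    return groups


def ldapsearch_checks(groups, uri=LDAP_URI, bind_dn=BIND_DN):
    """One base-scope ldapsearch per unresolved member DN.

    SSSD's own user lookup (see the pam trace) filters on
    (&(uid=...)(objectclass=posixAccount)), so a member entry that is not
    a posixAccount carrying a uid can never be matched as a user.
    """
    cmds = []
    for info in groups.values():
        for dn in info["missing"]:
            cmds.append(
                "ldapsearch -x -H %s -D %s -W -b %s -s base %s uid uidNumber"
                % (shlex.quote(uri), shlex.quote(bind_dn), shlex.quote(dn),
                   shlex.quote("(objectClass=posixAccount)")))
    return cmds


def summarize(groups):
    """Human-readable report: one line per group plus one per missing DN."""
    out = []
    for name, info in groups.items():
        out.append("%s: %d member(s) resolved from sysdb, %d not found"
                   % (name, len(info["resolved"]), len(info["missing"])))
        out.extend("  not in cache: " + dn for dn in info["missing"])
    return "\n".join(out)


if __name__ == "__main__":
    parsed = parse_group_memberships(SAMPLE_LOG)
    print(summarize(parsed))
    print("\n".join(ldapsearch_checks(parsed)))
```

Run it against a real trace by replacing SAMPLE_LOG with the contents of the domain log (with the records unwrapped, one per line); the generated ldapsearch lines show whether an unresolved member DN exists at all, and whether it is a posixAccount with a uid, which is the precondition for SSSD's user filter to ever match it.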
