On Thu, 02 Apr 2015, Guertin, David S. wrote:
Can you try searching the compat tree with ldapsearch to see if an entry turns
up? IIRC you need to search for a particular entry, not for any (i.e., not cn=*),
but if you crank up the debug_level in the domain section, then sssd should
log the searches to /var/log/sssd/sssd_default.log

Here's the result of ldapsearch on the RHEL 5 client (the same command
works on RHEL 6):

# ldapsearch -h middlebury.edu -p 389 -D 'MIDD\admin' -W -b "dc=middlebury,dc=edu" -s sub "cn=juser,cn=users,dc=middlebury,dc=edu"
Enter LDAP Password:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified 
GSS failure.  Minor code may provide more information (No credentials cache 
found)
This is a wrong use of ldapsearch -- if you are using simple bind, make
sure you tell ldapsearch about it. However, I'm not sure what you wanted
to show, as both hostname and base DN are different from what SSSD tries
in the logs below. Also, unlike Active Directory, IPA LDAP does not
(yet) accept a short version of the bind DN; you have to specify it fully.
If you wanted to have Kerberos auth working on RHEL5, that is something
that might or might not work for AD users depending on many
circumstances, mostly related to the need to manually configure
krb5.conf to know about AD realm and how to contact servers there but
also due to possible issues with auth_to_local rulesets (if they even
exist in that Kerberos library version).

In the case of AD users there is a sequence to follow for LDAP
authentication if you want to repeat what SSSD does:

1. Search for the user with filter '(uid=username@domain)' to get the entry into
  the compat tree.
2. Bind as uid=username@domain,cn=users,cn=compat,$BASEDN to trigger
  authentication check.

This is how various LDAP-based NSS modules work, be it nss_ldap or
pam-nss-ldapd, or SSSD.

So, let's say you have a Kerberos keytab with a host principal in
/etc/krb5.keytab. The sequence to emulate what SSSD does would be

kinit -k host/`hostname`
ldapsearch -Y GSSAPI -H ldap://genet.ipa.middlebury.edu \
          -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub \
          '(uid=ad...@middlebury.edu)'

As a result, we have 'ad...@middlebury.edu' inserted in the compat tree, and can
do a bind as
'uid=ad...@middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu'

ldapsearch -x -H ldap://genet.ipa.middlebury.edu \
          -D 'uid=ad...@middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu' \
          -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub \
          '(uid=ad...@middlebury.edu)'

This would reproduce what SSSD was supposed to do. If you get these
ldapsearches to work, we can look at what SSSD is doing.
--
/ Alexander Bokovoy
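The two-step compat-tree check described in the reply above (GSSAPI search as the host principal to materialize the AD user, then a simple bind as the materialized entry), wrapped as a reusable script. This is an added example, not code from the thread or from the FreeIPA/SSSD projects. The server name genet.ipa.middlebury.edu, the base cn=compat,dc=ipa,dc=middlebury,dc=edu and the keytab path are taken from the reply as illustrative values; the function names, the escaping helpers and the use of a password file (`-y`, so the password does not appear in `ps` output) are this example's own choices. The escaping helpers follow RFC 4515 (filter values) and RFC 4514 (DN values) so that a username containing `*`, `(`, `)`, `\` or `,` cannot widen the search or change the bind DN.

```shell
#!/bin/sh
# Added example: emulate SSSD's LDAP authentication of an AD user through the
# IPA compat tree. Hypothetical defaults below; override by passing arguments.
#   usage: ./compat_probe.sh 'user@AD.DOMAIN' /path/to/passwordfile \
#              ldap://genet.ipa.middlebury.edu cn=compat,dc=ipa,dc=middlebury,dc=edu

# Escape a value for use inside an LDAP search filter (RFC 4515).
# Backslash must be handled first so the escapes it produces are not re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Escape an attribute value for use inside a DN (RFC 4514): special characters
# get a leading backslash; a leading '#' and leading/trailing spaces too.
ldap_dn_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/,/\\,/g' -e 's/+/\\+/g' \
                           -e 's/"/\\"/g' -e 's/</\\</g' -e 's/>/\\>/g' \
                           -e 's/;/\\;/g' -e 's/=/\\=/g' \
                           -e 's/^#/\\#/' -e 's/^ /\\ /' -e 's/ $/\\ /'
}

# Filter SSSD uses in step 1: (uid=user@domain)
compat_user_filter() {
    printf '(uid=%s)' "$(ldap_filter_escape "$1")"
}

# Bind DN SSSD uses in step 2: uid=user@domain,cn=users,<compat base>
#   $1 = user@domain, $2 = compat base DN
compat_user_dn() {
    printf 'uid=%s,cn=users,%s' "$(ldap_dn_escape "$1")" "$2"
}

# Run both steps against a live server.
#   $1 = user@domain, $2 = file holding the user's password,
#   $3 = LDAP URI, $4 = compat base DN
# Exit status: 0 = password accepted; 2 = step 1 failed (no host ticket, or
# the user is not resolvable via the compat tree); 1 = step 2 failed, where
# ldapsearch reports "Invalid credentials (49)" for a wrong password.
compat_auth_probe() {
    user=$1; pwfile=$2; uri=$3; base=$4
    filter=$(compat_user_filter "$user")
    dn=$(compat_user_dn "$user" "$base")
    # Step 1: GSSAPI bind as the host principal (needs a ticket, see kinit below).
    # Requesting only 'uid' keeps the output small; the point is the side effect.
    ldapsearch -LLL -Y GSSAPI -H "$uri" -b "$base" -s sub "$filter" uid >/dev/null \
        || return 2
    # Step 2: simple bind (-x) as the materialized compat entry. Without -x the
    # client would try SASL/GSSAPI again, which is the error seen in the thread.
    ldapsearch -LLL -x -H "$uri" -D "$dn" -y "$pwfile" -b "$base" -s sub \
        "$filter" uid >/dev/null
}

# Only act when invoked with all four arguments, so the file can also be sourced.
if [ "$#" -eq 4 ]; then
    # Obtain the host principal's ticket from the keytab first; the host
    # principal is host/<fqdn>, hence hostname -f.
    kinit -k "host/$(hostname -f)" || exit 2
    compat_auth_probe "$@"
    rc=$?
    [ "$rc" -eq 0 ] && echo "authentication accepted for $1"
    exit "$rc"
fi
```

If step 1 fails with "No credentials cache found", the kinit did not succeed (wrong keytab or principal name); if step 1 succeeds but step 2 returns 49, the compat entry exists and the password was rejected, which is the point where SSSD's logs become the next thing to read.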

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project