On Thu, Feb 09, 2012 at 09:10:04PM +0200, Aziz Sasmaz wrote:
> hi,
> ldap is working fine without sssd. When sssd enabled, getent works fine it
> gets all the user info.

The LDAP connection we use to get user information is not encrypted by
default.

> When I try to make ssh connection to sssd enabled server, I see below
> debug entries in ldap servers log file.

The authentication requests must be encrypted to prevent the password from
being sent in the clear. That's where you are hitting the TLS errors.

> The certs are created in Gentoo machines. But I use the certs in CentOS
> also. I have one Gentoo ldap-provider server and 2 Gentoo ldap-consumer
> servers. This CentOS machine is the 3rd ldap consumer server. When I point
> Gentoo ldap servers in sssd.conf file sssd works fine. But when I point the
> CentOS ldap server in sssd.conf I got an error when I try to make an ssh
> connection to that server.
>
> TLS: loaded CA certificate file /etc/openldap/ssl/cacert.pem.
> TLS: certificate [[email protected],CN=ldap01.jazzy.com,O=Jazzy Hizmetler A.S,L=Istanbul,ST=Sisli,C=TR] is not valid - error -8181:Unknown code ___f 11.

moznss error -8181 (SEC_ERROR_BAD_SIGNATURE) means that the certificate is
not signed properly. Perhaps the CentOS server does not trust the issuing
CA you signed the certificate with?

> TLS: certificate [[email protected],CN=jazzy.com,O=Jazzy Hizmetler A.S.,ST=Sisli,C=TR] is not correct because it is a CA cert and the BasicConstraint CA flag is set to FALSE - allowing for now, but please fix your certs if possible
> TLS: error: unable to find and verify server's cert and key for certificate PEM Token #0:servercrt.pem - 0
> TLS: error: could not initialize moznss security context - error -8156:Unknown code ___f 36
> TLS: can't create ssl handle.
> connection_read(19): TLS accept failure error=-1 id=1001, closing
> connection_closing: readying conn=1001 sd=19 for close
>
> sssd conf:
> [domain/azldap.jazzy.com]
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_schema = rfc2307
> ldap_uri = ldaps://172.16.10.48
> ldap_search_base = dc=jazzy,dc=com
> ldap_tls_reqcert = allow
> cache_credentials = true
> enumerate = true
> entry_cache_timeout = 5400
> ldap_user_gecos = uid
>
> Thanks,
> AS
>
> On Thu, Feb 9, 2012 at 3:12 PM, Jakub Hrozek <[email protected]> wrote:
> > On Thu, Feb 09, 2012 at 01:44:35PM +0200, Aziz Sasmaz wrote:
> > Hi,
> > sssd gives below error when it tries to connect to my ldap server. My
> > ldap server is CentOS release 6.2 (Final) and the servers using sssd are
> > the same.
> > In one of my datacenters I use Gentoo ldap servers and Red Hat (5) sssd
> > servers and I got no errors with the same configuration parameters.
> > It says below "something bad happened". What is that something? Could you
> > please help me regarding this error?
> >
> > (Thu Feb 9 13:35:30 2012) [sssd[be[azldap.bilyoner.com]]] [set_server_common_status] (4): Marking server '172.16.10.48' as 'working'
> > (Thu Feb 9 13:35:30 2012) [sssd[be[azldap.bilyoner.com]]] [simple_bind_send] (4): Executing simple bind as: uid=aziz,ou=People,dc=bilyoner,dc=com
> > (Thu Feb 9 13:35:30 2012) [sssd[be[azldap.bilyoner.com]]] [sdap_process_result] (4): ldap_result gave -1, something bad happend!
> > (Thu Feb 9 13:35:30 2012) [sssd[be[azldap.bilyoner.com]]] [be_pam_handler_callback] (4): Backend returned: (3, 4, <NULL>) [Internal Error (System error)]
> > (Thu Feb 9 13:35:30 2012) [sssd[be[azldap.bilyoner.com]]] [be_pam_handler_callback] (4): Sending result [4][azldap.bilyoner.com]
> > (Thu Feb 9 13:35:30 2012) [sssd[be[azldap.bilyoner.com]]] [be_pam_handler_callback] (4): Sent result [4][azldap.bilyoner.com]
> >
> > Thanks,
> > AS
> >
> > Unfortunately the LDAP library does not pass any extra information
> > except the "something bad happened" sentence to the client side.
> >
> > Do you have access to the server logs? Can you check if there is any
> > useful information there?
> >
> > My guess would be to check for any certificate issues.

_______________________________________________
sssd-devel mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/sssd-devel
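An added example, not from this thread or from the sssd project, that reproduces with OpenSSL the BasicConstraints problem the slapd log reports: a CA certificate issued with CA:FALSE fails chain verification of the server cert it signed, while the same chain re-issued with CA:TRUE verifies. It assumes the `openssl` command-line tool is installed and builds throwaway keys in a temporary directory; the names (Test CA, ldap.example.test) are constructed.

```shell
#!/bin/sh
# Constructed demo: compare a CA cert issued with basicConstraints CA:FALSE
# (the misconfiguration the slapd log complains about) against one with CA:TRUE.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_chain FLAG: build a self-signed CA (CA:$FLAG) and a server cert it signs
make_chain() {
  d="$WORK/$1"; mkdir -p "$d"
  cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = placeholder
[v3]
basicConstraints = critical,CA:$1
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 -config "$d/ca.cnf" \
    -subj "/CN=Test CA" -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 -config "$d/ca.cnf" \
    -subj "/CN=ldap.example.test" -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
  # openssl x509 -req signs regardless of the CA flag; only verifiers object later
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -sha256 -out "$d/server.pem" >/dev/null 2>&1
}

# verify_chain FLAG: "ok" if the server cert validates against its CA, else "fail"
verify_chain() {
  if openssl verify -CAfile "$WORK/$1/ca.pem" "$WORK/$1/server.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# ca_flag_of FLAG: the basicConstraints value actually encoded in the CA cert
ca_flag_of() {
  openssl x509 -in "$WORK/$1/ca.pem" -noout -text \
    | grep -A1 'Basic Constraints' | tail -n 1 | tr -d ' '
}

make_chain FALSE
make_chain TRUE
echo "CA:FALSE chain -> $(verify_chain FALSE)"   # fail, as slapd's moznss reported
echo "CA:TRUE  chain -> $(verify_chain TRUE)"    # ok
```

The same check against a real deployment is `openssl x509 -in cacert.pem -noout -text` on the CA file slapd loads, followed by `openssl verify -CAfile cacert.pem servercrt.pem` on the server certificate.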
