On Fri, Nov 14, 2014 at 03:27:39AM +0000, Aaron Jenkins wrote:
> Hi,
>
> I have a server running ApacheDS with both SSL and TLS enabled with a valid
> keystore. It allows me to connect via other ldap clients on both SSL and
> StartTLS and I'm able to use Kerberos from the client machine.
>
> However, when I configure sssd on a client machine to use ldap and use the
> ApacheDS as its provider, it fails with the message
>
> (Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [pam_print_data] (0x0100): domain: AUTOMATON.UK
> (Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [pam_print_data] (0x0100): user: aaron.jenkins
> (Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [pam_print_data] (0x0100): service: login
> (Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [pam_print_data] (0x0100): tty: /dev/pts/15
> (Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [pam_print_data] (0x0100): ruser:
> (Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [pam_print_data] (0x0100): rhost:
> (Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [pam_print_data] (0x0100): authtok type: 1
> (Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [pam_print_data] (0x0100): newauthtok type: 0
> (Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [pam_print_data] (0x0100): priv: 1
> (Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [pam_print_data] (0x0100): cli_pid: 9586
> (Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
> (Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [be_resolve_server_process] (0x0200): Found address for server ds.automaton.uk: [10.211.55.27] TTL 7200
> (Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [sdap_sys_connect_done] (0x0100): Executing START TLS
> (Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [sdap_connect_done] (0x0080): START TLS result: Success(0), (null)
> (Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [sdap_connect_done] (0x0080): ldap_install_tls failed: [Connect error] [(unknown error code)]
> (Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [fo_set_port_status] (0x0100): Marking port 10389 of server 'ds.automaton.uk' as 'not working'
> (Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
> (Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
> (Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
> (Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [be_pam_handler_callback] (0x0100): Backend returned: (1, 9, <NULL>) [Provider is Offline (Authentication service cannot retrieve authentication info)]
> (Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [be_pam_handler_callback] (0x0100): Sending result [9][AUTOMATON.UK]
> (Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [be_pam_handler_callback] (0x0100): Sent result [9][AUTOMATON.UK]
>
> My sssd configuration is as follows:
>
> [sssd]
> config_file_version = 2
> services = nss, pam
> domains = AUTOMATON.UK
> debug_level = 5
>
> [domain/AUTOMATON.UK]
> debug_level = 5
> cache_credentials = true
>
> id_provider = ldap
> auth_provider = ldap
>
> ldap_uri = ldap://ds.automaton.uk:10389
> ldap_search_base = dc=automaton,dc=uk
> chpass_provider = ldap
> entry_cache_timeout = 600
> ldap_network_timeout = 2
>
> The search base and the uri are correct as they work with other things. Do you
> guys have any idea what could be going wrong?
By default SSSD really checks the certificate. This means that it must be able to find the public certificate of the CA which signed the LDAP certificate. If this is in an unusual place please use ldap_tls_cacert or ldap_tls_cacertdir.

If you want to disable the strict check (NOT RECOMMENDED) for testing please use ldap_tls_reqcert.

See man sssd-ldap for valid options.

HTH

bye,
Sumit

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
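Added example, not from the thread or the SSSD project: a small POSIX shell linter for the options Sumit names. It reads the [domain/...] section of an sssd.conf and reports whether the LDAP server certificate will be verified and where the CA comes from, so a config like Aaron's (strict check, no CA configured) is distinguished from one that weakens verification. The sample configs and the CA path /etc/pki/tls/certs/apacheds-ca.pem are constructed for the example.

```shell
# get_opt FILE SECTION KEY: print the value of KEY in [SECTION] (key = value form).
get_opt() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { in_sec = 1; next }
        /^\[/     { in_sec = 0 }
        in_sec && $1 == key && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# check_sssd_tls FILE DOMAIN. Exit status: 0 = strict check with an explicit CA,
# 1 = verification weakened, 2 = strict check (SSSD default ldap_tls_reqcert=hard)
# but the CA must come from the libldap/system default store.
check_sssd_tls() {
    sec="domain/$2"
    reqcert=$(get_opt "$1" "$sec" ldap_tls_reqcert)
    cacert=$(get_opt "$1" "$sec" ldap_tls_cacert)
    cadir=$(get_opt "$1" "$sec" ldap_tls_cacertdir)
    case "${reqcert:-hard}" in
        never|allow)
            echo "WEAK: ldap_tls_reqcert=$reqcert turns off server certificate checks"
            return 1 ;;
    esac
    if [ -z "$cacert$cadir" ]; then
        echo "DEFAULT TRUST: no ldap_tls_cacert/ldap_tls_cacertdir; CA must be in the system store"
        return 2
    fi
    echo "OK: strict verification, CA taken from ${cacert:-$cadir}"
    return 0
}

# Constructed sample configs; the CA path is a placeholder, not from the thread.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/asposted.conf" <<'EOF'
[domain/AUTOMATON.UK]
id_provider = ldap
ldap_uri = ldap://ds.automaton.uk:10389
EOF
cat > "$SAMPLES/weak.conf" <<'EOF'
[domain/AUTOMATON.UK]
ldap_uri = ldap://ds.automaton.uk:10389
ldap_tls_reqcert = never
EOF
cat > "$SAMPLES/fixed.conf" <<'EOF'
[domain/AUTOMATON.UK]
ldap_uri = ldap://ds.automaton.uk:10389
ldap_tls_cacert = /etc/pki/tls/certs/apacheds-ca.pem
EOF
for f in asposted weak fixed; do check_sssd_tls "$SAMPLES/$f.conf" AUTOMATON.UK || :; done
```

Run it against /etc/sssd/sssd.conf with the real domain name to see which of the three states the client is in; the "DEFAULT TRUST" case matches the config in the thread, where the StartTLS handshake succeeds but ldap_install_tls fails because the CA is not found.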
