On Mon, Feb 09, 2015 at 07:50:32AM -0700, Ben Lewis wrote:
> Hey All
>
> This is my first attempt at getting sssd working. A little background.
>
> I have a RHEL 6 server that is located on a secure DMZ-like subnet, there
> is an ldap server running on the network which I would like to authenticate
> my server to. I have followed several guides (sssd fedora guide, official
> red hat guide and several others), but just can't seem to get the binding
> to work.
>
> I have tested binding with the ldapsearch commands and that seems to work,
> however SSSD continues to have issues.
>
> I am binding on 389 with TLS. I can successfully bind and see all the users
> and other attributes with the following ldapsearch command:

There is a

    (Mon Feb 9 07:45:57 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x0400): Search result: Other (e.g., implementation specific) error(80), NDS error: remote failure (-635)

error message in your log. -635 means an error on the LDAP server, maybe
because it failed to access some other network resources. Please check your
server logs for details. The LDAP request causing this error message is

    $ ldapsearch -x -ZZ -H ldap://myhost.mydomain.com -b o=MYORG '(&(objectclass=ipService)(cn=*)(ipServicePort=*)(ipServiceProtocol=*))'

Does this work if you call it from the command line or do you get the same
error?

bye,
Sumit

>
> $ ldapsearch -x -ZZ -H ldap://myhost.mydomain.com -b o=MYORG
>
> This is what my /etc/sssd/sssd.conf looks like:
>
> [sssd]
> config_file_version = 2
> services = nss, pam
> domains = LDAP
>
> [nss]
> filter_groups = root
> filter_users = root
> reconnection_retries = 3
> entry_cache_timeout = 300
>
> [pam]
>
> [domain/LDAP]
> access_provider = ldap
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> access_provider = ldap
> ldap_access_filter = allow
> ldap_schema = rfc2307
> ldap_uri = ldap://myhost.mydomain.com
> ldap_search_base = o=MYORG
> ldap_user_search_base = ou=PEOPLE,o=MYORG
> enumerate = True
> cache_credentials = true
> ldap_tls_reqcert = allow
> ldap_tls_cacertdir = /etc/openldap/certs
> ldap_id_use_start_tls = true
> ldap_default_bind_dn = cn=ldaplookup,o=services
> ldap_default_authtok_type = password
> ldap_default_authtok = XXXXXXXX
> debug_level = 9
>
> I have also tried binding anonymous, which also fails. This is what I see
> in my sssd log file:
>
> http://pastebin.com/j1XVRR65
>
> Thanks!
>
>
>
> --
> Ben Lewis
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
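The reply above does two things by hand: it picks the failed "Search result" line out of the SSSD debug log and turns the domain settings from sssd.conf into an equivalent ldapsearch command so the same query can be replayed outside SSSD. The script below is an added example written for this thread, not code from SSSD or from either poster. It scans a constructed log excerpt in the sssd_LDAP.log line format quoted in the reply, pairs each non-zero search result with the preceding "calling ldap_search_ext with [filter][base]" line, and maps the posted domain options onto the standard OpenLDAP client flags and environment variables (-ZZ for StartTLS, LDAPTLS_REQCERT and LDAPTLS_CACERTDIR for the TLS settings, -D/-W for the bind DN with an interactive password prompt so the bind password never appears in process listings). The sample config and log lines are constructed to match the thread; the hostname and password are placeholders.

```python
"""Turn an SSSD domain config into an ldapsearch replay command and find
failed searches in an SSSD debug log.  Added example, not SSSD code."""
import configparser
import re
import shlex

# The service-map filter quoted in the reply as the failing request.
SERVICE_FILTER = "(&(objectclass=ipService)(cn=*)(ipServicePort=*)(ipServiceProtocol=*))"

# Constructed sssd.conf fragment mirroring the one posted in the thread.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://myhost.mydomain.com
ldap_search_base = o=MYORG
ldap_user_search_base = ou=PEOPLE,o=MYORG
ldap_tls_reqcert = allow
ldap_tls_cacertdir = /etc/openldap/certs
ldap_id_use_start_tls = true
ldap_default_bind_dn = cn=ldaplookup,o=services
ldap_default_authtok_type = password
ldap_default_authtok = XXXXXXXX
"""

# Constructed log lines in the format quoted in the reply (sssd_LDAP.log).
SAMPLE_LOG = """\
(Mon Feb  9 07:45:57 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=ipService)(cn=*)(ipServicePort=*)(ipServiceProtocol=*))][o=MYORG].
(Mon Feb  9 07:45:57 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x0400): Search result: Other (e.g., implementation specific) error(80), NDS error: remote failure (-635)
(Mon Feb  9 07:45:58 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=*)(objectclass=posixAccount))][ou=PEOPLE,o=MYORG].
(Mon Feb  9 07:45:58 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x0400): Search result: Success(0), no errmsg set
"""

# "(timestamp) [process] [function] (debug level): message"; the process
# field nests brackets (sssd[be[LDAP]]), so it is matched non-greedily.
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>.+?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
QUERY_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.*?)\]\[(?P<base>.*?)\]")
RESULT_RE = re.compile(r"Search result: (?P<text>.*?)\((?P<code>\d+)\)")
SERVER_RE = re.compile(r"\((?P<srv>-\d+)\)\s*$")   # trailing server-side code, e.g. (-635)


def parse_line(line):
    """Split one SSSD debug line into its fields; None if it is not one."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def failed_searches(log_text):
    """Return every search result with a non-zero LDAP result code, together
    with the filter/base of the request that preceded it."""
    failures, last_query = [], None
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        q = QUERY_RE.search(rec["msg"])
        if q:
            last_query = {"filter": q.group("filter"), "base": q.group("base")}
            continue
        r = RESULT_RE.search(rec["msg"])
        if not r or int(r.group("code")) == 0:
            continue
        srv = SERVER_RE.search(rec["msg"])
        failures.append({
            "timestamp": rec["ts"],
            "function": rec["func"],
            "ldap_code": int(r.group("code")),
            "ldap_text": r.group("text").strip(),
            "server_code": int(srv.group("srv")) if srv else None,
            "query": last_query,
        })
    return failures


def build_ldapsearch(conf_text, domain="LDAP", ldap_filter=SERVICE_FILTER):
    """Map [domain/<name>] options onto OpenLDAP client options so the query
    SSSD sends can be replayed by hand.  Returns (environment, argv)."""
    # strict=False tolerates repeated keys such as the duplicated
    # access_provider line in the posted config.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    sec = cp[f"domain/{domain}"]
    uri = sec.get("ldap_uri", "ldap://localhost").split(",")[0].strip()
    argv = ["ldapsearch", "-x"]
    if sec.get("ldap_id_use_start_tls", "false").lower() == "true":
        argv.append("-ZZ")                       # require StartTLS, as SSSD does
    argv += ["-H", uri, "-b", sec.get("ldap_search_base", "")]
    bind_dn = sec.get("ldap_default_bind_dn")
    if bind_dn:
        argv += ["-D", bind_dn, "-W"]             # -W prompts; keeps the password out of argv
    argv.append(ldap_filter)
    env = {}
    if "ldap_tls_reqcert" in sec:
        env["LDAPTLS_REQCERT"] = sec["ldap_tls_reqcert"]
    if "ldap_tls_cacertdir" in sec:
        env["LDAPTLS_CACERTDIR"] = sec["ldap_tls_cacertdir"]
    return env, argv


if __name__ == "__main__":
    for f in failed_searches(SAMPLE_LOG):
        print(f"{f['timestamp']}: {f['function']} -> LDAP {f['ldap_code']} "
              f"({f['ldap_text']}), server code {f['server_code']}, query {f['query']}")
    env, argv = build_ldapsearch(SAMPLE_SSSD_CONF)
    print(" ".join(f"{k}={v}" for k, v in env.items()), shlex.join(argv))
```

Run the printed command on the SSSD host: if ldapsearch returns the same error 80 / -635 for the ipService filter while the plain user search succeeds, the fault is on the directory server side (as the reply suggests), not in the SSSD bind configuration.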
