Hi all,

I have a 389ds server that uses a certmap to map client certificates to a valid 
bind, and this works fine.

I am struggling to get sssd on ubuntu trusty to use a client certificate to 
talk to this server, and I don't know what I'm doing wrong. My 
/etc/sssd/sssd.conf looks like below.

[sssd]
config_file_version = 2
domains = LDAP
services = nss, pam

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

# A native LDAP domain
[domain/LDAP]
enumerate = true
cache_credentials = TRUE
debug_level = 9

id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

ldap_uri = ldaps://ldap.example.com:636
ldap_user_search_base = dc=example,dc=com
tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/root-ca.crt
ldap_tls_cert = /etc/ssl/certs/my.crt
ldap_tls_key = /etc/ssl/private/my.key
ldap_sasl_mech = EXTERNAL

When sssd attempts to connect to the LDAP server, first it connects and makes 
an anonymous bind, which the server refuses. sssd then tries to make a SASL 
EXTERNAL bind, which fails claiming external isn't a valid bind method.

(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x0400): Search result: Inappropriate authentication(48), Anonymous access is not allowed.
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Inappropriate authentication(48), Anonymous access is not allowed.
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_get_server_opts_from_rootdse] (0x0200): No known USN scheme is supported by this server!
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1458231814
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: EXTERNAL, user: (null)
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-6)[Unknown authentication method]
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-4): no mechanism available: ]

From what I can see, there is no attempt to use the client certificate at all.

Can anyone point out where I am going wrong?

Regards,
Graham
--
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
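As an added example (not part of Graham's post and not SSSD's own code), a small Python parser for the debug-log format quoted above: it re-joins records that a mail client wrapped across lines, then summarises the bind sequence (anonymous bind refused, which SASL mechanism was attempted, the libldap result and the client-side SASL library's error) so the failure can be located in a log the size of a real debug_level = 9 capture. The sample input is an excerpt of the post's own log.

```python
import re
# One SSSD debug record: "(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [func] (0xNNNN): msg"
RECORD_START = re.compile(r"^\(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}\) ")
RECORD_RE = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<comp>.*?)\] \[(?P<func>\w+)\] "
                       r"\((?P<level>0x[0-9a-fA-F]+)\): ?(?P<msg>.*)$")

def parse_sssd_log(text):
    """Parse SSSD debug output. Lines without a leading timestamp (wrapped by a
    mail client when the log was pasted) are re-joined to the record above."""
    records = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    matches = (RECORD_RE.match(r) for r in records)
    return [{"ts": m["ts"], "func": m["func"], "level": int(m["level"], 16),
             "msg": m["msg"].strip()} for m in matches if m]

def audit_bind_sequence(entries):
    """Summarise how the LDAP backend tried to bind and how each step ended."""
    report = {"anonymous_refused": False, "sasl_mechs_attempted": [],
              "sasl_bind_failures": [], "sasl_library_error": None}
    for e in entries:
        msg = e["msg"]
        if "Anonymous access is not allowed" in msg:   # server rejected the anonymous bind
            report["anonymous_refused"] = True
        m = re.search(r"Executing sasl bind mech: (\S+),", msg)
        if m:
            report["sasl_mechs_attempted"].append(m.group(1))
        m = re.search(r"ldap_sasl_bind failed \((-?\d+)\)\[([^\]]*)\]", msg)
        if m:   # libldap result code and its text
            report["sasl_bind_failures"].append((int(m.group(1)), m.group(2)))
        m = re.search(r"\[SASL\(-?\d+\): ([^:\]]+)", msg)
        if m:   # error text from the client-side SASL library
            report["sasl_library_error"] = m.group(1).strip()
    return report

# Excerpt of the debug_level = 9 log quoted in the post, mail wrapping kept as pasted.
SAMPLE_LOG = """\
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] 
(0x0400): Search result: Inappropriate authentication(48), Anonymous access is 
not allowed.
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sasl_bind_send] (0x0100): 
Executing sasl bind mech: EXTERNAL, user: (null)
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sasl_bind_send] (0x0020): 
ldap_sasl_bind failed (-6)[Unknown authentication method]
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sasl_bind_send] (0x0080): Extended 
failure message: [SASL(-4): no mechanism available: ]
"""
```

Running `audit_bind_sequence(parse_sssd_log(SAMPLE_LOG))` on the excerpt reports the refused anonymous bind, the single EXTERNAL attempt, the libldap failure (-6) and the SASL library's "no mechanism available", which matches the sequence described in the post.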