Clarification

This works:

ldapsearch -x -ZZ -H ldap://blah dc=blah-x uid=me -d3

Again says expired certificate.

I set ldap_uri = ldaps://blah, ldap://blah and ldap_tls_reqcert = never in sssd.conf but still failure.

Thanks
Doug

Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Physiology and Biophysics
Weill Cornell Medicine
E: [email protected]
O: 212-746-5454
F: 212-746-8690

On Fri, Aug 12, 2016 at 11:47 AM, Douglas Duckworth <[email protected]> wrote:

> Jakub
>
> I had base set to Accounts OU in nslcd so I can now enumerate groups by setting base correctly :) However I still do see this issue in sssd_LDAP log:
>
> (Fri Aug 12 11:28:26 2016) [sssd[be[LDAP]]] [sdap_uri_callback] (0x0400): Constructed uri 'blah'
> (Fri Aug 12 11:28:26 2016) [sssd[be[LDAP]]] [sss_ldap_init_send] (0x4000): Using file descriptor [21] for LDAP connection.
> (Fri Aug 12 11:28:26 2016) [sssd[be[LDAP]]] [sss_ldap_init_send] (0x0400): Setting 30 seconds timeout for connecting
> (Fri Aug 12 11:28:26 2016) [sssd[be[LDAP]]] [sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: Connect error
> (Fri Aug 12 11:28:26 2016) [sssd[be[LDAP]]] [sss_ldap_init_state_destructor] (0x0400): calling ldap_unbind_ext for ldap:[0x20333d0] sd:[21]
> (Fri Aug 12 11:28:26 2016) [sssd[be[LDAP]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed: [5]: Input/output error.
> (Fri Aug 12 11:28:26 2016) [sssd[be[LDAP]]] [sdap_handle_release] (0x2000): Trace: sh[0x202c170], connected[0], ops[(nil)], ldap[(nil)], destructor_lock[0], release_memory[0]
> (Fri Aug 12 11:28:26 2016) [sssd[be[LDAP]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING.
> Called from: src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_done: 1564
> (Fri Aug 12 11:28:26 2016) [sssd[be[LDAP]]] [fo_set_port_status] (0x0100): Marking port 636 of server 'blah' as 'not working'
> (Fri Aug 12 11:28:26 2016) [sssd[be[LDAP]]] [fo_set_port_status] (0x0400): Marking port 636 of duplicate server 'blah' as 'not working'
> (Fri Aug 12 11:28:26 2016) [sssd[be[LDAP]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
> (Fri Aug 12 11:28:26 2016) [sssd[be[LDAP]]] [get_server_status] (0x1000): Status of server 'blah' is 'name resolved'
> (Fri Aug 12 11:28:26 2016) [sssd[be[LDAP]]] [get_port_status] (0x1000): Port status of port 636 for server 'blah' is 'not working'
> (Fri Aug 12 11:28:26 2016) [sssd[be[LDAP]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
> (Fri Aug 12 11:28:26 2016) [sssd[be[LDAP]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
> (Fri Aug 12 11:28:26 2016) [sssd[be[LDAP]]] [check_online_callback] (0x0100): Backend returned: (1, 0, <NULL>) [Provider is Offline]
>
> LDAPTLS_REQCERT=never ldapsearch -Z -x uid=blah works...
>
> ldapsearch -Z debug:
>
> ldap_create
> ldap_extended_operation_s
> ldap_extended_operation
> ldap_send_initial_request
> ldap_new_connection 1 1 0
> ldap_int_open_connection
> ldap_connect_to_host: TCP blah:636
> ldap_new_socket: 3
> ldap_prepare_socket: 3
> ldap_connect_to_host: Trying blah:636
> ldap_pvt_connect: fd: 3 tm: -1 async: 0
> attempting to connect:
> connect success
> tls_write: want=137, written=137
>
> ldapsearch -ZZ debug shows the certificate has expired thus is not trusted.
>
> I have "ldap_tls_reqcert = never" set in sssd.conf as a temporary measure, while /etc/openldap/ldap.conf has "tls_reqcert allow." Shouldn't that allow TLS to work without verifying PKI chain?
>
> This LDAP server is over 9000 years old. We're in the process of replacing it, as well as switching from pam_ldap to sssd, so for now I would like to get this working even if we're undermining the purpose of PKI.
>
> Thanks for your help!
>
> Thanks,
>
> Douglas Duckworth, MSc, LFCS
> HPC System Administrator
> Physiology and Biophysics
> Weill Cornell Medicine
> E: [email protected]
> O: 212-746-5454
> F: 212-746-8690
>
> On Fri, Aug 12, 2016 at 4:08 AM, Jakub Hrozek <[email protected]> wrote:
>
>> On Thu, Aug 11, 2016 at 05:17:14PM -0400, Douglas Duckworth wrote:
>> > Hello
>> >
>> > I am able to enumerate users but not groups using "getent group."
>> >
>> > I believe our old LDAP server uses standard rfc2307 schema:
>> >
>> > # blah, Group, blah.blah.blah.edu
>> > dn: cn=blah,ou=Group,dc=blah,dc=blah,dc=blah,dc=edu
>> > objectClass: posixGroup
>> > objectClass: top
>> > cn: blahgroup
>> > gidNumber: 1045
>> > memberUid: blah
>> >
>> > I can login over ssh, use getent password, while id returns correct information:
>> >
>> > [root@nfs-server ~]# id LUZER
>> > uid=8877(LUZER) gid=1009 groups=1009
>> >
>> > My SSSD configuration and debug logs are attached.
>> >
>> > I can resolve the LDAP server and perform searches against it, though the logs do show repeated DNS issues. Though if DNS was a problem, and thus provider offline, then how could I login and enumerate users?
>>
>> These messages:
>> (Thu Aug 11 17:06:40 2016) [sssd[be[LDAP]]] [sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: Connect error
>> (Thu Aug 11 17:06:40 2016) [sssd[be[LDAP]]] [sss_ldap_init_state_destructor] (0x0400): calling ldap_unbind_ext for ldap:[0x183db80] sd:[18]
>> (Thu Aug 11 17:06:40 2016) [sssd[be[LDAP]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed: [5]: Input/output error.
>> (Thu Aug 11 17:06:40 2016) [sssd[be[LDAP]]] [sdap_handle_release] (0x2000): Trace: sh[0x1850770], connected[0], ops[(nil)], ldap[(nil)], destructor_lock[0], release_memory[0]
>> (Thu Aug 11 17:06:40 2016) [sssd[be[LDAP]]] [_be_fo_set_port_status] (0x8000): Setting status: PORT_NOT_WORKING. Called from: src/providers/ldap/sdap_async_connection.c: sdap_cli_connect_done: 1564
>> (Thu Aug 11 17:06:40 2016) [sssd[be[LDAP]]] [fo_set_port_status] (0x0100): Marking port 636 of server 'blah.blah.blah.edu' as 'not working'
>> (Thu Aug 11 17:06:40 2016) [sssd[be[LDAP]]] [fo_set_port_status] (0x0400): Marking port 636 of duplicate server 'blah.blah.blah.edu' as 'not working'
>> (Thu Aug 11 17:06:40 2016) [sssd[be[LDAP]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
>> (Thu Aug 11 17:06:40 2016) [sssd[be[LDAP]]] [get_server_status] (0x1000): Status of server 'blah.blah.blah.edu' is 'name resolved'
>> (Thu Aug 11 17:06:40 2016) [sssd[be[LDAP]]] [get_port_status] (0x1000): Port status of port 636 for server 'blah.blah.blah.edu' is 'not working'
>> (Thu Aug 11 17:06:40 2016) [sssd[be[LDAP]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
>> (Thu Aug 11 17:06:40 2016) [sssd[be[LDAP]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
>> (Thu Aug 11 17:06:40 2016) [sssd[be[LDAP]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
>> (Thu Aug 11 17:06:40 2016) [sssd[be[LDAP]]] [be_mark_offline] (0x2000): Going offline!
>> (Thu Aug 11 17:06:40 2016) [sssd[be[LDAP]]] [be_mark_offline] (0x2000): Initialize check_if_online_ptask.
>> (Thu Aug 11 17:06:40 2016) [sssd[be[LDAP]]] [be_ptask_create] (0x0400): Periodic task [Check if online (periodic)] was created
>> (Thu Aug 11 17:06:40 2016) [sssd[be[LDAP]]] [be_ptask_schedule] (0x0400): Task [Check if online (periodic)]: scheduling task 81 seconds from now [1470949681]
>> (Thu Aug 11 17:06:40 2016) [sssd[be[LDAP]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
>> (Thu Aug 11 17:06:40 2016) [sssd[be[LDAP]]] [sdap_id_op_connect_done] (0x4000): notify offline to op #1
>> (Thu Aug 11 17:06:40 2016) [sssd[be[LDAP]]] [sdap_dom_enum_ex_connected] (0x0400): Backend is marked offline, retry later!
>>
>> make it look like the certificate is not correct, sssd tries to connect to the server and fails.
>>
>> Does searching the server with ldapsearch using -ZZ succeed?
>> _______________________________________________
>> sssd-users mailing list
>> [email protected]
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.org_admin_lists_sssd-2Dusers-40lists.fedorahosted.org&d=DQIGaQ&c=lb62iw4YL4RFalcE2hQUQealT9-RXrryqt9KZX2qu2s&r=2Fzhh_78OGspKQpl_e-CbhH6xUjnRkaqPFUS2wTJ2cw&m=JsOPoBFWPBpJyy-yyj1h3uae8Lv75j8uDzdmH0lNtmI&s=ZGFp6o41jb-6yZ_8HbXk-oB3WympSLRZQDUcu0GA-CI&e=
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
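The thread works around an expired server certificate by setting ldap_tls_reqcert = never in sssd.conf, and also lists a plain ldap:// URI next to the ldaps:// one. The following is an added example, written for this page and not code from the thread participants or from the sssd project: a small checker that reads an sssd.conf with Python's configparser and reports, per LDAP domain, the settings that disable certificate verification or leave identity lookups unencrypted. Both configuration texts are constructed for the example (the first mirrors the temporary setup described above, the second is a hardened version); the CA file path is an assumption. The checker only inspects configuration and says nothing about why a given connection fails.

```python
"""Audit the TLS settings of the LDAP domains in an sssd.conf.

Added example (not sssd's own code). Reads an sssd.conf-style text and
reports settings that weaken or disable server certificate verification
or leave identity traffic in cleartext.
"""
import configparser
from typing import Dict, List

# ldap_tls_reqcert levels under which a session proceeds even when the server
# presents no certificate or a bad one (expired, wrong CA, wrong name).
# "try", "demand" and "hard" (the sssd default) still reject a bad certificate.
UNVERIFIED_REQCERT = {"never", "allow"}

# Constructed: mirrors the temporary setup described in the thread.
WEAK_CONF = """
[sssd]
domains = LDAP
services = nss, pam

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://blah, ldap://blah
ldap_search_base = dc=blah,dc=blah,dc=blah,dc=edu
ldap_tls_reqcert = never
"""

# Constructed: same domain with verification enforced against a pinned CA file
# (the path is an assumption for the example).
HARDENED_CONF = """
[sssd]
domains = LDAP
services = nss, pam

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://blah
ldap_search_base = dc=blah,dc=blah,dc=blah,dc=edu
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/ldap-ca.pem
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style; interpolation is off so a '%' in a value stays literal."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def audit_domain(cp: configparser.ConfigParser, section: str) -> List[str]:
    """Return one finding per weak TLS setting in an id_provider = ldap domain."""
    findings: List[str] = []
    uris = [u.strip() for u in cp.get(section, "ldap_uri", fallback="").split(",") if u.strip()]
    reqcert = cp.get(section, "ldap_tls_reqcert", fallback="hard").strip().lower()
    has_ca = bool(cp.get(section, "ldap_tls_cacert", fallback="").strip()
                  or cp.get(section, "ldap_tls_cacertdir", fallback="").strip())
    id_start_tls = cp.getboolean(section, "ldap_id_use_start_tls", fallback=False)

    if reqcert in UNVERIFIED_REQCERT:
        findings.append(
            f"ldap_tls_reqcert = {reqcert}: server certificate is not verified, "
            "so an expired or forged certificate is accepted (active MITM possible)")
    for uri in uris:
        # Identity lookups over a plain ldap:// URI are unencrypted unless sssd
        # is told to issue StartTLS for the id provider.
        if uri.startswith("ldap://") and not id_start_tls:
            findings.append(
                f"{uri}: identity lookups run in cleartext unless "
                "ldap_id_use_start_tls = true (or the URI is ldaps://)")
    if reqcert not in UNVERIFIED_REQCERT and not has_ca:
        findings.append(
            "no ldap_tls_cacert / ldap_tls_cacertdir: verification relies on the "
            "OpenLDAP client defaults (/etc/openldap/ldap.conf TLS_CACERT or the system store)")
    return findings


def audit(text: str) -> Dict[str, List[str]]:
    """Audit every [domain/*] section whose id_provider is ldap."""
    cp = parse_sssd_conf(text)
    return {
        s: audit_domain(cp, s)
        for s in cp.sections()
        if s.startswith("domain/") and cp.get(s, "id_provider", fallback="").strip() == "ldap"
    }


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for section, findings in audit(conf).items():
            print(f"{name} [{section}]: {len(findings)} finding(s)")
            for f in findings:
                print("  -", f)
```

On the constructed weak configuration the checker reports two findings (the never setting and the cleartext ldap:// URI); the hardened one reports none. Note that never and allow are the only levels that let the session continue on a bad certificate, which is why a temporary never should be paired with a plan to replace the certificate rather than left in place.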
