Thank you Jakub. I understand what we're doing isn't supported and is horrible practice. We are replacing the insecure LDAP server very soon.
I set ldap_uri = ldap://BLAH in sssd.conf and it seems to be working despite the expired cert. Though there are some error messages I would like to resolve.

We are using host-based access control:

    auth_provider = ldap
    access_provider = ldap
    ldap_access_order = host
    ldap_user_authorized_host = host

As you can see, sdap_access_host does grant access to accounts with the host attribute:

(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'BLAH' as 'working'
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [set_server_common_status] (0x0100): Marking server 'BLAH' as 'working'
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): domain: LDAP
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): user: sysadmin
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): service: sshd
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): tty: ssh
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): ruser:
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): rhost: proxy
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): authtok type: 0
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): priv: 1
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): cli_pid: 11864
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): logon name: not set
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [sdap_access_host] (0x0100): Access granted for [CLIENT]
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sending result [0][LDAP]
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sent result [0][LDAP]
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): domain: LDAP
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): user: sysadmin
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): service: sshd
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): tty: ssh
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): ruser:
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): rhost: proxy
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): authtok type: 0
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): priv: 1
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): cli_pid: 11864
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): logon name: not set
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [sdap_access_host] (0x0100): Access granted for [CLIENT]

Though right before the above successful login we see:

(Mon Aug 15 11:16:54 2016) [sssd[be[LDAP]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'BLAH' as 'working'
(Mon Aug 15 11:16:54 2016) [sssd[be[LDAP]]] [set_server_common_status] (0x0100): Marking server 'BLAH' as 'working'
(Mon Aug 15 11:16:54 2016) [sssd[be[LDAP]]] [sdap_get_generic_op_finished] (0x0040): Unexpected result from ldap: Protocol error(2), paged results cookie is invalid
(Mon Aug 15 11:16:54 2016) [sssd[be[LDAP]]] [generic_ext_search_handler] (0x0040): sdap_get_generic_ext_recv failed [5]: Input/output error
(Mon Aug 15 11:16:54 2016) [sssd[be[LDAP]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Mon Aug 15 11:16:54 2016) [sssd[be[LDAP]]] [sdap_dom_enum_ex_users_done] (0x0040): User enumeration failed: 5: Input/output error
(Mon Aug 15 11:16:54 2016) [sssd[be[LDAP]]] [be_ptask_done] (0x0040): Task [enumeration]: failed with [5]: Input/output error

Does this mean that enumeration occurs not with SSSD but NSS?
Thanks,

Douglas Duckworth, MSc, LFCS
HPC System Administrator
Physiology and Biophysics
Weill Cornell Medicine
E: [email protected]
O: 212-746-5454
F: 212-746-8690

On Mon, Aug 15, 2016 at 3:45 AM, Jakub Hrozek <[email protected]> wrote:
> On Fri, Aug 12, 2016 at 12:05:46PM -0400, Douglas Duckworth wrote:
> > Clarification
> >
> > This works:
> >
> > ldapsearch -x -ZZ -H ldap://blah dc=blah-x uid=me -d3
> >
> > Again says expired certificate.
> >
> > I set ldap_uri = ldaps://blah, ldap://blah and ldap_tls_reqcert = never in
> > sssd.conf but still failure.
>
> To be honest I'm not sure if setting the tls_reqcert value to never only
> hides the trust issues or also expiration issues.
>
> btw the ldapsearch is for ldap:// with TLS, but SSSD is asked for
> ldaps://, does sssd work with ldap:// only? (if you need confidentiality
> for identity lookups you can set ldap_id_use_start_tls. For
> authentication, TLS will be tried automatically, SSSD doesn't support
> authentication over an unencrypted channel)
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
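The following is an added example, not code from the thread or from the SSSD project. It does the two checks a practitioner would want after reading the exchange above: it parses sssd domain-log lines of the shape shown in the message (the sample lines are trimmed copies of the ones quoted above) and separates the 0x0040 failures of the back end's periodic "enumeration" task from the 0x0100 PAM access decision, and it audits a [domain/...] section of sssd.conf for the transport settings the thread discusses (ldap:// without ldap_id_use_start_tls, and ldap_tls_reqcert set to never or allow, which per sssd-ldap(5) means a bad or missing server certificate is ignored). The two sssd.conf fragments are constructed for the example; the host names and the CA bundle path in them are assumptions.

```python
import re
import configparser

# One sssd domain-log line, as quoted in the thread:
#   (timestamp) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# be_ptask_done message for a failed periodic task, e.g. the enumeration task.
PTASK_FAIL_RE = re.compile(r"Task \[(?P<task>[^\]]+)\]: failed with \[(?P<errno>\d+)\]")
LEVEL_MINOR_FAILURE = 0x0040  # sssd debug level used for the errors in the thread


def parse_sssd_log(text):
    """Return one dict per well-formed log line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["level"] = int(d["level"], 16)
            entries.append(d)
    return entries


def summarize_log(entries):
    """Split failed back-end tasks and sdap_access_host decisions out of the noise."""
    summary = {"failures": 0, "failed_tasks": [], "access": []}
    for e in entries:
        if e["level"] == LEVEL_MINOR_FAILURE:
            summary["failures"] += 1
        if e["func"] == "be_ptask_done":
            m = PTASK_FAIL_RE.search(e["msg"])
            if m:
                summary["failed_tasks"].append((m["task"], int(m["errno"])))
        if e["func"] == "sdap_access_host":
            verdict = "granted" if e["msg"].startswith("Access granted") else "not granted"
            summary["access"].append((verdict, e["msg"]))
    return summary


def audit_ldap_tls(conf_text, domain):
    """Flag weak transport/certificate settings in [domain/<domain>] of sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[f"domain/{domain}"]
    findings = []
    uris = [u.strip() for u in sec.get("ldap_uri", "").split(",") if u.strip()]
    start_tls = sec.getboolean("ldap_id_use_start_tls", fallback=False)  # sssd default: false
    for uri in uris:
        if uri.startswith("ldap://") and not start_tls:
            findings.append(f"identity lookups to {uri} are cleartext "
                            "(ldap:// without ldap_id_use_start_tls)")
    reqcert = sec.get("ldap_tls_reqcert", "hard").strip().lower()  # sssd default: hard
    if reqcert in ("never", "allow"):
        findings.append(f"server certificate is not verified (ldap_tls_reqcert = {reqcert})")
    return findings


# Trimmed copies of the log lines quoted in the thread.
SAMPLE_LOG = """
(Mon Aug 15 11:16:54 2016) [sssd[be[LDAP]]] [sdap_get_generic_op_finished] (0x0040): Unexpected result from ldap: Protocol error(2), paged results cookie is invalid
(Mon Aug 15 11:16:54 2016) [sssd[be[LDAP]]] [be_ptask_done] (0x0040): Task [enumeration]: failed with [5]: Input/output error
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): user: sysadmin
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [sdap_access_host] (0x0100): Access granted for [CLIENT]
"""

# Constructed sssd.conf fragments (not the poster's real file). The first mirrors
# the settings discussed in the thread; the second is the hardened counterpart.
WEAK_CONF = """
[sssd]
domains = LDAP
services = nss, pam

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
ldap_uri = ldap://BLAH
ldap_tls_reqcert = never
enumerate = true
"""

HARDENED_CONF = WEAK_CONF.replace("ldap_uri = ldap://BLAH", "ldap_uri = ldaps://BLAH") \
                         .replace("ldap_tls_reqcert = never",
                                  "ldap_tls_reqcert = demand\n"
                                  "ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt")  # assumed path

if __name__ == "__main__":
    s = summarize_log(parse_sssd_log(SAMPLE_LOG))
    print("failed back-end tasks:", s["failed_tasks"])
    print("access decisions:", s["access"])
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_ldap_tls(conf, 'LDAP') or ['no findings']}")
```

On the thread's own log, the summary attributes the 0x0040 errors to the back end's "enumeration" periodic task (errno 5) and leaves the sdap_access_host grant untouched; the weak fragment produces two findings and the hardened one none. Run the audit against a real /etc/sssd/sssd.conf by reading the file into `audit_ldap_tls`.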
