Hi,
I am trying to get SSSD to authenticate against an OpenLDAP directory. I have
"debug_level" turned up to 10 but have not been able to figure out what the
problem is based on the log.
On an Ubuntu 22.04 system I have found that something with TLS is broken when
it tries to connect to OpenLDAP, which is why it has failed on that system -- I
think this is related to the OS moving to OpenSSL 3 but have not been able to
figure out how to fix it.
On this CentOS 7 system, you can see that it can find the user, can get
properties from the user, but still fails the user login without, as far as I
can tell, explaining why.
I have pasted our sssd.conf below, and here is a link to my Nextcloud instance
where I am hosting the relevant portion of the log (it was too big for me to be
able to paste it into Pastebin):
https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD
Hoping someone can help us get to the bottom of this.
Thanks.
Here is our sssd.conf:
[sssd]
services = nss, pam
config_file_version = 2
domains = default
certificate_verification = no_verification
[nss]
[pam]
offline_credentials_expiration = 60
[domain/default]
debug_level = 10
ldap_id_use_start_tls = False
cache_credentials = True
ldap_search_base = ou=users,dc=clab,dc=lab
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ldaps://10.8.8.60:636
ldap_default_bind_dn = cn=admin,dc=clab,dc=lab
ldap_default_authtok = definitelyverysecurepassword
ldap_tls_reqcert = allow
ldap_tls_cacert = /usr/local/share/ca-certificates/mycacert.crt
ldap_tls_cacertdir = /usr/local/share/ca-certificates
ldap_tls_cert = /etc/ldap/ldapserver00_slapd_cert.pem
certificate_verification = no_verification
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
override_homedir = /home/%U
override_shell = /bin/bash
ldap_user_name = uid
auto_private_groups = true
sudo_provider = none
ldap_account_expire_policy = nds
ldap_passwd_policy = shadow
_______________________________________________
sssd-users mailing list -- [email protected]
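As a check on the posted sssd.conf, here is an added example; it is not code from the original post or from the SSSD project. It parses the configuration with configparser and reports the settings that weaken LDAP TLS or expose the bind credential, using the option semantics documented in sssd.conf(5) and sssd-ldap(5), then returns a hardened copy. The sample input is constructed from the posted config with the bind password replaced and unrelated options dropped; the `ldap.example.invalid` host in the usage note is an assumption.

```python
"""Audit an sssd.conf for settings that weaken LDAP TLS or expose credentials.

Added example for this thread, not code from the original post or from SSSD.
Option meanings follow sssd.conf(5) and sssd-ldap(5). SAMPLE_SSSD_CONF is
constructed from the posted config with the password redacted.
"""
import configparser
import io

SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = default
certificate_verification = no_verification
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_id_use_start_tls = False
ldap_uri = ldaps://10.8.8.60:636
ldap_default_bind_dn = cn=admin,dc=clab,dc=lab
ldap_default_authtok = REDACTED
ldap_tls_reqcert = allow
ldap_tls_cacert = /usr/local/share/ca-certificates/mycacert.crt
ldap_tls_cert = /etc/ldap/ldapserver00_slapd_cert.pem
certificate_verification = no_verification
override_homedir = /home/%U
"""


def load(text):
    """Parse sssd.conf text; interpolation is off because values contain '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit(cp):
    """Return (section, option, reason) tuples for every weak setting found."""
    findings = []
    for section in cp.sections():
        # certificate_verification only configures smartcard/certificate logins;
        # it has no effect on how SSSD validates the LDAP server certificate.
        if "no_verification" in cp.get(section, "certificate_verification", fallback=""):
            findings.append((section, "certificate_verification",
                             "disables smartcard certificate checks; does not affect ldap_uri TLS"))
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        reqcert = d.get("ldap_tls_reqcert", "hard").strip().lower()  # sssd-ldap(5) default: hard
        if reqcert in ("never", "allow"):
            findings.append((section, "ldap_tls_reqcert",
                             f"'{reqcert}' proceeds with a missing or bad server certificate; use 'demand'"))
        if "ldap_default_authtok" in d and d.get("ldap_default_authtok_type", "password") == "password":
            findings.append((section, "ldap_default_authtok",
                             "bind password stored in clear text; keep the file root-owned 0600"))
        # TLS client authentication needs both the certificate and its private key.
        if "ldap_tls_cert" in d and "ldap_tls_key" not in d:
            findings.append((section, "ldap_tls_cert",
                             "set without ldap_tls_key; file name suggests the server's certificate (assumption)"))
        uris = [u.strip() for u in d.get("ldap_uri", "").split(",")]
        if any(u.startswith("ldap://") for u in uris) and not d.getboolean("ldap_id_use_start_tls", fallback=False):
            findings.append((section, "ldap_uri", "plaintext ldap:// without ldap_id_use_start_tls"))
    return findings


def harden(cp):
    """Return a copy with the TLS-weakening options fixed; the password needs manual handling."""
    out = configparser.ConfigParser(interpolation=None)
    out.read_dict({s: dict(cp.items(s)) for s in cp.sections()})
    for section in out.sections():
        out.remove_option(section, "certificate_verification")  # restore the default (full checks)
        if not section.startswith("domain/"):
            continue
        d = out[section]
        if d.get("ldap_tls_reqcert", "hard").strip().lower() in ("never", "allow", "try"):
            d["ldap_tls_reqcert"] = "demand"
        if "ldap_tls_cert" in d and "ldap_tls_key" not in d:
            del d["ldap_tls_cert"]
        if any(u.strip().startswith("ldap://") for u in d.get("ldap_uri", "").split(",")):
            d["ldap_id_use_start_tls"] = "True"
    return out


def render(cp):
    """Serialize a ConfigParser back to sssd.conf text."""
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


if __name__ == "__main__":
    conf = load(SAMPLE_SSSD_CONF)
    for section, option, reason in audit(conf):
        print(f"[{section}] {option}: {reason}")
    print(render(harden(conf)))
```

The one finding the script cannot fix is the clear-text `ldap_default_authtok`; SSSD reads it from a root-owned 0600 file, and `sss_obfuscate` with `ldap_default_authtok_type = obfuscated_password` only hides it from casual reading. Because `certificate_verification` does not touch LDAP TLS, the equivalent manual check of the server certificate against the configured CA is `LDAPTLS_CACERT=/usr/local/share/ca-certificates/mycacert.crt LDAPTLS_REQCERT=demand ldapsearch -H ldaps://10.8.8.60:636 -x -b '' -s base`, which fails the same way SSSD does when the chain or the server's TLS settings are the problem.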