On Tue, Dec 06, 2022 at 05:14:34PM -0600, Jarett DeAngelis wrote:
> Hi,
>
> I am trying to get SSSD to authenticate against an OpenLDAP directory. I have
> "debug_level" turned up to 10 but have not been able to figure out what the
> problem is based on the log.
>
> On an Ubuntu 22.04 system I have found that something with TLS is broken when
> it tries to connect to OpenLDAP, which is why it has failed on that system --
> I think this is related to the OS moving to OpenSSL 3 but have not been able
> to figure out how to fix it.
>
> On this CentOS 7 system, you can see that it can find the user, can get
> properties from the user, but still fails the user login without, as far as I
> can tell, explaining why.
>
> I have pasted our sssd.conf below, and here is a link to my Nextcloud
> instance where I am hosting the relevant portion of the log (it was too big
> for me to be able to paste it into Pastebin):
> https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD

Hi,

There is no authentication attempt covered in the log file. Are you sure
pam_sss.so is included in your PAM configuration and called for the specific
user?

bye,
Sumit

>
> Hoping someone can help us get to the bottom of this.
>
> Thanks.
>
> Here is our sssd.conf:
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = default
> certificate_verification = no_verification
>
> [nss]
>
> [pam]
> offline_credentials_expiration = 60
>
> [domain/default]
> debug_level = 10
> ldap_id_use_start_tls = False
> cache_credentials = True
> ldap_search_base = ou=users,dc=clab,dc=lab
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> access_provider = ldap
> ldap_uri = ldaps://10.8.8.60:636
> ldap_default_bind_dn = cn=admin,dc=clab,dc=lab
> ldap_default_authtok = definitelyverysecurepassword
> ldap_tls_reqcert = allow
> ldap_tls_cacert = /usr/local/share/ca-certificates/mycacert.crt
> ldap_tls_cacertdir = /usr/local/share/ca-certificates
> ldap_tls_cert = /etc/ldap/ldapserver00_slapd_cert.pem
> certificate_verification = no_verification
> ldap_search_timeout = 50
> ldap_network_timeout = 60
> ldap_access_order = filter
> ldap_access_filter = (objectClass=posixAccount)
> override_homedir = /home/%U
> override_shell = /bin/bash
> ldap_user_name = uid
> auto_private_groups = true
> sudo_provider = none
> ldap_account_expire_policy = nds
> ldap_passwd_policy = shadow

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
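Added example, not part of the thread and not SSSD project code: two checks a practitioner would run on the situation above. The first answers Sumit's question mechanically, whether a PAM stack actually lists pam_sss.so for the "auth" and "account" types (without "auth", PAM never hands the password to SSSD, so the SSSD log shows only the NSS lookups that Jarett saw). The second audits the LDAP transport settings in the posted sssd.conf, where `ldap_tls_reqcert = allow` means a server certificate that fails to verify is still accepted, and `certificate_verification` does not touch the LDAP TLS session at all (it governs smart-card/X.509 user certificates). The config and PAM snippets are constructed for the example; the function names are the example's own.

```python
"""Added example (not from the thread): check a PAM stack for pam_sss.so and
audit the LDAP transport settings of an sssd.conf."""
import configparser

# Constructed: the transport-relevant subset of the sssd.conf posted in the thread.
SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = default
certificate_verification = no_verification

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_id_use_start_tls = False
ldap_uri = ldaps://10.8.8.60:636
ldap_default_bind_dn = cn=admin,dc=clab,dc=lab
ldap_default_authtok = definitelyverysecurepassword
ldap_tls_reqcert = allow
ldap_tls_cacert = /usr/local/share/ca-certificates/mycacert.crt
certificate_verification = no_verification
"""

# Constructed PAM stacks in /etc/pam.d syntax: one without pam_sss.so (a host
# on which authconfig/authselect never enabled sssd) and one with it.
PAM_WITHOUT_SSS = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
"""
PAM_WITH_SSS = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
"""


def pam_types_calling_sss(pam_text):
    """Return the set of PAM types (auth, account, password, session) whose
    stack lists pam_sss.so.  Lines are '<type> <control> <module> [args]';
    the control field may be a bracketed list containing spaces, so the
    module is located by suffix rather than by field position."""
    types = set()
    for line in pam_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if any(f.endswith("pam_sss.so") for f in fields[1:]):
            types.add(fields[0].lstrip("-"))  # a leading '-' marks an optional type
    return types


def missing_pam_types_for_ldap_login(pam_text):
    """An LDAP login through SSSD needs pam_sss.so in both 'auth' and 'account'.
    Without 'auth', PAM never sends SSSD an authentication request: the log
    shows the user being found and its attributes fetched, then a failed login
    with no authentication attempt, which is the symptom in the thread."""
    return {"auth", "account"} - pam_types_calling_sss(pam_text)


def audit_sssd_transport(conf_text):
    """Return (key, message) findings for each [domain/...] section whose LDAP
    settings let the bind password travel without server verification."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        uri = d.get("ldap_uri", "").strip()
        start_tls = d.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        reqcert = d.get("ldap_tls_reqcert", "hard").strip().lower()  # SSSD's default is 'hard'
        if uri.startswith("ldap://") and not start_tls:
            findings.append(("plaintext", f"{section}: ldap:// without "
                             "ldap_id_use_start_tls sends the bind password in clear"))
        if reqcert in ("never", "allow"):
            findings.append(("reqcert", f"{section}: ldap_tls_reqcert={reqcert} "
                             "continues even when the server certificate fails to verify"))
        if "certificate_verification" in d:
            findings.append(("certificate_verification", f"{section}: certificate_verification "
                             "governs smart-card/X.509 user certificates, not the LDAP TLS session"))
        if "ldap_default_authtok" in d:
            findings.append(("bind_password", f"{section}: bind password stored in sssd.conf; "
                             "the file must stay root-owned with mode 0600 (SSSD checks this at startup)"))
    return findings


if __name__ == "__main__":
    print("missing PAM types:", sorted(missing_pam_types_for_ldap_login(PAM_WITHOUT_SSS)))
    for _, msg in audit_sssd_transport(SSSD_CONF):
        print(msg)
```

Run it against the real files by reading `/etc/pam.d/system-auth` (or `common-auth` and `common-account` on Ubuntu) and `/etc/sssd/sssd.conf` instead of the constructed strings. With `ldaps://` the fix for the reqcert finding is `ldap_tls_reqcert = demand` plus a `ldap_tls_cacert` that actually contains the issuing CA; note also that `ldap_tls_cert` in the posted config is the client certificate SSSD would present to the server, so a path named after the server's slapd certificate is worth re-checking.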
