On Wed, Sep 28, 2016 at 12:46:56PM +0000, Speagle, Andy wrote:
If I perform a manual ldapsearch ... using the parameters indicated in
the "ldap_search_ext" call ... it works just fine. I've checked in the logs and I see that it marks the connection to the domain controller as "working" ... so, I'm not sure why sssd complains that a successful bind must be completed... that seems to have happened already...
I'm running sssd version 1.11.7 ...
Any ideas, folks?
Interesting, it looks like the LDAP bind was not attempted at all. You're running a version that is not so new; does adding ldap_default_authtok_type = password explicitly to sssd.conf work?
Sadly, adding that didn't help...
And a bit unrelated, but do you really need to use auth_provider=ldap? I would personally suggest to use auth_provider=krb5, like this:

    auth_provider = krb5
    krb5_server = kdc.example.com
    krb5_realm = EXAMPLE.COM
I can definitely make it work with kerberos... and have already proven that. The id source is AD ... and my Linux user base would like to try to avoid integration with AD as much as possible... so I was trying to find them a pure LDAP solution.
I think from the user's point of view it doesn't matter, since they would just type the same password and the protocol SSSD speaks towards the remote server is completely handled by SSSD.
Actually... I lied about the version... I'm using 1.13.3 on CentOS 6.8 ... if that makes any difference.
Any thoughts?
No, I'm sorry, this works for me. Do you see SSSD attempting StartTLS before the actual search?
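As an added example (not from this thread or from the SSSD project), here is what the responder's suggestion looks like as a complete domain section: AD stays the identity source over LDAP, but authentication is handed to the AD KDC over Kerberos, and the identity channel is forced through StartTLS with certificate verification. Hostnames, realm, search base, bind DN and the CA path are placeholders.

```ini
# Added example, not the poster's configuration. All host names, the realm,
# the search base, the bind account and the CA file path are placeholders.
# sssd.conf must be owned by root with mode 0600 or SSSD refuses to start;
# that is also what protects the bind password below.

[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
# Identity lookups (users, groups) go to the AD domain controller over LDAP.
id_provider = ldap
ldap_uri = ldap://dc.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = ad

# AD normally rejects anonymous searches, so the lookups need a bind account.
# ldap_default_authtok_type = password is the value the thread tried explicitly.
ldap_default_bind_dn = cn=sssd-lookup,ou=Service Accounts,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = PLACEHOLDER_BIND_PASSWORD

# Never send that bind, or directory data, in clear: require StartTLS before
# the search and verify the DC certificate against the AD CA.
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/ad-ca.pem

# User authentication goes to the AD KDC over Kerberos rather than through an
# LDAP simple bind, so user passwords never travel to the directory server.
auth_provider = krb5
krb5_server = dc.example.com
krb5_realm = EXAMPLE.COM
chpass_provider = krb5
```

With this split, an unexpected "bind" failure during a login points at the Kerberos side (KDC reachability, realm, clock skew), while the LDAP bind account only ever affects identity lookups.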