On (24/03/14 12:04), kevin sullivan wrote:
Thanks for the response Jakub!
I couldn't run your command exactly because I don't use the start_tls command; I run everything over ldaps. I was able to bind anonymously using this command:
# ldapsearch -H "ldaps://test-server/" -b "uid=jharden,ou=Users,dc=example,dc=com"
I can even bind as the user using this command:
# ldapsearch -H "ldaps://test-server/" -b "uid=jharden,ou=Users,dc=example,dc=com" -D "uid=jharden,ou=Users,dc=example,dc=com" -W
I remade my CA, my server certificate, and my client certificate to make sure that I wasn't screwing something up with the certificates. Things still work with ldapsearch, but not with sssd.
I checked the source code of libldap (which is used by sssd), and return code 49 (0x31 LDAP_INVALID_CREDENTIALS) is returned only if there is a problem with the certificate.
sh-4.2$ grep -RniI -B2 LDAP_INVALID_CREDENTIALS
openldap-2.4.39/include/ldap.h-607-#define LDAP_X_PROXY_AUTHZ_FAILURE 0x2F /* LDAPv3 proxy authorization */
openldap-2.4.39/include/ldap.h-608-#define LDAP_INAPPROPRIATE_AUTH 0x30
openldap-2.4.39/include/ldap.h:609:#define LDAP_INVALID_CREDENTIALS 0x31
--
openldap-2.4.39/libraries/libldap/error.c-71-
openldap-2.4.39/libraries/libldap/error.c-72- C(LDAP_INAPPROPRIATE_AUTH, N_("Inappropriate authentication"));
openldap-2.4.39/libraries/libldap/error.c:73: C(LDAP_INVALID_CREDENTIALS, N_("Invalid credentials"));
--
openldap-2.4.39/libraries/libldap/tls_m.c-2744-
openldap-2.4.39/libraries/libldap/tls_m.c-2745- cert = SSL_LocalCertificate( s );
openldap-2.4.39/libraries/libldap/tls_m.c:2746: if (!cert) return LDAP_INVALID_CREDENTIALS;
--
openldap-2.4.39/libraries/libldap/tls_m.c-2759-
openldap-2.4.39/libraries/libldap/tls_m.c-2760- cert = SSL_PeerCertificate( s );
openldap-2.4.39/libraries/libldap/tls_m.c:2761: if (!cert) return LDAP_INVALID_CREDENTIALS;
--
openldap-2.4.39/libraries/libldap_r/error.c-71-
openldap-2.4.39/libraries/libldap_r/error.c-72- C(LDAP_INAPPROPRIATE_AUTH, N_("Inappropriate authentication"));
openldap-2.4.39/libraries/libldap_r/error.c:73: C(LDAP_INVALID_CREDENTIALS, N_("Invalid credentials"));
--
openldap-2.4.39/libraries/libldap_r/tls_m.c-2744-
openldap-2.4.39/libraries/libldap_r/tls_m.c-2745- cert = SSL_LocalCertificate( s );
openldap-2.4.39/libraries/libldap_r/tls_m.c:2746: if (!cert) return LDAP_INVALID_CREDENTIALS;
--
openldap-2.4.39/libraries/libldap_r/tls_m.c-2759-
openldap-2.4.39/libraries/libldap_r/tls_m.c-2760- cert = SSL_PeerCertificate( s );
openldap-2.4.39/libraries/libldap_r/tls_m.c:2761: if (!cert) return LDAP_INVALID_CREDENTIALS;
LS
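The grep above shows why a "49" from sssd can mislead: libldap's NSS backend (tls_m.c) hands back LDAP_INVALID_CREDENTIALS whenever SSL_LocalCertificate() or SSL_PeerCertificate() yields no certificate, so the same code covers a bad password and a client certificate that libldap could not load. The following pre-flight check is an added example, not code from this thread or from the sssd or OpenLDAP projects. It assumes the sssd.conf option names ldap_tls_cert, ldap_tls_key and ldap_tls_cacert, uses only standard openssl subcommands, and every file path in it is a constructed sample.

```shell
#!/bin/sh
# Added example: sanity-check the TLS client material sssd's LDAP provider
# passes to libldap, so that a certificate problem is found before it is
# reported as LDAP_INVALID_CREDENTIALS (49). Option names ldap_tls_cert /
# ldap_tls_key / ldap_tls_cacert are the sssd.conf options this script assumes.

# pubkey_of_cert CERT  -> prints the PEM public key embedded in CERT
pubkey_of_cert() {
    openssl x509 -noout -pubkey -in "$1" 2>/dev/null
}

# pubkey_of_key KEY    -> prints the PEM public key derived from private KEY
pubkey_of_key() {
    openssl pkey -pubout -in "$1" 2>/dev/null
}

# check_client_tls CERT KEY CACERT
# Returns 0 when every file is present and readable, KEY belongs to CERT and
# CERT chains to CACERT; otherwise prints the first failure and returns 1.
check_client_tls() {
    cert=$1; key=$2; cacert=$3
    for f in "$cert" "$key" "$cacert"; do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: '$f'"
            return 1
        fi
    done
    cert_pub=$(pubkey_of_cert "$cert")
    key_pub=$(pubkey_of_key "$key")
    if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
        echo "cannot parse certificate or key: $cert / $key"
        return 1
    fi
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate: $key / $cert"
        return 1
    fi
    if ! openssl verify -CAfile "$cacert" "$cert" >/dev/null 2>&1; then
        echo "certificate does not verify against CA: $cert"
        return 1
    fi
    echo "client TLS material OK"
    return 0
}

# read_sssd_tls_opt CONF OPTION -> prints the value of OPTION from CONF
# (plain "key = value" lookup; assumes a single LDAP domain section)
read_sssd_tls_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Stand-alone usage (sample invocation; the config path is an assumption):
#   sh check_sssd_tls.sh --from-conf /etc/sssd/sssd.conf
if [ "${1:-}" = "--from-conf" ]; then
    conf=${2:-/etc/sssd/sssd.conf}
    check_client_tls "$(read_sssd_tls_opt "$conf" ldap_tls_cert)" \
                     "$(read_sssd_tls_opt "$conf" ldap_tls_key)" \
                     "$(read_sssd_tls_opt "$conf" ldap_tls_cacert)"
fi
```

Run it as the account sssd actually uses when it opens the files, since readability by root says nothing about readability by an unprivileged service user. The peer-certificate branch in tls_m.c is covered separately by checking that the server presents a chain the same CA file accepts, for example with `openssl s_client -connect test-server:636 -CAfile <cacert>`.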