MS SRV records set up _ldap._tcp records only, not _ldaps._tcp records. You can add _ldaps._tcp records manually and that should work.

Chris Paul
Rex Consulting, Inc
email: chris.paul@rexconsulting.net
web: http://www.rexconsulting.net
phone, toll-free: +1 (888) 403-8996 ext 1
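To check which service names a site actually publishes before relying on the manual records suggested above, here is an added Python example (not from this thread or from SSSD itself) that applies RFC 2782 ordering to SRV answers for `_ldap._tcp` and `_ldaps._tcp` under the site's discovery domain and flags a site that only publishes plain LDAP; every record, hostname and the in-memory "DNS" are constructed for the example.

```python
"""Report LDAP/LDAPS SRV discovery results for an AD site (example code)."""
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

# Constructed DNS answers mirroring the post: AD publishes _ldap._tcp (389)
# by default; _ldaps._tcp (636) exists only where someone added it by hand.
CONSTRUCTED_DNS = {
    "_ldap._tcp.NORWAY._sites.AD.MYDOMAIN.COM": [
        SRV(0, 100, 389, "dc1.ad.mydomain.com"),
        SRV(0, 100, 389, "dc2.ad.mydomain.com"),
        SRV(10, 100, 389, "dc3.ad.mydomain.com"),
    ],
    "_ldaps._tcp.NORWAY._sites.AD.MYDOMAIN.COM": [
        SRV(0, 100, 636, "dc1.ad.mydomain.com"),
        SRV(0, 100, 636, "dc2.ad.mydomain.com"),
    ],
}

def rfc2782_order(records, rng=None):
    """Lowest priority first; weighted-random order within one priority."""
    rng = rng or random.Random(0)  # seeded so runs are reproducible
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            pick, acc = (rng.uniform(0, total) if total else 0), 0
            for r in pool:
                acc += r.weight
                if pick <= acc:
                    break
            ordered.append(r)
            pool.remove(r)
    return ordered

def discover(service, discovery_domain, dns=CONSTRUCTED_DNS):
    """URIs for one service ('ldap' or 'ldaps') under a discovery domain."""
    name = f"_{service}._tcp.{discovery_domain}"
    return [f"{service}://{r.target}:{r.port}" for r in rfc2782_order(dns.get(name, []))]

def site_report(discovery_domain, dns=CONSTRUCTED_DNS):
    """Both services side by side; ldaps_published=False is the 389-only case."""
    ldap, ldaps = discover("ldap", discovery_domain, dns), discover("ldaps", discovery_domain, dns)
    return {"ldap": ldap, "ldaps": ldaps, "ldaps_published": bool(ldaps)}

if __name__ == "__main__":
    print(site_report("NORWAY._sites.AD.MYDOMAIN.COM"))
```

Replacing the dictionary with real SRV answers (for example from `dig SRV`) turns this into a quick audit of a site's published records.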


On 8/28/20 3:19 AM, Vjay wrote:
Hi,

We are trying to use the Active Directory site discovery feature for our SSSD configurations. Our Domain Controllers are running on Windows 2016 / 2019 OS. We are not joining our Linux machines to the AD Domain and use the following sssd domain configuration.

[domain/default]
auth_provider = krb5
cache_credentials = True
chpass_provider = krb5
dns_discovery_domain = NORWAY._sites.AD.MYDOMAIN.COM
debug_level = 7
enumerate = False
id_provider = ldap
krb5_realm = AD.MYDOMAIN.COM
ldap_default_authtok = xxxx
ldap_default_authtok_type = obfuscated_password
ldap_default_bind_dn = xxxx
ldap_schema = ad
ldap_search_base = ou=base,dc=ad,dc=mydomain,dc=com
use_fully_qualified_names = False
ldap_id_mapping = True
default_shell = /bin/bash
ldap_tls_cacertdir = /etc/openldap/certs
ldap_user_fullname = displayName
ldap_user_gecos = displayName
ldap_user_objectsid = objectSid
ldap_group_objectsid = objectSid
ldap_use_tokengroups = False
ignore_group_members = true

Here with site discovery, it is able to find the nearest domain controller, but it is trying to connect to the LDAP server on port 389. Our domain controllers are only allowing connections on port 636, so the requests from the Linux servers are getting rejected.

If I directly configure domain controller names in the ldap_uri setting like below and remove the site discovery configuration, everything is working fine.
ldap_uri = ldaps://mydc.mydomain.com

But we don't want to hard code our domain controllers in configurations. Is there a way to use AD site discovery feature with ldaps?

Thanks for your time.

Regards,
//Vjay
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
