Hi
I want to set up sssd to use ldap_default_bind_dn and ldap_default_authok. Currently I have in my sssd.conf:
ldap_default_bind_dn = cn=sssd,ou=services,dc=myhost,dc=net
ldap_default_authok = mypassword
I understand that I would have to put 'mypassword' in ldap under the name of 'sssd'. The problem I'm facing is that when I type sss_obfuscate I get this:
  File "/usr/sbin/sss_obfuscate", line 81
    print "Cannot read internal configuration files"
/etc/sssd/sssd.conf is readable for everyone (rw- r-- r--). I'm using Gentoo. Are there any other files sss_obfuscate needs access to?
The other question is regarding the ldap attributes sssd needs to have access to in ldap database. I thought I would list those attributes in my slapd.conf access list and grant the access to the 'sssd' user entry. Is this a sensible way to configure sssd?
Thanks in advance,
Robert
On Wed, 2014-06-04 at 18:15 +0100, Robert Zmijan wrote:
chmod 0600 /etc/sssd/sssd.conf
On Wed, 2014-06-04 at 18:15 +0100, Robert Zmijan wrote:
chmod 0600 /etc/sssd/sssd.conf
Just did that. Running sss_obfuscate still has the same effect as above:
  File "/usr/sbin/sss_obfuscate", line 81
    print "Cannot read internal configuration files"
SyntaxError: invalid syntax
On 06/04/2014 04:13 PM, Robert Zmijan wrote:
"invalid syntax" probably means you have an error in the config file. Mind including it so we can help you spot the syntax error?
On 06/04/2014 04:13 PM, Robert Zmijan wrote:
Sure, did you mean sssd.conf?
here it is
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]

# Example LDAP domain
[domain/LDAP]
id_provider = ldap
ldap_id_use_start_tls = True
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_access_filter = gidNumber=100
ldap_user_ssh_public_key = sshPublicKey
ldap_default_bind_dn=cn=sssd,ou=services,dc=myhost,dc=net
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/openldap/ssl/ldapscert.crt
ldap_uri = ldap://127.0.0.1
ldap_search_base = dc=homelinux,dc=net
ldap_user_search_base = ou=People,dc=myhost,dc=net
ldap_group_search_base = ou=Group,dc=myhost,dc=net
enumerate = true
cache_credentials = true
On Wed, Jun 04, 2014 at 11:54:39PM +0100, Robert Zmijan wrote:
This configuration looks good and is working for me with sss_obfuscate. Which platform/distribution do you use? Maybe there are issues with the path to the config file? You can use the -f option to explicitly tell sss_obfuscate which config file to read.
HTH
bye, Sumit
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
On Wed, Jun 04, 2014 at 11:54:39PM +0100, Robert Zmijan wrote:
I'm using Gentoo. No luck so far. I even copied the sssd.conf to my home directory, gave 666 permissions and did sss_obfuscate -f /root/sssd.conf
Again I get
  File "/usr/sbin/sss_obfuscate", line 81
    print "Cannot read internal configuration files"
SyntaxError: invalid syntax
I guess the issue is more basic, and broader than just permission to sssd.conf
The line "Cannot read internal configuration files" sounds too enigmatic to me. What configuration files are meant to be read?
Does sssd need access to other config files to do sss_obfuscate?
Robert
On (05/06/14 16:43), Robert Zmijan wrote:
I'm using Gentoo. No luck so far. I even copied the sssd.conf to my home directory, gave 666 permissions and did sss_obfuscate -f /root/sssd.conf
sssd.conf has to have permissions 0600, otherwise sssd will not start.
Again I get
  File "/usr/sbin/sss_obfuscate", line 81
    print "Cannot read internal configuration files"
SyntaxError: invalid syntax
/usr/sbin/sss_obfuscate is a python script. You can try to debug this script if you have such python skills :-) https://docs.python.org/2/library/pdb.html
I guess the issue is more basic, and broader than just permission to sssd.conf
The line "Cannot read internal configuration files" sounds too enigmatic to me. What configuration files are meant to be read?
Do you run sss_obfuscate as root?
LS
On (05/06/14 16:43), Robert Zmijan wrote:
Do you run sss_obfuscate as root?
Yes, however I ssh as a normal user and then su into root. Might I be experiencing this because $PATH is actually not as it's supposed to be?
On Wed, Jun 04, 2014 at 11:54:39PM +0100, Robert Zmijan wrote:
Also I notice sss_obfuscate is a python script. On my system the beginning of the script looks like this:
---------
#!/usr/bin/python
import sys
from optparse import OptionParser
import pysss
import SSSDConfig
import getpass
-----------
How can I check if these things are in my system and are imported properly? I'm guessing my issue can be due to python incompatibility, or missing libraries?
R.
On 06/04/2014 06:54 PM, Robert Zmijan wrote:
enumerate = true
Please do not use enumerate=true unless you really need to. In most cases it should not be enabled. It seems that your case is such.
2c. Dmitri
On 06/04/2014 06:54 PM, Robert Zmijan wrote:
Thanks, I'll change the enumerate value.
By the way, I solved my problem with sss_obfuscate on my Gentoo. The sss_obfuscate script is not compatible with python 3.3 which is the default interpreter in my system. Changing the first line of the sss_obfuscate to:
#!/usr/bin/python2.7 (instead of '#!/usr/bin/python')
and adding
export PYTHONPATH=${PYTHONPATH}:/usr/lib64/python2.7/site-packages
to .bashrc
solved the problem
The message "Cannot read internal configuration files" was all about python3.3 complaining about the python2.7 syntax of the sss_obfuscate script, and the lacking path to the SSSD-specific *.py modules.
Now I have my obfuscated passwd in sssd.config file. Can you tell me what is now best to do on the ldap side to make SSSD authenticate itself with that password?
R.
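A small audit of sssd.conf for the three points raised in the thread (the file must be 0600 or sssd will not start, enumerate should stay off, and the bind password should be stored obfuscated rather than in clear text); this is an added example, not SSSD's own code, and the sample config is constructed to resemble the one posted above. It assumes sss_obfuscate writes ldap_default_authtok_type = obfuscated_password next to the obfuscated token, which is what the option is documented to do.

```python
"""Audit an sssd.conf for the points raised in the thread (added example,
not SSSD's own code): file mode 0600, enumerate off, bind password obfuscated."""
import configparser
import os
import stat
import tempfile

# Constructed sample resembling the posted config: plaintext
# ldap_default_authtok (as the poster started with) and enumerate switched on.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://127.0.0.1
ldap_default_bind_dn = cn=sssd,ou=services,dc=myhost,dc=net
ldap_default_authtok = mypassword
enumerate = true
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-style; keep option case and disable % interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_domain(cp, section):
    """Return a list of findings for one [domain/...] section."""
    findings = []
    sec = cp[section]
    # Dmitri's advice in the thread: enumerate only when really needed.
    if sec.get("enumerate", "false").strip().lower() == "true":
        findings.append(f"{section}: enumerate = true; disable unless really needed")
    authtok = sec.get("ldap_default_authtok")
    # Assumption: sss_obfuscate sets ldap_default_authtok_type = obfuscated_password.
    authtok_type = sec.get("ldap_default_authtok_type", "password").strip()
    if authtok and authtok_type != "obfuscated_password":
        findings.append(f"{section}: ldap_default_authtok stored in clear text; "
                        "run sss_obfuscate to store it obfuscated")
    if sec.get("ldap_default_bind_dn") and not authtok:
        findings.append(f"{section}: ldap_default_bind_dn set but no ldap_default_authtok")
    return findings


def audit_file_mode(path):
    """sssd refuses to start unless sssd.conf is 0600 (thread: 'chmod 0600')."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode != 0o600:
        return [f"{path}: mode is {mode:04o}, expected 0600"]
    return []


def audit_sssd_conf(path):
    """Combine the file-mode check with the per-domain checks."""
    with open(path) as fh:
        cp = parse_sssd_conf(fh.read())
    findings = audit_file_mode(path)
    for section in cp.sections():
        if section.startswith("domain/"):
            findings.extend(audit_domain(cp, section))
    return findings


def demo():
    """Write the constructed sample world-readable (like the poster's rw-r--r--) and audit it."""
    fd, path = tempfile.mkstemp(suffix="sssd.conf")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_CONF)
    os.chmod(path, 0o644)
    try:
        return audit_sssd_conf(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```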
On Fri, Jun 06, 2014 at 09:40:09AM +0100, Robert Zmijan wrote:
great, thank you for sharing your findings. I guess they are valuable for other users as well as long as we have not fixed https://fedorahosted.org/sssd/ticket/2017 "Python 3 support" which is scheduled for 1.13.
Now I have my obfuscated passwd in sssd.config file. Can you tell me what is now best to do on the ldap side to make SSSD authenticate itself with that password?
You have to create the cn=sssd,ou=services,dc=myhost,dc=net user object and set the password. Additionally I would recommend assigning appropriate access control for this user. E.g. it should not be allowed to read passwords.
HTH
bye, Sumit
On Fri, Jun 06, 2014 at 09:40:09AM +0100, Robert Zmijan wrote:
Thanks Sumit
What ldap attributes would the cn=sssd,ou=services,dc=myhost,dc=net user need (read) access to, so I can list them in the slapd.conf access list? Another question: shall I copy the obfuscated passwd string straight into the ldap sssd user's passwd attribute entry? What encryption type shall I choose in ldap for the obfuscated string: md5, crypt, sha...?
R.
On Fri, Jun 06, 2014 at 10:14:55AM +0100, Robert Zmijan wrote:
What ldap attributes would the cn=sssd,ou=services,dc=myhost,dc=net user need (read) access to, so I can list them in the slapd.conf access list?
You can find the list of attributes SSSD is using at https://git.fedorahosted.org/cgit/sssd.git/tree/src/providers/ldap/ldap_opts...
Another question, shall I copy the obfuscated passwd string straight into the ldap sssd user's passwd attribute entry? What encryption type shall I choose in ldap for the obfuscated string, md5, crypt, sha... ?
I would suggest creating the LDAP object without the password entry and then using ldappasswd to set it. Btw, you have to use the original password, not the obfuscated one. SSSD will un-obfuscate the string from sssd.conf and will use the result as bind password. SSSD allows you to obfuscate the password just to make sure that someone looking over your shoulder does not know the password immediately.
HTH
bye, Sumit
R.
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
OK, I understand why it should not be able to read passwords. However, under 'access to attrs=userPassword' in my slapd.conf, if I comment out the line 'by dn="userid=sssd,ou=People,dc=myhost,dc=net" read', sssd cannot establish a successful bind. In consequence I cannot log any user in. What is the best way to allow sssd to read its own password but not allow access to others' passwords?
Below is my slapd.conf:
---------------
access to dn="cn=subschema"
    by * read

access to attrs=userPassword
    by dn="uid=root,ou=People,dc=myhost,dc=net" write
    by dn="userid=sssd,ou=People,dc=myhost,dc=net" read
    by self write
    by anonymous auth
    by * auth

access to attrs=sshPublicKey
    by dn="uid=root,ou=People,dc=myhost,dc=net" write
    by self write
    by * read

access to *
    by dn="cn=user1,ou=People,dc=myhost,dc=net" read
    by dn="uid=user3,ou=People,dc=myhost,dc=net" write
    by dn="uid=user2,ou=People,dc=myhost,dc=net" write
    by dn="uid=root,ou=People,dc=myhost,dc=net" write
    by dn="userid=sssd,ou=People,dc=myhost,dc=net" read
    by * search
On 06/09/2014 01:56 PM, Robert Zmijan wrote:
Can you bind with the sssd user and its password via an LDAP search command, with or without this setting? You should be able to, because when you remove the line sssd would authenticate as itself and thus the self rules would apply. If this is possible, that means that your password is OK and the problem is in SSSD. If it fails, this means that your password for the SSSD user is not correct (maybe it requires a change).
Dealing with OpenLDAP ACLs is rather off-topic here. But I feel it's appropriate to point to this FAQ entry:
http://www.openldap.org/faq/data/cache/320.html
Hint: Even sssd does not have to read its own password hash.
You can safely omit this line
by anonymous auth
because there's already this last line
by * auth
More details in the OpenLDAP Faq-O-Matic and slapd.access(5). Feel free to ask OpenLDAP ACL questions on the openldap-technical mailing list.
And yes, try to test by simulating with ldapsearch like Dmitri suggested.
Ciao, Michael.
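Michael's hint, worked through as an added example that is not code from this thread or from OpenLDAP: a small Python model of slapd.access(5) first-match evaluation over the posted userPassword directive. It shows that a simple bind is authorised while the requester is still anonymous and needs only the auth level (granted here by 'by anonymous auth' or the final 'by * auth'), so removing the sssd 'read' clause keeps the bind working while taking away read access to other users' password hashes. The user2 DN is borrowed from the posted 'access to *' directive, and only the <who> forms used in that file are handled.

```python
import re
# slapd.access(5) privilege levels in order; a grant at one level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
# Constructed sample: the thread's userPassword directive, with and without the sssd "read" clause.
ACL_WITH_READ = """
access to attrs=userPassword
    by dn="uid=root,ou=People,dc=myhost,dc=net" write
    by dn="userid=sssd,ou=People,dc=myhost,dc=net" read
    by self write
    by anonymous auth
    by * auth
"""
ACL_LEAST_PRIV = ACL_WITH_READ.replace('    by dn="userid=sssd,ou=People,dc=myhost,dc=net" read\n', "")
SSSD_DN = "userid=sssd,ou=People,dc=myhost,dc=net"
USER_DN = "uid=user2,ou=People,dc=myhost,dc=net"  # an ordinary user DN taken from the posted ACL

def parse_acl(text):
    """Parse 'access to <what> by <who> <level> ...' directives (the subset of slapd syntax used above)."""
    blocks = [b.strip() for b in re.split(r"(?m)^\s*access to\s+", text) if b.strip()]
    return [(what, [tuple(c.rsplit(None, 1)) for c in clauses])
            for what, *clauses in (re.split(r"\s+by\s+", b) for b in blocks)]

def who_matches(who, bind_dn, target_dn):
    """Evaluate one <who> term; bind_dn is None for an anonymous (not yet bound) requester."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    m = re.fullmatch(r'dn="([^"]+)"', who)
    return bool(m) and bind_dn is not None and m.group(1).lower() == bind_dn.lower()

def granted_level(acl_text, what, bind_dn, target_dn):
    """First matching 'access to' directive wins, then its first matching 'by' clause (else none)."""
    for acl_what, clauses in parse_acl(acl_text):
        if acl_what == what:
            return next((lvl for who, lvl in clauses if who_matches(who, bind_dn, target_dn)), "none")
    return "none"

def bind_allowed(acl_text, bind_dn):
    # A simple bind is evaluated while still anonymous; it needs 'auth' on the target entry's userPassword.
    return LEVELS.index(granted_level(acl_text, "attrs=userPassword", None, bind_dn)) >= LEVELS.index("auth")

def can_read_password(acl_text, bind_dn, target_dn):
    # Whether an already-bound bind_dn may read target_dn's userPassword hash.
    return LEVELS.index(granted_level(acl_text, "attrs=userPassword", bind_dn, target_dn)) >= LEVELS.index("read")

if __name__ == "__main__":
    print("bind ok:", bind_allowed(ACL_LEAST_PRIV, SSSD_DN), "| reads others' hashes:", can_read_password(ACL_LEAST_PRIV, SSSD_DN, USER_DN))
```

The model covers only the directive in question; a real slapd also consults the later 'access to' directives and supports <who> forms (group, set, regex) that are left out here.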
Thanks Michael and Dmitri. I tested two cases:
1) I commented out under 'access to attrs=userPassword' the entry 'by dn="userid=sssd,ou=People,dc=myhost,dc=net" read'
and did
ldapsearch -LLL -ZZ -h 127.0.0.1 -D userid=sssd,ou=People,dc=myhost,dc=net -w mysssdpasswd -b userid=sssd,ou=people,dc=myhost,dc=net
result: ldap_bind: Invalid credentials (49)
When the same line is not commented out, the search succeeds.
It is most likely that I missed something in the ldap configuration. SSSD has clearly nothing to do here.
I'll search for solutions on the ldap faq/groups
Cheers Robert