Problem Authenticating with Sun DS 5.2 - sssd-users - Fedora mailing-lists

4 Mar 2014


      I am running Centos 6.5 and installed the latest SSSD from the IPA repo, 1.11.90.
I've got it working to the point where I can run the 'id' command and it will return an LDAP user. When I try to authenticate using SSH however I just get "Permission denied". The SSSD log shows the bind is invalid, as if I'm using a bad password or bind DN.
(Tue Mar 4 15:20:29 2014) [sssd[be[LDAP]]] [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), no errmsg set
On my LDAP server I see that it is returning err=49.
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=-1 msgId=-1 - fd=520 slot=520 LDAPS connection from 10.50.2.35 to 10.50.2.10 
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=-1 msgId=-1 - SSL 128-bit RC4 
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=0 msgId=1 - BIND dn="uid=ACCOUNT,ou=People,dc=here,dc=com" method=128 version=3 
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0 
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=1 msgId=2 - UNBIND 
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=1 msgId=-1 - closing - U1 
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=-1 msgId=-1 - closed.
I've tested over and over and I know I'm using the correct password. Tried multiple accounts all with their correct passwords and get the same result.
I'm not using TLS, just LDAPS on port 636. Could it be that SSSD is using RC4 encryption and our LDAP server doesn't support RC4? Just not sure where else to go with this.
This is my SSSD config.
[domain/LDAP]
auth_provider = ldap 
cache_credentials = True 
chpass_provider = ldap 
entry_cache_timeout = 600 
enumerate = false
id_provider = ldap
ldap_id_use_start_tls = False
ldap_schema = rfc2307bis 
ldap_search_base = dc=here,dc=com
ldap_user_search_base = ou=people,dc=here,dc=com 
ldap_user_object_class = myObjClass 
ldap_user_name = uid
ldap_group_seach_base = ou=groups,dc=here,dc=com 
ldap_group_object_class = groupofuniquenames 
ldap_page_size = 100
ldap_uri = ldaps://ldap.here.com:636 
debug_level = 9
ldap_default_bind_dn = cn=BINDUSER,ou=applications,dc=here,dc=com 
ldap_default_authtok = XXXXXXXX
ldap_network_timeout = 3
ldap_tls_cacertdir = /etc/openclad/cacert 
ldap_tls_reqcert = never
ldap_access_filter = (department=My Department)
[sssd] 
config_file_version = 2 
services = nss, pam 
domains = LDAP
[nss] 
filter_users = root,named,avahi,haldaemon,dbus,radiusd,news,nscd
[pam]