I am running Centos 6.5 and installed the latest SSSD from the IPA repo, 1.11.90.
I've got it working to the point where I can run the 'id' command and it will return an LDAP user. When I try to authenticate using SSH, however, I just get "Permission denied". The SSSD log shows the bind is invalid, as if I'm using a bad password or bind DN.
(Tue Mar 4 15:20:29 2014) [sssd[be[LDAP]]] [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), no errmsg set
On my LDAP server I see that it is returning err=49.
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=-1 msgId=-1 - fd=520 slot=520 LDAPS connection from 10.50.2.35 to 10.50.2.10
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=-1 msgId=-1 - SSL 128-bit RC4
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=0 msgId=1 - BIND dn="uid=ACCOUNT,ou=People,dc=here,dc=com" method=128 version=3
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=1 msgId=2 - UNBIND
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=1 msgId=-1 - closing - U1
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=-1 msgId=-1 - closed.
I've tested over and over and I know I'm using the correct password. Tried multiple accounts all with their correct passwords and get the same result.
I'm not using TLS, just LDAPS on port 636. Could it be that SSSD is using RC4 encryption and our LDAP server doesn't support RC4? Just not sure where else to go with this.
This is my SSSD config.
[domain/LDAP]
auth_provider = ldap
cache_credentials = True
chpass_provider = ldap
entry_cache_timeout = 600
enumerate = false
id_provider = ldap
ldap_id_use_start_tls = False
ldap_schema = rfc2307bis
ldap_search_base = dc=here,dc=com
ldap_user_search_base = ou=people,dc=here,dc=com
ldap_user_object_class = myObjClass
ldap_user_name = uid
ldap_group_search_base = ou=groups,dc=here,dc=com
ldap_group_object_class = groupofuniquenames
ldap_page_size = 100
ldap_uri = ldaps://ldap.here.com:636
debug_level = 9
ldap_default_bind_dn = cn=BINDUSER,ou=applications,dc=here,dc=com
ldap_default_authtok = XXXXXXXX
ldap_network_timeout = 3
ldap_tls_cacertdir = /etc/openclad/cacert
ldap_tls_reqcert = never
ldap_access_filter = (department=My Department)

[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[nss]
filter_users = root,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]
sssd-users@lists.fedorahosted.org
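As an added example (not from the post, from SSSD or from the directory server), here is a small Python script that pairs each BIND with its RESULT in the directory server's access log by conn and op number and counts err=49 (invalid credentials) per source IP and bind DN. That separates failures of the per-user authentication bind from failures of the service-account bind (here BINDUSER) and shows which host they come from. The log lines are constructed in the format quoted above; the DNs and addresses are the ones from the post.

```python
import re
from collections import defaultdict

# Constructed sample in the 389-ds / Red Hat DS access-log format shown in the post:
# one failed user bind (err=49) and one successful service-account bind (err=0).
SAMPLE_LOG = """\
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=-1 msgId=-1 - fd=520 slot=520 LDAPS connection from 10.50.2.35 to 10.50.2.10
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=-1 msgId=-1 - SSL 128-bit RC4
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=0 msgId=1 - BIND dn="uid=ACCOUNT,ou=People,dc=here,dc=com" method=128 version=3
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0
[04/Mar/2014:15:22:52 -0600] conn=2287156 op=1 msgId=2 - UNBIND
[04/Mar/2014:15:22:53 -0600] conn=2287157 op=-1 msgId=-1 - fd=521 slot=521 LDAPS connection from 10.50.2.35 to 10.50.2.10
[04/Mar/2014:15:22:53 -0600] conn=2287157 op=0 msgId=1 - BIND dn="cn=BINDUSER,ou=applications,dc=here,dc=com" method=128 version=3
[04/Mar/2014:15:22:53 -0600] conn=2287157 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0
"""

CONN_RE = re.compile(r"conn=(\d+) op=(-?\d+) .*?- (.*)$")   # conn, op, message after " - "
FROM_RE = re.compile(r"connection from (\S+) to")
BIND_RE = re.compile(r'BIND dn="([^"]*)"')
RESULT_RE = re.compile(r"RESULT err=(\d+)")

def parse_bind_results(log_text):
    """Return a list of (conn, client_ip, bind_dn, err), pairing each BIND with
    the RESULT that carries the same conn and op number."""
    client_ip = {}   # conn -> source IP taken from the 'connection from' line
    pending = {}     # (conn, op) -> bind DN still waiting for its RESULT
    results = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, op, msg = m.group(1), m.group(2), m.group(3)
        if (f := FROM_RE.search(msg)):
            client_ip[conn] = f.group(1)
        elif (b := BIND_RE.search(msg)):
            pending[(conn, op)] = b.group(1)
        elif (r := RESULT_RE.search(msg)) and (conn, op) in pending:
            dn = pending.pop((conn, op))
            results.append((conn, client_ip.get(conn, "?"), dn, int(r.group(1))))
    return results

def failed_binds(log_text):
    """Map (client_ip, bind_dn) -> number of err=49 (invalid credentials) results."""
    counts = defaultdict(int)
    for _conn, ip, dn, err in parse_bind_results(log_text):
        if err == 49:
            counts[(ip, dn)] += 1
    return dict(counts)

if __name__ == "__main__":
    for (ip, dn), n in failed_binds(SAMPLE_LOG).items():
        print(f"{n} failed bind(s) from {ip} as {dn}")
```

Run it against the real access log (`failed_binds(open(path).read())`) to see whether only the per-user binds from the SSSD host fail while the BINDUSER bind succeeds, which is the pattern in the post.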