Hi all,
I have a 389ds server that uses a certmap to map client certificates to a valid bind, and this works fine.
I am struggling to get sssd on ubuntu trusty to use a client certificate to talk to this server, and I don't know what I'm doing wrong. My /etc/sssd/sssd.conf looks like below.
[sssd]
config_file_version = 2
domains = LDAP
services = nss, pam

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

# A native LDAP domain
[domain/LDAP]
enumerate = true
cache_credentials = TRUE
debug_level = 9

id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

ldap_uri = ldaps://ldap.example.com:636
ldap_user_search_base = dc=example,dc=com
tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/root-ca.crt
ldap_tls_cert = /etc/ssl/certs/my.crt
ldap_tls_key = /etc/ssl/private/my.key
ldap_sasl_mech = EXTERNAL
When sssd attempts to connect to the LDAP server, first it connects and makes an anonymous bind, which the server refuses. sssd then tries to make a SASL EXTERNAL bind, which fails claiming external isn't a valid bind method.
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x0400): Search result: Inappropriate authentication(48), Anonymous access is not allowed.
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Inappropriate authentication(48), Anonymous access is not allowed.
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_get_server_opts_from_rootdse] (0x0200): No known USN scheme is supported by this server!
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1458231814
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: EXTERNAL, user: (null)
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-6)[Unknown authentication method]
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-4): no mechanism available: ]
From what I can see, there is no attempt to use the client certificate at all.
Can anyone point out where I am going wrong?
Regards, Graham --
On Thu, Mar 17, 2016 at 05:04:52PM -0000, minfrin@sharp.fm wrote:
> Hi all,
> I have a 389ds server that uses a certmap to map client certificates to a valid bind, and this works fine.
> I am struggling to get sssd on ubuntu trusty to use a client certificate to talk to this server, and I don't know what I'm doing wrong. My /etc/sssd/sssd.conf looks like below.
>
> [sssd]
> config_file_version = 2
> domains = LDAP
> services = nss, pam
>
> [nss]
> filter_groups = root
> filter_users = root
> reconnection_retries = 3
> entry_cache_timeout = 300
> entry_cache_nowait_percentage = 75
>
> [pam]
> reconnection_retries = 3
> offline_credentials_expiration = 2
> offline_failed_login_attempts = 3
> offline_failed_login_delay = 5
>
> # A native LDAP domain
> [domain/LDAP]
> enumerate = true
> cache_credentials = TRUE
> debug_level = 9
>
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
>
> ldap_uri = ldaps://ldap.example.com:636
> ldap_user_search_base = dc=example,dc=com
> tls_reqcert = demand
> ldap_tls_cacert = /etc/ssl/certs/root-ca.crt
> ldap_tls_cert = /etc/ssl/certs/my.crt
> ldap_tls_key = /etc/ssl/private/my.key
> ldap_sasl_mech = EXTERNAL
>
> When sssd attempts to connect to the LDAP server, first it connects and makes an anonymous bind, which the server refuses. sssd then tries to make a SASL EXTERNAL bind, which fails claiming external isn't a valid bind method.
>
> (Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
> (Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x0400): Search result: Inappropriate authentication(48), Anonymous access is not allowed.
> (Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Inappropriate authentication(48), Anonymous access is not allowed.
> (Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
> (Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_get_server_opts_from_rootdse] (0x0200): No known USN scheme is supported by this server!
> (Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
> (Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_cli_auth_step] (0x1000): the connection will expire at 1458231814
> (Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: EXTERNAL, user: (null)
> (Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sasl_bind_send] (0x0020): ldap_sasl_bind failed (-6)[Unknown authentication method]
> (Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-4): no mechanism available: ]
>
> From what I can see, there is no attempt to use the client certificate at all.
> Can anyone point out where I am going wrong?
Does it make a difference if you use:
ldap_uri = ldap://ldap.example.com
ldap_id_use_start_tls = true
Does ldapsearch on the command line work?
LDAPTLS_CERT=/etc/ssl/certs/my.crt LDAPTLS_KEY=/etc/ssl/private/my.key ldapsearch -H ldap://ldap.example.com -ZZ -Y EXTERNAL -b '' -s base
LDAPTLS_CERT=/etc/ssl/certs/my.crt LDAPTLS_KEY=/etc/ssl/private/my.key ldapsearch -H ldaps://ldap.example.com -Y EXTERNAL -b '' -s base
bye, Sumit
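An added example, not from the thread or from the sssd project: a Python sanity check of the sssd.conf prerequisites for a SASL EXTERNAL bind, covering the points raised above (client cert and key configured, TLS either via ldaps:// or via ldap:// plus ldap_id_use_start_tls as Sumit suggests) and the spelling of the server-verification option, which the sssd-ldap man page names ldap_tls_reqcert rather than the bare tls_reqcert in the posted config. The sample section is constructed from the posted values and check_sasl_external is my own function name.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample modelled on the [domain/LDAP] section posted in the
# thread (same option names and example values; other sections omitted).
SAMPLE_SSSD_CONF = """[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com:636
ldap_user_search_base = dc=example,dc=com
tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/root-ca.crt
ldap_tls_cert = /etc/ssl/certs/my.crt
ldap_tls_key = /etc/ssl/private/my.key
ldap_sasl_mech = EXTERNAL
"""
TRUE_VALUES = {"true", "yes", "1"}


def check_sasl_external(conf_text, domain="LDAP"):
    """Return findings for a domain that binds with ldap_sasl_mech = EXTERNAL."""
    # Only '=' as delimiter: URIs and DNs in values contain ':' and '='.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(conf_text)
    sec = cp[f"domain/{domain}"]
    findings = []
    if sec.get("ldap_sasl_mech", "").strip().upper() != "EXTERNAL":
        return findings  # other mechanisms carry their own credentials

    # EXTERNAL has no credentials of its own: the identity is the TLS client
    # certificate, so both halves of the key pair must be configured.
    for opt in ("ldap_tls_cert", "ldap_tls_key"):
        if not sec.get(opt):
            findings.append(f"{opt} missing: EXTERNAL has no identity without a client certificate")

    # The certificate is only presented inside TLS: either ldaps:// or
    # ldap:// plus ldap_id_use_start_tls (the variant Sumit suggests).
    schemes = {urlparse(u.strip()).scheme for u in sec.get("ldap_uri", "").split(",") if u.strip()}
    start_tls = sec.get("ldap_id_use_start_tls", "false").strip().lower() in TRUE_VALUES
    if "ldaps" not in schemes and not start_tls:
        findings.append("no TLS: ldap_uri is not ldaps:// and ldap_id_use_start_tls is not set")

    # Server verification: the sssd-ldap option is ldap_tls_reqcert; a bare
    # 'tls_reqcert' is not recognised, so the default (hard) stays in force.
    if "tls_reqcert" in sec and "ldap_tls_reqcert" not in sec:
        findings.append("tls_reqcert is not an sssd option; use ldap_tls_reqcert")
    if sec.get("ldap_tls_reqcert", "").strip().lower() in ("never", "allow"):
        findings.append("ldap_tls_reqcert permits unverified server certificates")
    return findings
```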
> Regards, Graham --
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org