Hi,
I have a server running ApacheDS with both SSL and TLS enabled with a valid keystore. It allows me to connect via other ldap clients on both SSL and StartTLS and I’m able to use Kerberos from the client machine.
However, when I configure sssd on a client machine to use ldap and use the ApacheDS as its provider, it fails with the message:

(Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [pam_print_data] (0x0100): domain: AUTOMATON.UK
(Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [pam_print_data] (0x0100): user: aaron.jenkins
(Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [pam_print_data] (0x0100): service: login
(Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [pam_print_data] (0x0100): tty: /dev/pts/15
(Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [pam_print_data] (0x0100): ruser:
(Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [pam_print_data] (0x0100): rhost:
(Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [pam_print_data] (0x0100): authtok type: 1
(Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [pam_print_data] (0x0100): newauthtok type: 0
(Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [pam_print_data] (0x0100): priv: 1
(Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [pam_print_data] (0x0100): cli_pid: 9586
(Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [be_resolve_server_process] (0x0200): Found address for server ds.automaton.uk: [10.211.55.27] TTL 7200
(Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [sdap_sys_connect_done] (0x0100): Executing START TLS
(Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [sdap_connect_done] (0x0080): START TLS result: Success(0), (null)
(Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [sdap_connect_done] (0x0080): ldap_install_tls failed: [Connect error] [(unknown error code)]
(Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [fo_set_port_status] (0x0100): Marking port 10389 of server 'ds.automaton.uk' as 'not working'
(Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
(Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [be_pam_handler_callback] (0x0100): Backend returned: (1, 9, <NULL>) [Provider is Offline (Authentication service cannot retrieve authentication info)]
(Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [be_pam_handler_callback] (0x0100): Sending result [9][AUTOMATON.UK]
(Thu Nov 13 19:19:50 2014) [sssd[be[AUTOMATON.UK]]] [be_pam_handler_callback] (0x0100): Sent result [9][AUTOMATON.UK]
My sssd configuration is as follows:
[sssd]
config_file_version = 2
services = nss, pam
domains = AUTOMATON.UK
debug_level = 5

[domain/AUTOMATON.UK]
debug_level = 5
cache_credentials = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ds.automaton.uk:10389
ldap_search_base = dc=automaton,dc=uk
chpass_provider = ldap
entry_cache_timeout = 600
ldap_network_timeout = 2
The search base and the URI are correct, as they work with other things. Do you guys have any idea what could be going wrong?
On Fri, Nov 14, 2014 at 03:27:39AM +0000, Aaron Jenkins wrote:
SSSD uses libldap under the hood, so you should get the same results as with ldapsearch -ZZ -- have you tried ldapsearch?
On Fri, Nov 14, 2014 at 03:27:39AM +0000, Aaron Jenkins wrote:
By default SSSD really checks the certificate. This means that it must be able to find the public certificate of the CA which signed the LDAP certificate. If this is in an unusual place, please use ldap_tls_cacert or ldap_tls_cacertdir.
If you want to disable the strict check (NOT RECOMMENDED) for testing please use ldap_tls_reqcert. See man sssd-ldap for valid options.
HTH
bye, Sumit
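As an added example (not code from the thread, from SSSD or from ApacheDS), the following POSIX shell script turns the two pieces of advice above into checks a practitioner can run: Sumit's point that SSSD verifies the server certificate, so the CA must be reachable through ldap_tls_cacert or ldap_tls_cacertdir, with ldap_tls_reqcert as the not-recommended escape hatch, and the first reply's suggestion to reproduce the problem with ldapsearch -ZZ. It audits constructed copies of Aaron's domain section (as posted, with the CA anchored, and with verification switched off) and can reproduce the StartTLS handshake against the server with openssl s_client. The hostname, port, base DN and domain name are the thread's; the CA file path /etc/pki/tls/certs/automaton-ca.pem is an assumption.

```shell
#!/bin/sh
# Added example (not code from the thread, SSSD or ApacheDS): audit an sssd.conf
# for the TLS trust settings Sumit names, and reproduce SSSD's StartTLS handshake
# with openssl so a certificate-chain problem shows up outside SSSD.
# Host, port, base DN and domain come from the thread; the CA file path is assumed.

# Print the value of KEY in section [domain/DOMAIN] of CONF (empty if absent).
# Minimal INI parsing: "[section]" headers, "key = value" lines, #/; comments.
sssd_domain_get() {
    conf=$1; domain=$2; key=$3
    awk -v sect="[domain/$domain]" -v key="$key" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { h = $0; gsub(/[ \t]/, "", h); insect = (h == sect); next }
        insect {
            split($0, kv, "=")
            gsub(/^[ \t]+|[ \t]+$/, "", kv[1])
            if (kv[1] == key) {
                sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
                print; exit
            }
        }' "$conf"
}

# Classify the domain's LDAP TLS trust posture. SSSD verifies the server
# certificate (ldap_tls_reqcert defaults to "hard"), so the chain must be
# anchored by ldap_tls_cacert / ldap_tls_cacertdir or the StartTLS install
# fails exactly as in Aaron's log ("ldap_install_tls failed").
#   ok     CA location configured, verification enforced
#   no-ca  nothing in sssd.conf tells libldap where the CA is (the thread's case;
#          libldap then relies on whatever the system ldap.conf provides)
#   weak   ldap_tls_reqcert relaxed to never/allow: server identity not checked
#   ldapi  local socket URI, TLS not in play
sssd_tls_posture() {
    conf=$1; domain=$2
    uri=$(sssd_domain_get "$conf" "$domain" ldap_uri)
    cacert=$(sssd_domain_get "$conf" "$domain" ldap_tls_cacert)
    cadir=$(sssd_domain_get "$conf" "$domain" ldap_tls_cacertdir)
    reqcert=$(sssd_domain_get "$conf" "$domain" ldap_tls_reqcert)
    case "$uri" in ldapi://*) echo ldapi; return 0 ;; esac
    case "$reqcert" in never|allow) echo weak; return 0 ;; esac
    if [ -z "$cacert" ] && [ -z "$cadir" ]; then echo no-ca; return 0; fi
    echo ok
}

# Reproduce the handshake SSSD performs ("Executing START TLS") outside SSSD.
# Succeeds only when the server chain verifies against CAFILE, which is what
# libldap requires under the default ldap_tls_reqcert. The equivalent through
# libldap itself, as the first reply suggests:
#   LDAPTLS_CACERT=$CAFILE ldapsearch -ZZ -x -H ldap://ds.automaton.uk:10389 \
#       -b dc=automaton,dc=uk -s base
starttls_chain_ok() {
    host=$1; port=$2; cafile=$3
    openssl s_client -starttls ldap -connect "$host:$port" -CAfile "$cafile" \
        </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

# Constructed copies of the thread's domain section: "broken" as posted,
# "fixed" with the CA anchored, "weak" with verification switched off.
write_thread_conf() {   # $1 = output path, $2 = broken | fixed | weak
    cat > "$1" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = AUTOMATON.UK

[domain/AUTOMATON.UK]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ds.automaton.uk:10389
ldap_search_base = dc=automaton,dc=uk
EOF
    case "$2" in
        fixed) printf '%s\n' 'ldap_tls_cacert = /etc/pki/tls/certs/automaton-ca.pem' \
                             'ldap_tls_reqcert = demand' >> "$1" ;;   # assumed CA path
        weak)  printf '%s\n' 'ldap_tls_reqcert = never' >> "$1" ;;    # "NOT RECOMMENDED"
    esac
}

# Posture of one constructed variant (used by the demo below).
thread_conf_posture() {
    tmp=$(mktemp); write_thread_conf "$tmp" "$1"
    r=$(sssd_tls_posture "$tmp" AUTOMATON.UK); rm -f "$tmp"; echo "$r"
}

demo() {
    for v in broken fixed weak; do
        printf '%-6s sssd.conf -> %s\n' "$v" "$(thread_conf_posture "$v")"
    done
    # With HOST PORT CAFILE on the command line, also run the live handshake.
    if [ "$#" -eq 3 ]; then
        if starttls_chain_ok "$1" "$2" "$3"; then
            echo "StartTLS chain verifies against $3: SSSD should connect"
        else
            echo "StartTLS chain does not verify against $3: expect 'ldap_install_tls failed'"
        fi
    fi
}
demo "$@"
```

Run it with no arguments to see the three postures (broken -> no-ca, fixed -> ok, weak -> weak); pass `ds.automaton.uk 10389 /path/to/ca.pem` to also exercise the live handshake. A chain that fails in openssl or ldapsearch fails inside SSSD for the same reason, since all of them go through the same verification; fixing the trust anchor rather than lowering ldap_tls_reqcert keeps the password bind protected against a directory server presenting a certificate the client cannot validate.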
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users