On Tue, 2012-02-07 at 18:06 +0100, Marco Pizzoli wrote:
On Tue, Feb 7, 2012 at 5:38 PM, Stephen Gallagher sgallagh@redhat.com wrote:
On Tue, 2012-02-07 at 17:28 +0100, Marco Pizzoli wrote:
> According to that, your LDAP server doesn't support any authentication except GSSAPI (probably Kerberos). Obviously ldapsearch still works, so it looks to me like the LDAP server isn't properly reporting what it reports.
>
> Please open a bug. SSSD should be assuming that we always support SIMPLE.

Done. https://fedorahosted.org/sssd/ticket/1180

Please, could you tell me if this problem will be targeted for 1.7.x or 1.8 release?
Actually, on further investigation, this shouldn't be an issue. Can you confirm that you are NOT setting ldap_sasl_mech in your sssd.conf? It's not listed in your first email, but did you maybe leave it out?
It seems you found my fault :-( I surely overlooked the meaning of the word "none" on the man page. This is it: ldap_sasl_mech = none
The code that checks for this should be skipped if ldap_sasl_mech is unset. Would you mind checking your startup logs at level 6 to see what value is being reported for ldap_sasl_mech?
Done. As already reported: ldap_sasl_mech = none
I commented that directive, restarted sssd and now I see it working and obtaining my groups from the LDAP server. I still don't see my users and groups, but this is another story.
Thanks a lot and apologies for the noise.
Marco
Ah, yeah. That should be "not set" rather than "none".
We'll have to fix that in 1.9 (we're past string freeze for 1.8)
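
Added example, not part of the thread or of SSSD's own code: a small Python check over sssd.conf text that flags domain sections where ldap_sasl_mech is set to the literal string "none", the setting that turned out to be the cause here. The sample configuration, host names and the function name are constructed for illustration.

```python
import configparser

# Constructed sample: one domain carries the literal "none" described in the thread.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = example, kerberized, plain

[domain/example]
id_provider = ldap
ldap_uri = ldap://ldap.example.test
# Copied from the man page, where "none" describes the default:
ldap_sasl_mech = none

[domain/kerberized]
id_provider = ldap
ldap_uri = ldap://ldap2.example.test
ldap_sasl_mech = GSSAPI

[domain/plain]
id_provider = ldap
ldap_uri = ldap://ldap3.example.test
"""


def find_literal_none_sasl_mech(conf_text):
    """Return [(section, raw_value)] for every domain section in which
    ldap_sasl_mech is explicitly set to the string "none"."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        if not parser.has_option(section, "ldap_sasl_mech"):
            continue  # option absent or commented out: nothing to flag
        value = parser.get(section, "ldap_sasl_mech")
        # Case folding is this example's own conservative choice.
        if value.strip().lower() == "none":
            findings.append((section, value))
    return findings


if __name__ == "__main__":
    for section, value in find_literal_none_sasl_mech(SAMPLE_SSSD_CONF):
        print(f"[{section}] ldap_sasl_mech = {value!r}: "
              "remove or comment out this line to leave the option unset")
```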