On Tue, Feb 7, 2012 at 5:38 PM, Stephen Gallagher <sgallagh@redhat.com> wrote:
On Tue, 2012-02-07 at 17:28 +0100, Marco Pizzoli wrote:
>
>         According to that, your LDAP server doesn't support any
>         authentication except GSSAPI (probably Kerberos). Obviously
>         ldapsearch still works, so it looks to me like the LDAP server
>         isn't properly reporting what it reports.
>
>         Please open a bug. SSSD should be assuming that we always
>         support SIMPLE.
>
> Done. https://fedorahosted.org/sssd/ticket/1180
>
> Please, could you tell me if this problem will be targeted for 1.7.x
> or 1.8 release?


Actually, on further investigation, this shouldn't be an issue. Can you
confirm that you are NOT setting ldap_sasl_mech in your sssd.conf? It's
not listed in your first email, but did you maybe leave it out?

It seems you found my fault :-( I surely overlooked the meaning of the word "none" on the man page. This is it:
ldap_sasl_mech = none

 
The code that checks for this should be skipped if ldap_sasl_mech is
unset.

Would you mind checking your startup logs at level 6 to see what value
is being reported for ldap_sasl_mech?

Done. As already reported: ldap_sasl_mech = none

I commented that directive, restarted sssd and now I see it working and obtaining my groups from the LDAP server.
I still don't see my users and groups, but this is another story.

Thanks a lot and apologies for the noise.
Marco




--
_________________________________________
It is not he who never falls who is strong, but he who, falling, has the strength to get back up.
                    Jim Morrison
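
The misconfiguration found in this thread, as a check over the text of an sssd.conf (an added example, not part of the original messages and not SSSD code): it reports every uncommented `ldap_sasl_mech = none`, where the man page's word for "unset" was typed in as a value. The function name, sample config, domain names and URI are constructed for illustration.

```python
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
OPTION_RE = re.compile(r"^\s*ldap_sasl_mech\s*=\s*(.*?)\s*$", re.IGNORECASE)

# Constructed sample modelled on the thread; names and URI are made up.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = EXAMPLE, OTHER

[domain/EXAMPLE]
id_provider = ldap
ldap_uri = ldap://ldap.example.test
ldap_sasl_mech = none

[domain/OTHER]
id_provider = ldap
ldap_uri = ldap://ldap.example.test
# ldap_sasl_mech = none
"""


def find_literal_none(conf_text):
    """Return [(line_number, section, value)] for each uncommented
    ldap_sasl_mech whose value is the literal word "none"."""
    findings = []
    section = None
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        # Commented-out directives are exactly the fix applied in the thread.
        if line.lstrip().startswith(("#", ";")):
            continue
        match = SECTION_RE.match(line)
        if match:
            section = match.group(1)
            continue
        match = OPTION_RE.match(line)
        if match and match.group(1).lower() == "none":
            findings.append((lineno, section, match.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, section, value in find_literal_none(SAMPLE_CONF):
        print(f"line {lineno} [{section}]: ldap_sasl_mech = {value} "
              "-> comment out or remove to leave the option unset")
```
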