On Thu, Aug 25, 2016 at 06:09:59PM -0000, rpoyner@wisc.edu wrote:
> Lukas,
> Below is a log excerpt from a failed authentication. It looks like sssd tries to bind to the ldap server with the given username, which fails. I'll ask my ldap admin, but I think the openldap server is set up to transfer shadow data over tls without the need for a username/password to bind. I thought the bind user/password was an AD thing. I'm sure I never needed a bind user when authenticating to this server with nslcd.
No, this is how LDAP authentication works. We ask the user to try to read their own entry (in your case uid=myuser,ou=People,o=ENGR), binding as themselves (again, uid=myuser,ou=People,o=ENGR) and authenticating with their password.
Does an equivalent of the following work: ldapsearch -H ldap://ldap.edu -D uid=myuser,ou=People,o=ENGR -W -b uid=myuser,ou=People,o=ENGR -s base ?
This error:
    (Thu Aug 25 12:44:05 2016) [sssd[be[default]]] [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), no errmsg set
normally really means wrong password.
About ssh not working and su working: I really have no idea about BSD, but on Linux there is a PAM module, pam_rootok.so, that permits the authentication as long as it's requested by root, so maybe BSD has something similar?
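To make the diagnosis above repeatable, here is a small added example (not from this thread or from sssd itself) that parses sssd debug lines in the layout quoted above and explains the LDAP result code of each failed simple bind. The sample lines and the hypothetical neighbouring messages are constructed; only the "Bind result" line is the one from the thread.

```python
import re
from typing import Dict, List, Optional

# sssd debug line layout as quoted in this thread:
# (Thu Aug 25 12:44:05 2016) [sssd[be[default]]] [simple_bind_done] (0x0400): message
SSSD_LINE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>.*?)\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# "Bind result: Invalid credentials(49), no errmsg set"
BIND_RESULT = re.compile(r"Bind result: (?P<text>.+?)\((?P<code>\d+)\)(?:, (?P<detail>.*))?$")

# Selected LDAP result codes (RFC 4511) seen in sssd bind failures
LDAP_RESULT = {
    8: "strongerAuthRequired (server refuses a simple bind without TLS/SASL)",
    32: "noSuchObject (the computed user DN does not exist on this server)",
    34: "invalidDNSyntax (check the search base and DN attributes)",
    49: "invalidCredentials (wrong password, or wrong bind DN)",
    53: "unwillingToPerform (e.g. simple bind refused on a clear-text connection)",
}


def parse_sssd_line(line: str) -> Optional[Dict[str, str]]:
    """Split one sssd debug line into ts, proc, func, level and msg; None if it does not match."""
    m = SSSD_LINE.match(line.strip())
    return m.groupdict() if m else None


def bind_failures(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per failed simple bind, with the LDAP result code explained."""
    out: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_sssd_line(line)
        if not rec or rec["func"] != "simple_bind_done":
            continue
        b = BIND_RESULT.search(rec["msg"])
        if not b or int(b.group("code")) == 0:
            continue  # not a bind result, or a successful bind
        code = int(b.group("code"))
        out.append({"ts": rec["ts"], "code": code, "text": b.group("text").strip(),
                    "detail": b.group("detail") or "",
                    "meaning": LDAP_RESULT.get(code, "unknown LDAP result code")})
    return out


# Constructed sample: the line quoted in the thread plus two made-up neighbours.
SAMPLE = [
    "(Thu Aug 25 12:44:05 2016) [sssd[be[default]]] [simple_bind_send] (0x0100): Executing simple bind as: uid=myuser,ou=People,o=ENGR",
    "(Thu Aug 25 12:44:05 2016) [sssd[be[default]]] [simple_bind_done] (0x0400): Bind result: Invalid credentials(49), no errmsg set",
    "(Thu Aug 25 12:44:07 2016) [sssd[be[default]]] [simple_bind_done] (0x0400): Bind result: Success(0), no errmsg set",
]

if __name__ == "__main__":
    for f in bind_failures(SAMPLE):
        print(f"{f['ts']}: bind failed, {f['code']} {f['text']} -> {f['meaning']}")
```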