ldap_sasl_mech EXTERNAL and SSL client authc
by Michael Ströder
HI!
Is it possible to use SASL/EXTERNAL when connecting to an LDAP server with
StartTLS or LDAPS using client certs?
In a project they have certs in all systems anyway (because of using puppet)
and I'd like to let the sssd instances on all the systems authenticate to the
LDAP server to restrict visibility of LDAP entries by ACL. I'd like to avoid
having to set/configure passwords for each system's sssd.
Ciao, Michael.
8 years, 8 months
sssd uid on broken ldap implementation
by Ben Morrice
Hello,
I am trying to use sssd in our environment where unfortunately we have a
broken ldap implementation with no options to fix it.
We have an openldap implementation where our 'uid' field can contain
many attributes, some containing a 'uid' and others containing
'uid@functional-unit'. Some users have in their ldap account a single
'uid@functional-unit' whereas others have 'uid' and potentially many
'uid@functional-unit'.
sssd does the right thing for most cases with multiple attributes; just
providing the first returned attribute (which is 'uid'). However I am
experiencing problems with users that have only a 'uid@functional-unit'
entry.
I want to configure sssd so that both 'uid' and 'uid@functional-unit'
are represented from sssd as 'uid'
Please see below for some examples of what I'm talking about and my
current configuration.
[~]$ getent passwd user1
user1:*:90001:20010:user1:/home/user1:/bin/bash
[~]$ getent passwd |grep user2
user2@functional-unit:*:85010:20010:user2:/home/user2@functional-unit:/bin/bash
[~]$
Note: I can't do a 'getent passwd user2' or 'getent passwd
user2@functional-unit' - neither option works.
I want to be able to 'getent passwd user2' and see no reference of the
'functional-unit'.
Current sssd config (I'm using sssd-1.9.2-129.el6.x86_64 on RHEL6);
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss
domains = default
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
override_homedir = /home/%u
allowed_shells = /bin/bash
shell_fallback = /bin/bash
[pam]
reconnection_retries = 3
[domain/default]
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))
debug_level = 2
enumerate = true
cache_credentials = true
use_fully_qualified_names = false
id_provider = ldap
access_provider = ldap
auth_provider = krb5
chpass_provider = none
entry_cache_timeout = 5400
entry_cache_user_timeout = 1800
entry_cache_group_timeout = 5400
min_id = 1000
ldap_uri = ldap://ldap.example.com
ldap_search_base = c=com?sub?(&(objectClass=posixAccount)(|(memberOf=group-1)(memberOf=group-2)))
krb5_realm = EXAMPLE.COM
krb5_server = example.com
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
krb5_ccachedir = /tmp
I have been trying to address this issue with various permutations of
re_expression but seem to be failing miserably. If anyone has any
suggestions it would be most appreciated!
--
Kind regards,
Ben Morrice
______________________________________________________________________
Ben Morrice | e: ben.morrice(a)epfl.ch | t: +41-21-693-9670
EPFL - Quartier de l’innovation, Bât. J, 3ème étage, CH-1015 Lausanne, SWITZERLAND
9 years, 12 months
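The post above turns on how sssd splits a login string with re_expression before any LDAP lookup happens. The following is an added example, not code from the post or from the sssd project: a small Python re-implementation of that parsing step using the posted re_expression, plus a helper that mirrors the documented domain-selection rule (a name without a domain part is tried in every configured domain; a name with a domain part is tried only in a domain of that name). Python's re module refuses a pattern that reuses a group name across alternatives, so the three alternatives of the posted expression are kept as separate patterns tried in order; the comparison pattern KEEP_AT_SIGN and the function names are this example's own.

```python
import re

# Added example (not from the post): the three alternatives of the posted
# re_expression, kept as separate patterns because Python's re module does
# not allow the same group name in several alternatives of one pattern.
POSTED_RE_EXPRESSION = [
    re.compile(r"^(?P<domain>[^\\]+)\\(?P<name>.+)$"),  # DOMAIN\name
    re.compile(r"^(?P<name>[^@]+)@(?P<domain>.+)$"),    # name@domain
    re.compile(r"^(?P<name>[^@\\]+)$"),                 # bare name
]

# A deliberately simpler expression, for comparison only (hypothetical):
# it never splits on '@', so the whole string stays the user name.
KEEP_AT_SIGN = [re.compile(r"^(?P<name>.+)$")]


def parse_name(raw, patterns=POSTED_RE_EXPRESSION):
    """Split a login string into (name, domain); domain is None if absent."""
    for pattern in patterns:
        m = pattern.match(raw)
        if m:
            return m.group("name"), m.groupdict().get("domain")
    raise ValueError("name does not match re_expression: %r" % raw)


def lookup_plan(raw, configured_domains, patterns=POSTED_RE_EXPRESSION):
    """Return (name, domains_to_ask) for a lookup of `raw`.

    Mirrors the documented sssd rule: no domain part -> every configured
    domain is asked; a domain part -> only that domain, and an unknown
    domain fails before LDAP is ever contacted.
    """
    name, domain = parse_name(raw, patterns)
    if domain is None:
        return name, list(configured_domains)
    if domain in configured_domains:
        return name, [domain]
    return name, []


if __name__ == "__main__":
    # The two lookups from the post, against the single domain 'default'.
    for raw in ("user2", "user2@functional-unit"):
        name, domains = lookup_plan(raw, ["default"])
        print("%-24s -> name=%-6s domains asked=%s" % (raw, name, domains))
    # Same string with the comparison pattern: '@' stays part of the name.
    print(parse_name("user2@functional-unit", KEEP_AT_SIGN))
```

Run as a script it shows that 'user2@functional-unit' is parsed into name 'user2' and domain 'functional-unit', and since no domain of that name is configured the lookup fails without reaching LDAP, while 'user2' alone is sent to the 'default' domain as a lookup for uid 'user2', which the directory does not carry for that account. Whether a different re_expression helps depends on what the responder then asks the LDAP provider for; this example only isolates the parsing step.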
Re: [SSSD-users] authenticating against all sub-domains in AD forest
by Taner KARAGÖL
We have similar windows AD forest:
company.com (forest root domain)
subA.company.com (subdomain)
subB.company.com (subdomain)
I am using ldap as id_provider:
id_provider = ldap
if you are using ldap as id_provider you must have 3 domain section in sssd.conf:
[sssd]
domains = company.com, subA.company.com, subB.company.com
...
[domain/company.com]
....
[domain/subA.company.com]
...
[domain/subB.company.com]
....
in short: for each domain you have to have a domain section. Additionally your krb5.conf file must include all domains.
if you are using "id_provider = ad", I think only the root domain section is sufficient, but I didn't try before. But in any case you have to have 3 domains in krb5.conf I think.
Taner KARAGOL
You can mail karagol at gmail for additional information.
> > > > >
> > > > > > Date: Mon, 16 Sep 2013 15:22:47 +0200
> > > > > > From: jhro...(a)redhat.com
> > > > > > To: sssd-users(a)lists.fedorahosted.org
> > > > > > Subject: Re: [SSSD-users] authenticating against all sub-domains in
> > > > > > AD forest
> > > > > >
> > > > > > On Mon, Sep 16, 2013 at 01:17:22PM +0000, a t wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > I am trying to find a standard config for Linux authentication
> > > > > > > against Active Directory and I am testing with Centos 6. I have
> > > > > > > decided on a SSSD/Kerberos/LDAP configuration as described in
> > > > > > > Red Hat's "Integrating Red Hat Enterprise Linux 6 with Active
> > > > > > > Directory" section 6.3.
> > > > > > > http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:s...
> > > > > > >
> > > > > > > It works very well but for the one domain in our forest i.e.
> > > > > > > b.domain.org. However, users of other domains in the forest can
> > > > > > > not be authenticated. This is understandable as I have pointed
> > > > > > > all the config files at the child domains DC's, i.e.
> > > > > > > dc1.b.domain.org rather than dc1.domain.org. I have been
> > > > > > > searching for example configurations which will authenticate any
> > > > > > > user in the forest even though the Linux installation is joined
> > > > > > > to a different child domain but not found any.
> > > > > > >
> > > > > > > Scenario I would like to implement;
> > > > > > >
> > > > > > > Linux installation hostname = lin1
> > > > > > > lin1 joined to domain b.domain.org
> > > > > > > users from b.domain.org can login to lin1.b.domain.org
> > > > > > > users from all child domains of domain.org can
> > > > > > > log into lin1.b.domain.org, for example a.domain.org,
> > > > > > > c.domain.org or z.domain.org
> > > > > > >
> > > > > > > I have attached my current config files as a reference. They work
> > > > > > > for a single domain rather than the whole forest. I suppose I am
> > > > > > > stuck whether to add each AD child domain as separate domains in
> > > > > > > SSSD and REALMS in kerberos or if I can get it to see the whole
> > > > > > > forest.
> > > > > > >
> > > > > > >
> > > > > > > Thanks for any help / pointers,
> > > > > > >
> > > > > > >
> > > > > > > Matthew
10 years
Announcing SSSD 1.9.6
by Jakub Hrozek
=== SSSD 1.9.6 ===
The SSSD team is proud to announce the release of version 1.9.6 of
the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
This is mostly a bugfix release with minor feature enhancements -- see
the changelog below for details.
RPM packages will be made available for Fedora 18 shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel or
sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* This release focused primarily on bug fixing and stabilization. Only
minor features were added
* A new ignore_group_members option was added. This option can be used to
suppress downloading group members on group lookups, making the group lookups
much faster for environments that do not need to know the group members.
* A new option ldap_rfc2307_fallback_to_local_users was added. If this
option is set to true, SSSD is able to resolve local group members of
LDAP groups.
* A new option ldap_disable_range_retrieval was added. Switching this
option to True skips large Active Directory groups that might otherwise
take a long time to download and process.
* A new option refresh_expired_interval was added. This option allows
configuring a background task that automatically refreshes entries
that are nearing their expiration time. In this release, only refreshing
netgroups is implemented.
* Multiple crasher bugs in the fast in-memory cache were fixed
* Several commits improved portability of SSSD's build system, allowing
for easier builds on non-Linux platforms
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1893
Enabling enumeration causes sssd_be process to utilize 100% of the CPU
https://fedorahosted.org/sssd/ticket/1890
SSSD doesn't display warning for last grace login.
https://fedorahosted.org/sssd/ticket/1733
[RFE] support autoconfiguring SUDO with ipa provider and compat tree
https://fedorahosted.org/sssd/ticket/1912
SUDO is not working for users from trusted AD domain
https://fedorahosted.org/sssd/ticket/1823
getgrnam / getgrgid for large user groups is too slow due to range
retrieval functionality
https://fedorahosted.org/sssd/ticket/1376
[RFE] Add support for suppressing group members
https://fedorahosted.org/sssd/ticket/1886
If previous SRV query failed, the next try might not be retried in
some cases
https://fedorahosted.org/sssd/ticket/1947
[abrt] sssd-1.10.0-4.fc19.beta1: get_server_status: Process
/usr/libexec/sssd/sssd_be was killed by signal 11 (SIGSEGV)
https://fedorahosted.org/sssd/ticket/1806
sssd_be goes to 99% CPU and causes significant login delays when client
is under load
https://fedorahosted.org/sssd/ticket/1693
sudoHost mismatch response is incorrect sometimes
https://fedorahosted.org/sssd/ticket/1933
sssd fails to resolve hosts/services once the network is up
https://fedorahosted.org/sssd/ticket/1846
cyclic group memberships may not work depending on order of operations
https://fedorahosted.org/sssd/ticket/2031
sssd fails instead of skipping when a sudo ldap filter returns entries
with multiple CNs
https://fedorahosted.org/sssd/ticket/1932
sssd_be crashing with nested ldap groups contain a dangling member
https://fedorahosted.org/sssd/ticket/1759
sss_cache -N/-n should invalidate the hash table in sssd_nss
https://fedorahosted.org/sssd/ticket/2005
SSSD filter out ldap user/group if uid/gid is zero
https://fedorahosted.org/sssd/ticket/1980
SSSD service randomly dies
https://fedorahosted.org/sssd/ticket/1986
SYSV init script should use @sbindir@
https://fedorahosted.org/sssd/ticket/1959
Enhance sssd init script so that it would source a configuration
https://fedorahosted.org/sssd/ticket/1966
SSSD failover doesn't work if the first DNS server in resolv.conf
is unavailable
https://fedorahosted.org/sssd/ticket/1899
resolv-tests failing with memory leak
https://fedorahosted.org/sssd/ticket/2018
sssd_nss terminated with segmentation fault
https://fedorahosted.org/sssd/ticket/1891
unite periodic refresh API
https://fedorahosted.org/sssd/ticket/1713
[RFE] Add a task to the SSSD to periodically refresh cached entries
https://fedorahosted.org/sssd/ticket/2029
passwd returns "Authentication token manipulation error" when entering
wrong current password
https://fedorahosted.org/sssd/ticket/1827
Cannot change expired password of an AD user
https://fedorahosted.org/sssd/ticket/1825
Invalid assignment to enum
https://fedorahosted.org/sssd/ticket/2059
sss_packet_grow: wrong use of module to pad data
https://fedorahosted.org/sssd/ticket/2049
sssd_nss core dumps under load
https://fedorahosted.org/sssd/ticket/2057
Data provider endianness bug
https://fedorahosted.org/sssd/ticket/1992
AD dyndns update crashed after attempting to update a standalone DNS server
https://fedorahosted.org/sssd/ticket/1892
In IPA AD trust setup, the sssd logs throw a 'sysdb_search_user_by_name
failed' error when an AD user tries to login via ipa client.
https://fedorahosted.org/sssd/ticket/2126
sssd_be segfault when authenticating against active directory
== Detailed Changelog ==
Jakub Hrozek (10):
* Bump the version for the 1.9.6 release
* Only try to relink ghost users if we're not enumerating
* Display the last grace warning, too
* IPA: Do not download or store the member attribute of host groups
* LDAP: Fix crash when processing nested groups
* MAN: Clarify the min_id/max_id limits further
* Set default DNS resolution timeout to 6 seconds.
* DP: Use the correct type for DBus boolean
* Make IPA SELinux provider aware of subdomain users
* Updating Transifex URL
* Updating translations for the 1.9.6 release
Lukas Slebodnik (31):
* SUDO: IPA provider
* Removing unused functions.
* Adding option to disable retrieving large AD groups.
* Every time use permissive control in function memberof_mod.
* NSS: allow removing entries from netgroup hash table
* NSS: Clear cached netgroups if a request comes in from the sss_cache
* Do not call sss_cmd_done in function check_cache.
* Handle too many results from getnetgr.
* Removing unused parameter type from sudosrv_get_sudorules_query_cache()
* mmap_cache: Skip records which don't have the same hash
* mmap_cache: Use stricter check for hash keys.
* UTIL: Create new wrapper header file sss_endian.h
* CLIENT: Fix non gnu sss_strnlen implementation
* MONITOR: Move function declaration out of conditional build
* UTIL: Explicitly include header file sys/socket.h
* MEMBEROF: Remove temporary workaround
* IPA_HBAC: Explicitly include header file time.h
* CONFIGURE: Get rid of bashism
* Include sys/types.h for types id_t and uid_t
* UTIL: Use standard maximum value of type size_t
* mmap_cache: Do not remove record from chain twice
* AUTOTOOLS: Add -LLIBDIR to PYTHON_LIBS
* AUTOTOOLS: Add missing AC_MSG_RESULT
* AUTOMAKE: Use portable way to link with dlopen
* AUTOMAKE: Use portable way to link with gettext
* AUTOTOOLS: Add directories for searching ldap headers and libs
* AUTOTOOLS: Refactor unicode library detection
* AUTOTOOLS: add check for type intptr_t
* AUTOTOOLS: Use pkg-config to detect libraries.
* AUTOTOOLS: More robust detection of inotify.
* AUTOTOOLS: Fix warnings: macro xyz not found in library
Michal Zidek (13):
* Always set port status to neutral when resetting service.
* Lower timeout to contact DNS server
* resolv-tests failing with memory leak
* mmap_cache: Check if slot and name_ptr are not invalid.
* ldap, krb5: More descriptive msg on chpass failure.
* mmap_cache: Check data->name value in client code
* mmap_cache: Remove triple checks in client code.
* mmap_cache: Off by one error.
* mmap_cache: Use better checks for corrupted mc in responder
* mmap_cache: Store corrupted mmap cache before reset
* Rename _SSS_MC_SPECIAL
* man sssd: Add note about SSS_NSS_USE_MEMCACHE
* Check slot validity before MC_SLOT_TO_PTR.
Paul B. Henson (1):
* Add ignore_group_members option.
Pavel Březina (16):
* sudo responder: use fully qualified name for subdomain users
* failover: set state->out when meta server remains in SRV_RESOLVE_ERROR
* collapse_srv_lookup may free the server, make it clear from the API
* failover: if expanded server is marked as neutral, invoke srv collapse
* sudo responder: use different callback for oob refresh
* sudo: skip rule on error instead of failing completely
* sudo: print better debug message when a rule has multiple cn values
* init script: source /etc/sysconfig/sssd
* back end: periodic task API
* back end: periodical refresh of expired records API
* back end: add refresh expired records periodic task
* providers: refresh expired netgroups
* print hint about password complexity when new password is rejected
* sss_packet_grow: correctly pad packet length to 512B
* SIGCHLD handler: do not call callback when pvt data was freed
* is_dn(): free dn
Simo Sorce (1):
* Add a commit template
Stephen Gallagher (1):
* Configure SYSV init scripts properly
Sumit Bose (2):
* sdap_get_generic_ext_send: check if we are still connected
* be_spy_create: free be_req and not the long living data
10 years
SSSD and sudo on Ubuntu 12.04
by Michael
Ok,
This started out as a request for help, but since I figured out the
issue I figure I will post the solution instead
Issue:
have SSSD set up for authentication via LDAP on Ubuntu 12.04, want to
use it for SUDO as well instead of sudo-ldap as this will allow caching
of sudo rules when not connected to ldap server.
I followed every guide, but nothing I did allowed sudo to even attempt
using sssd for sudo rules.
Actual Problem:
In the end, the issue is that sudo binary for 12.04 (sudo 1.8.3p2) does
NOT include sssd support. When I went to rebuild the DEB from Ubuntu
source DEB, I realized that 1.8.3 does not have SSSD support at all.
Using 1.8.8 binary from sudo.ws did not help either as while 1.8.8 does
support sssd, the Ubuntu DEB seems to be compiled without it (they
mirror Ubuntu's own flags)
Solution:
So the solution ended up being to download the sudo 1.8.8 source and re-compile a
DEB with the following options (they use a handy "mkpkg" to generate packages):
Step 1(optional):
For my own sanity I have added a release tag so that I know when my own
package is used (there is probably a better way, but this was fast)
in sudo.pp:44
- pp_rpm_release="`expr \( $version : '.*p\([0-9][0-9]*\)' \| 0 \) + 1`"
+ pp_rpm_release="`expr \( $version : '.*p\([0-9][0-9]*\)' \| 0 \) +
1`-sssd"
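Review bot: the replacement `pp_rpm_release=` line has been wrapped by the mail client after the trailing `+`, so the hunk as shown will not apply cleanly; the `1`-sssd"` tail belongs on the same line as the `expr` call, i.e. `+ pp_rpm_release="`expr \( $version : '.*p\([0-9][0-9]*\)' \| 0 \) + 1`-sssd"`. Since the variable is named pp_rpm_release and the goal here is a DEB, also confirm in sudo.pp that the same value feeds the Debian package version, otherwise the `-sssd` tag may never appear in the package you install.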
Step 2: Install pre-requisites for building sudo.
I started with "apt-get build-dep sudo", and at the very least added
libselinux-dev. I am not sure exact pre-reqs, so you may need to read up
on sudo or keep trying to build until all pre-reqs are there
Step 3: Build the actual DEB
I chose to build
./mkpkg --flavor=ldap --with-sssd --with-sssd-lib=/usr/lib/ARCH
/usr/lib/ARCH is path to lib directory containing your libsss_sudo.so -
in my case it is /usr/lib/x86_64-linux-gnu. There is probably a proper
multiarch way to do this, but every time I tried it failed and I did not
have time to research it.
If all your pre-reqs are in order, you will end up with a deb package.
You can then install it manually with dpkg -i or sign it and stick it
into your own apt repo.
Step 4: Runtime pre-reqs
When installing, I noticed that "libsss-sudo" was not installed, so I
needed to install it manually
Step 5: After this, standard sssd-sudo instructions worked fine
Hope this helps the few people silly enough to try this,
-M
10 years
sssd performance problem
by Sami K
Hello,
We have been lately having big problems with sssd caching. On our ssh
servers, (each with ~100-200 users) login may take several minutes as the
sssd_be -process uses 100% cpu time and sssd_be -process may be in this
state for days. Clearing the cache and restarting sssd during the day
usually helps and then everything works for few days, sometimes only hours.
It is not clear what triggers this behaviour, maybe some combination
of lots of users and cache update at the same time.
The culprit seems to have been addition of few big groups lately to ldap
for our access policy worsening the situation and sssd-performance.
On a test server a simple id command with an empty cache and the same settings as in
production takes:
[root@testsk tmp]# time id testusr
uid=1143(testusr) gid=100(users)
groups=100(users),3318(roam),3102(nixe),1000(staff1),3785(wl-staff1),3119(system),3402(fileaccess),3377(vpn1),120(grp2),3123(devel),1001(devel3),3378(vpn2),3266(usr),3386(access3)
real 0m28.689s
user 0m0.006s
sys 0m0.007s
We have currently several groups with around 17 000 and 3000 users so this
id query creates over 100k ghost users to cache:
[root@testsk tmp]# ldbsearch -H /var/lib/sss/db/cache_TESTAUTH.ldb |grep ghost |wc -l
asq: Unable to register control with rootdse!
105196
Indeed, with full debug (time of id-command is then over 1 minute) all I
see in the logs ldap backend mostly adding ghost users to cache as it adds
information from _all_ groups related to that uid. As the backend is not
responding to monitor pings fast enough, the monitor tries to kill it and
restart. The same happens also in production servers. I have already extended
the timeout to 60 but it seems not to be enough.
This latter case seems to be relevant especially when we started to receive
complaints from some people that httpd authentication was not working.
Apache error log shows:
[Tue Oct 29 12:21:36 2013] [error] [client xxx.xx.xx.xx] GROUP: testuser
not in required group(s).
when in fact user is in the required group but it seems that sssd just
fails to respond fast enough. This is (PAM, AuthType Basic, Require group
testgroup) kind of authentication.
This is on RHEL6.4, sssd-1.9.2-82.10.el6_4.x86_64. Configured services
nss, ldap:
sanitized config:
------------------------
[sssd]
config_file_version = 2
debug_level = 1
reconnection_retries = 3
timeout = 60
services = nss
domains = TESTAUTH
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
debug_level = 1
[domain/TESTAUTH]
debug_level = 1
ldap_purge_cache_timeout = 3600
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://authserv.test
ldap_search_base = dc=test
ldap_user_search_base = ou=People,dc=test
ldap_group_search_base = ou=Group,dc=test
So in the end, any ideas or suggestions how to improve the situation? Of
course I'm willing to debug/test this more if needed as the current
situation is almost disastrous.
Cheers,
- Sami
ps. Quick test on a Fedora 19 and sssd-1.11.1-4.fc19 made the same queries
in 7 seconds or less so apparently some progress in performance has been
done. Any idea when would RHEL6 sssd be rebased? I tried to compile latest
git-version on RHEL6 but I couldn't find all required components (for ex.
configure: error: you must have the cifsidmap header installed to build the
idmap plugin).
10 years
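The post above counts ghost entries in the sssd cache with grep and wc, which gives a total but not which groups contribute it. The following is an added example, not code from the post or from the sssd project: a Python parser for the LDIF-style records that ldbsearch prints, which counts ghost members per group so the largest groups (the 17 000- and 3 000-member ones mentioned above) can be identified directly. The sample output embedded below is constructed, the group names are illustrative, and the suggested ldbsearch invocation in the comment is an assumption about how you would feed real data in.

```python
# Added example (not from the post): per-group ghost counts from ldbsearch
# output. Constructed sample of what ldbsearch prints for group records in
# the sssd cache, including the 'asq:' warning line seen in the post.
SAMPLE_LDBSEARCH_OUTPUT = """\
asq: Unable to register control with rootdse!
# record 1
dn: name=staff1,cn=groups,cn=TESTAUTH,cn=sysdb
name: staff1
ghost: alice
ghost: bob
ghost: carol

# record 2
dn: name=roam,cn=groups,cn=TESTAUTH,cn=sysdb
name: roam
ghost: dave

# record 3
dn: name=users,cn=groups,cn=TESTAUTH,cn=sysdb
name: users
ghost: alice
ghost: erin
ghost: frank
ghost: grace
ghost: heidi

# returned 3 records
"""


def parse_ldif_records(text):
    """Yield one dict of attribute -> [values] per record.

    A record starts at a 'dn:' line; comment lines, blank lines and any
    'attr: value' noise before the first dn (such as the asq warning) are
    ignored. Lines starting with a space are LDIF continuation lines.
    Base64 ('::') values are not decoded, which is fine for counting.
    """
    record = None
    last_attr = None
    for line in text.splitlines():
        if line.startswith(" ") and record is not None and last_attr:
            record[last_attr][-1] += line[1:]  # continuation of previous value
            continue
        if not line.strip() or line.startswith("#") or ":" not in line:
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if attr == "dn":
            if record is not None:
                yield record
            record = {"dn": [value]}
        elif record is not None:
            record.setdefault(attr, []).append(value)
        last_attr = attr
    if record is not None:
        yield record


def count_ghosts(text):
    """Return [(group_name, ghost_count), ...] sorted by count, descending."""
    counts = []
    for rec in parse_ldif_records(text):
        name = rec.get("name", rec["dn"])[0]
        counts.append((name, len(rec.get("ghost", []))))
    counts.sort(key=lambda item: (-item[1], item[0]))
    return counts


def total_ghosts(text):
    """Total ghost entries, comparable to the grep|wc figure in the post."""
    return sum(n for _, n in count_ghosts(text))


if __name__ == "__main__":
    import sys
    # Assumed usage (hypothetical invocation, adjust the cache path):
    #   ldbsearch -H /var/lib/sss/db/cache_TESTAUTH.ldb '(objectClass=group)' name ghost \
    #       | python3 this_script.py
    data = SAMPLE_LDBSEARCH_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for group, n in count_ghosts(data or SAMPLE_LDBSEARCH_OUTPUT):
        print("%8d  %s" % (n, group))
    print("%8d  total" % total_ghosts(data or SAMPLE_LDBSEARCH_OUTPUT))
```

The per-group breakdown is what tells you whether a handful of very large groups account for nearly all ghost entries, which is the situation the ignore_group_members option added in 1.9.6 (announced earlier on this page) is meant to address.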
SSSD with id_provider ldap and auth_provider krb5-ad
by Pieter Baele
Hello everyone,
I made a configuration where I use Active Directory Kerberos as
authentication source,
but OpenDJ LDAP (Forgerock) as id_provider, sudo_provider etc....
I configured everything using the excellent tool msktutil, so no Samba or
ktpass.exe involved....
Basically, this is my sssd.conf:
[domain/DOMAIN]
ldap_id_use_start_tls = True
ldap_schema = rfc2307bis
ldap_search_base = dc=xyz
id_provider = ldap
access_provider = ldap
ldap_access_filter = isMemberOf=zyx
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://xyz
cache_credentials = true
sudo_provider = ldap
ldap_sudo_search_base = ou=xyz
ldap_netgroup_search_base = ou=xyz
ldap_group_name = uniqueMember
entry_cache_netgroup_timeout = 300
entry_cache_sudo_timeout = 300
ldap_sasl_mech = GSSAPI
ldap_force_upper_case_realm = True
ldap_krb5_keytab = /etc/krb5.keytab
krb5_keytab = /etc/krb5.keytab
krb5_realm = MSNET.RAILB.BE
krb5_ccachedir = /tmp
krb5_validate = True
krb5_auth_timeout = 15
ldap_sasl_authid = HOSTNAME$(a)MSNET.RAILB.BE
ldap_krb5_init_creds = true
debug_level = 5
I only have one problem: I have to create a "uid=HOSTNAME$" entry in my
LDAP servers, which is now objectClass account....
By default, OpenDJ makes a GSSAPI match based on regexp for UID.
But if I want to use objectClass ipHost/device, then cn is used instead of
uid.
Any idea what is the nicest solution here?
SSO works perfectly between Linux hosts also, but I can't succeed in using Putty
with my Windows credentials/ticket to sign on to the sssd enabled hosts.
Sincerely, PieterB
10 years
AD provider uses wrong user attribute?
by Ondrej Valousek
Hi List,
Looks like the AD provider in sssd honors the sAMAccountName attribute instead of 'uid' (which is more in line with RFC2307).
Is this intentional or a bug?
Thanks,
Ondrej
10 years, 1 month