On Mon, Nov 07, 2016 at 05:05:48PM -0000, m.wandel(a)t-online.de wrote:
Hey,
I'm struggling a bit with my sssd configuration. We want to use local accounts (users
and groups), and for authentication the LDAP of the Windows AD should be used. My
current configuration throws some errors that I can't understand.
---------- sssd.conf ------------
[sssd]
config_file_version = 2
services = pam, nss
domains = testad
[nss]
[pam]
[domain/testad]
id_provider = proxy
proxy_lib_name = files
auth_provider = ldap
ldap_schema = AD
ldap_default_bind_dn = cn=administrator,cn=users,dc=example,dc=com
ldap_default_authtok=XXXXXXXXXXXX
ldap_uri = ldaps://192.168.122.222:3269/
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
----------- sssd_testad.log ---------------------
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=example,dc=com]
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=testnutzer1)(objectclass=user))][dc=example,dc=com].
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [sdap_get_generic_op_finished] (0x0400): Search result: Operations error(1), 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [sdap_get_generic_op_finished] (0x0040): Unexpected result from ldap: Operations error(1), 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [generic_ext_search_handler] (0x0040): sdap_get_generic_ext_recv failed [5]: Eingabe-/Ausgabefehler
(Mon Nov 7 16:29:45 2016) [sssd[be[testad]]] [get_user_dn_done] (0x0040): Failed to retrieve users
Every tip is welcome, I'm not sure if it is possible to use this combination of id /
auth provider.
I think you found a gap in the LDAP auth provider. Typically when the
LDAP auth provider is used with the LDAP id provider the id provider
will create the connection to the LDAP server and does the authenticated
bind (with ldap_default_bind_dn and ldap_default_authtok or other
credentials). The auth provider will use this connection to find the DN
of the user who wants to authenticate and then tries to bind as the
user.
In your case the LDAP id provider is missing and the LDAP auth provider
only creates the connection to the LDAP server but does not bind with
ldap_default_bind_dn and ldap_default_authtok. This works as long as
authentication is not required on the LDAP server side. This is
typically the case for OpenLDAP or 389ds servers where basic user data
can be looked up anonymously. But AD requires an authentication and
hence the search for the user DN fails in your setup.
If you don't mind I would like to ask you to open a ticket at
https://fedorahosted.org/sssd/newticket about this issue.
bye,
Sumit
>
>
> best regards
>
> Michael Wandel
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
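A small check for the combination Sumit describes, added here as an example and not code from the thread or from SSSD itself: it parses an sssd.conf (a constructed sample based on Michael's) to flag domains whose LDAP auth provider has no LDAP id provider to perform the ldap_default_bind_dn bind for it, and recognises AD's "bind required" search failure in an sssd domain log line. Treating id_provider = ad as also supplying the bound connection is an assumption of this example.

```python
import configparser
import re

# Constructed sample based on the config in the thread, plus a second domain
# that pairs the LDAP auth provider with the LDAP id provider.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = pam, nss
domains = testad, ok

[domain/testad]
id_provider = proxy
auth_provider = ldap
ldap_default_bind_dn = cn=administrator,cn=users,dc=example,dc=com
ldap_default_authtok = XXXXXXXXXXXX

[domain/ok]
id_provider = ldap
auth_provider = ldap
"""

# AD's diagnostic when a search is attempted on a connection that never
# completed a bind (error code and comment as seen in the thread's log).
AD_UNBOUND_SEARCH = re.compile(r"000004DC|successful bind must be completed")

# Assumption: the AD id provider is built on the LDAP provider and also
# supplies the bound connection, so it is treated like id_provider = ldap.
ID_PROVIDERS_THAT_BIND = ("ldap", "ad")


def domains_with_auth_gap(conf_text):
    """Names of domains with auth_provider = ldap but no id provider to do the
    bind; the user-DN search then runs unauthenticated and fails against AD."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    hits = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        auth = cp.get(section, "auth_provider", fallback="").strip().lower()
        idp = cp.get(section, "id_provider", fallback="").strip().lower()
        if auth == "ldap" and idp not in ID_PROVIDERS_THAT_BIND:
            hits.append(section.split("/", 1)[1])
    return hits


def is_unbound_search_error(log_line):
    """True if an sssd domain log line carries AD's 'bind required' failure."""
    return bool(AD_UNBOUND_SEARCH.search(log_line))
```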