On Tue, Dec 06, 2022 at 05:14:34PM -0600, Jarett DeAngelis wrote:
Hi,
I am trying to get SSSD to authenticate against an OpenLDAP directory. I have "debug_level" turned up to 10 but have not been able to figure out what the problem is based on the log.
On an Ubuntu 22.04 system I have found that something with TLS is broken when it tries to connect to OpenLDAP, which is why it has failed on that system -- I think this is related to the OS moving to OpenSSL 3 but have not been able to figure out how to fix it.
On this CentOS 7 system, you can see that it can find the user, can get properties from the user, but still fails the user login without, as far as I can tell, explaining why.
I have pasted our sssd.conf below, and here is a link to my Nextcloud instance where I am hosting the relevant portion of the log (it was too big for me to be able to paste it into Pastebin): https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD
Hi,
there is no authentication attempt covered in the log file. Are you sure pam_sss.so is included in your PAM configuration and called for the specific user?
bye, Sumit
Hoping someone can help us get to the bottom of this.
Thanks.
Here is our sssd.conf:
[sssd]
services = nss, pam
config_file_version = 2
domains = default
certificate_verification = no_verification

[nss]

[pam]
offline_credentials_expiration = 60

[domain/default]
debug_level = 10
ldap_id_use_start_tls = False
cache_credentials = True
ldap_search_base = ou=users,dc=clab,dc=lab
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ldaps://10.8.8.60:636
ldap_default_bind_dn = cn=admin,dc=clab,dc=lab
ldap_default_authtok = definitelyverysecurepassword
ldap_tls_reqcert = allow
ldap_tls_cacert = /usr/local/share/ca-certificates/mycacert.crt
ldap_tls_cacertdir = /usr/local/share/ca-certificates
ldap_tls_cert = /etc/ldap/ldapserver00_slapd_cert.pem
certificate_verification = no_verification
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
override_homedir = /home/%U
override_shell = /bin/bash
ldap_user_name = uid
auto_private_groups = true
sudo_provider = none
ldap_account_expire_policy = nds
ldap_passwd_policy = shadow
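Sumit's observation is that the log contains no authentication attempt at all, so the login never reached SSSD's PAM responder. Two things have to hold for that to happen: the PAM stack used by the login service must load pam_sss.so for the "auth" type, and the [sssd] section must list "pam" in "services". The script below is an added example (not from the thread or the SSSD project) that checks both against files; the PAM and sssd.conf samples it writes are constructed for the demo, and the function names are my own.

```shell
#!/bin/sh
# Added example: check whether a login can reach SSSD at all.
#   1. the PAM stack must have an active "auth" line loading pam_sss.so
#   2. sssd.conf must list "pam" in the [sssd] "services" value
# Sample files below are constructed for this demo, not taken from a real host.

# pam_sss_in_auth_stack FILE
# Returns 0 if FILE has an uncommented "auth" line (optionally prefixed with
# the "-" PAM allows for optional modules) that loads pam_sss.so, else 1.
pam_sss_in_auth_stack() {
    grep -E '^[[:space:]]*-?auth[[:space:]]' "$1" | grep 'pam_sss\.so' >/dev/null
}

# sssd_pam_responder_enabled SSSD_CONF
# Returns 0 if the "services" key inside the [sssd] section contains "pam".
sssd_pam_responder_enabled() {
    awk '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        /^[ \t]*\[/   { sec = $0                # remember the current section
                        sub(/^[ \t]*\[/, "", sec)
                        sub(/\].*$/, "", sec)
                        next }
        sec == "sssd" && $0 ~ /^[ \t]*services[ \t]*=/ {
            val = $0
            sub(/^[^=]*=/, "", val)             # keep only the value part
            n = split(val, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", parts[i])
                if (parts[i] == "pam") found = 1
            }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# login_can_reach_sssd PAM_FILE SSSD_CONF
# Prints one line per problem found; returns 0 only when both checks pass.
login_can_reach_sssd() {
    rc=0
    if ! pam_sss_in_auth_stack "$1"; then
        echo "PROBLEM: $1 has no active 'auth' line loading pam_sss.so"
        rc=1
    fi
    if ! sssd_pam_responder_enabled "$2"; then
        echo "PROBLEM: $2 does not list 'pam' in [sssd] services"
        rc=1
    fi
    return $rc
}

# --- constructed sample inputs ------------------------------------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# PAM auth stack that does call pam_sss.so
cat > "$demo_dir/pam-with-sss" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
EOF

# PAM auth stack where pam_sss.so survives only as a comment
cat > "$demo_dir/pam-without-sss" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
# auth      sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
EOF

# [sssd] section shaped like the one posted above (pam responder enabled)
cat > "$demo_dir/sssd-with-pam.conf" <<'EOF'
[sssd]
services = nss, pam
config_file_version = 2
domains = default
EOF

# same section with the pam responder left out
cat > "$demo_dir/sssd-nss-only.conf" <<'EOF'
[sssd]
services = nss
config_file_version = 2
domains = default
EOF

login_can_reach_sssd "$demo_dir/pam-with-sss" "$demo_dir/sssd-with-pam.conf" \
    && echo "OK: logins through this PAM stack reach SSSD"
login_can_reach_sssd "$demo_dir/pam-without-sss" "$demo_dir/sssd-nss-only.conf" \
    || echo "the two problems above are the 'no auth attempt in the log' case"
```

On a real host, point the first argument at the file the login service actually includes rather than the service file itself: on CentOS the sshd and login stacks pull in /etc/pam.d/password-auth and /etc/pam.d/system-auth via "substack", and on Ubuntu they "@include" /etc/pam.d/common-auth, so pam_sss.so normally lives in those. Once a login does reach SSSD with debug_level = 10, the PAM request shows up in /var/log/sssd/sssd_pam.log before the domain log, which is the quickest way to confirm the path is now wired up.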
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue