# /etc/nsswitch.conf
passwd: compat sss ldap
group: compat sss ldap
shadow: compat ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis sss
sudoers: files sss
my pam file
# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_sss.so
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
/etc/sssd/sssd.conf
[domain/default]
debug_level=0xFFF0
autofs_provider = ldap
ldap_default_bind_dn = uid=myuid,ou=Auth,dc=mydc1,dc=mydc2
ldap_default_authtok_type = password
ldap_default_authtok = mysecret
ldap_schema = rfc2307bis
krb5_realm = #
ldap_search_base = dc=mydc1,dc=mydc2
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_id_use_start_tls = True
cache_credentials = True
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_tls_reqcert=demand
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default
[pam]
[nss]
[sudo]
[autofs]
[ssh]
[pac]
As said earlier, I tried with those 2 commands to simulate the lost of the ldap server :
iptables -A OUTPUT -p tcp --dport 636 -j REJECT
iptables -A OUTPUT -p tcp --dport 636 -j DROP
Not better with REJECT
never tried start_tls. We currently use LDAP over/TLS (using pam_ldap) so I'm trying with the same configuration
On (14/03/16 10:54), Cyril Scetbon wrote:The full log can be found at http://pastebin.com/pk5bD2ks
We can see that the ldap is marked as offline :
(Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
(Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error]) (Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [be_mark_offline] (0x2000): Going offline!
(Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
Then I see :
(Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [sdap_pam_auth_handler] (0x0100): Backend is marked offline, retry later!
(Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Backend returned: (1, 9, <NULL>) [Provider is Offline (Authentication service cannot retrieve authentication info)]
(Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sending result [9][default]
(Mon Mar 14 15:40:06 2016) [sssd[be[default]]] [be_pam_handler_callback] (0x0100): Sent result [9][default]
(Mon Mar 14 15:40:09 2016) [sssd[be[default]]] [sbus_dispatch] (0x4000): dbus conn: 0x1c719d0
(Mon Mar 14 15:40:09 2016) [sssd[be[default]]] [sbus_dispatch] (0x4000): Dispatching.
So I was expecting to get an ok from pam, as we use cache_credentials = true
As I said, the only thing I did was drop my network paquets sent to port 636 to simulate a dead ldap. It takes also ~36 seconds for the connection to fail because of it
Could you try reject instead of drop?Is there the same problem with ldap + start_tls?LS_______________________________________________sssd-users mailing listsssd-users@lists.fedorahosted.orghttps://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.orghttps://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org