Hi,

I am trying to get SSSD to authenticate against an OpenLDAP directory. I have "debug_level" turned up to 10 but have not been able to figure out what the problem is based on the log.

On an Ubuntu 22.04 system I have found that something with TLS is broken when it tries to connect to OpenLDAP, which is why it has failed on that system -- I think this is related to the OS moving to OpenSSL 3 but have not been able to figure out how to fix it.

On this CentOS 7 system, you can see that it can find the user, can get properties from the user, but still fails the user login without, as far as I can tell, explaining why.

I have pasted our sssd.conf below, and here is a link to my Nextcloud instance where I am hosting the relevant portion of the log (it was too big for me to be able to paste it into Pastebin): https://checkwithscience.com/index.php/s/e7mXKAzcq87q6HD

Hoping someone can help us get to the bottom of this.

Thanks.

Here is our sssd.conf:

[sssd]
services = nss, pam
config_file_version = 2
domains = default
certificate_verification = no_verification

[nss]

[pam]
offline_credentials_expiration = 60

[domain/default]
debug_level = 10
ldap_id_use_start_tls = False
cache_credentials = True
ldap_search_base = ou=users,dc=clab,dc=lab
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ldaps://10.8.8.60:636
ldap_default_bind_dn = cn=admin,dc=clab,dc=lab
ldap_default_authtok = definitelyverysecurepassword
ldap_tls_reqcert = allow
ldap_tls_cacert = /usr/local/share/ca-certificates/mycacert.crt
ldap_tls_cacertdir = /usr/local/share/ca-certificates
ldap_tls_cert = /etc/ldap/ldapserver00_slapd_cert.pem
certificate_verification = no_verification
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
override_homedir = /home/%U
override_shell = /bin/bash
ldap_user_name = uid
auto_private_groups = true
sudo_provider = none
ldap_account_expire_policy = nds
ldap_passwd_policy = shadow