I am trying to get SSSD to authenticate against an OpenLDAP directory. I have "debug_level" turned up to 10 but have not been able to figure out what the problem is based on the log.
On an Ubuntu 22.04 system I have found that something with TLS is broken when it tries to connect to OpenLDAP, which is why it has failed on that system -- I think this is related to the OS moving to OpenSSL 3 but have not been able to figure out how to fix it.
On this CentOS 7 system, you can see that it can find the user, can get properties from the user, but still fails the user login without, as far as I can tell, explaining why.
Hoping someone can help us get to the bottom of this.
Thanks.
[sssd]
services = nss, pam
config_file_version = 2
domains = default
# certificate_verification governs smartcard/certificate (PAM) authentication only;
# it does not relax the TLS checks on the LDAP connection (ldap_tls_reqcert does that).
certificate_verification = no_verification
[nss]
[pam]
offline_credentials_expiration = 60
[domain/default]
debug_level = 10
# StartTLS is off for the id connection: user lookups and the ldap_default_bind_dn
# simple bind go over cleartext unless ldap_uri is ldaps://. Authentication binds
# still require TLS (unless ldap_auth_disable_tls_never_use_in_production is set),
# so the TLS settings below matter even with this set to False.
ldap_id_use_start_tls = False
cache_credentials = True
ldap_search_base = ou=users,dc=clab,dc=lab
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
# Binding as the directory administrator is more privilege than lookups need;
# a read-only service account limits what a leaked sssd.conf gives away.
# The password is stored in plaintext, so this file must stay root:root mode 0600.
ldap_default_bind_dn = cn=admin,dc=clab,dc=lab
ldap_default_authtok = definitelyverysecurepassword
# allow: a bad or missing server certificate is ignored and the session proceeds,
# so the CA chain is never actually enforced; demand/hard is the setting to aim for.
ldap_tls_reqcert = allow
ldap_tls_cacert = /usr/local/share/ca-certificates/mycacert.crt
# libldap built on OpenSSL only honours a hashed cacertdir (openssl rehash / c_rehash);
# GnuTLS builds ignore it. ldap_tls_cacert pointing at the CA file is more portable.
ldap_tls_cacertdir = /usr/local/share/ca-certificates
# ldap_tls_cert is a client certificate for TLS client authentication and pairs with
# ldap_tls_key; it is not where the server's certificate gets trusted.
ldap_tls_cert = /etc/ldap/ldapserver00_slapd_cert.pem
# Same note as in [sssd]: this does not affect LDAP TLS verification.
certificate_verification = no_verification
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
override_homedir = /home/%U
override_shell = /bin/bash
ldap_user_name = uid
auto_private_groups = true
sudo_provider = none
# nds evaluates Novell eDirectory attributes (loginDisabled, loginExpirationTime,
# loginAllowedTimeMap); an OpenLDAP tree carrying shadow attributes normally uses shadow.
ldap_account_expire_policy = nds
ldap_passwd_policy = shadow
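The settings above are the ones a reviewer would check first: StartTLS off without an ldaps:// URI, `ldap_tls_reqcert = allow`, a client certificate option pointed at a server certificate, an admin bind DN, and an eDirectory expiry policy against OpenLDAP. As an added example (not code from the poster or from the SSSD project), the script below parses an sssd.conf with the standard `configparser` and reports those conditions, with the checks taken from the documented semantics of the `sssd-ldap` options. The two embedded configurations are constructed: the first mirrors the posted file with the password replaced, the second is a hardened counterpart using a hypothetical host name `ldapserver00.clab.lab` and service account `cn=sssd-reader,ou=services,dc=clab,dc=lab`.

```python
"""Lint an sssd.conf for LDAP settings that commonly break or weaken auth.
Added example; not part of the original post or of SSSD itself."""
import configparser
from typing import List, Tuple

Finding = Tuple[str, str, str, str]  # (severity, section, option, message)

# Constructed sample modelled on the posted configuration (password redacted).
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
config_file_version = 2
domains = default
certificate_verification = no_verification
[domain/default]
ldap_id_use_start_tls = False
ldap_search_base = ou=users,dc=clab,dc=lab
id_provider = ldap
auth_provider = ldap
ldap_default_bind_dn = cn=admin,dc=clab,dc=lab
ldap_default_authtok = REDACTED
ldap_tls_reqcert = allow
ldap_tls_cacert = /usr/local/share/ca-certificates/mycacert.crt
ldap_tls_cacertdir = /usr/local/share/ca-certificates
ldap_tls_cert = /etc/ldap/ldapserver00_slapd_cert.pem
override_homedir = /home/%U
ldap_account_expire_policy = nds
ldap_passwd_policy = shadow
"""

# Constructed hardened counterpart; host name and bind DN are hypothetical.
HARDENED_SSSD_CONF = """
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[domain/default]
ldap_uri = ldaps://ldapserver00.clab.lab
ldap_search_base = ou=users,dc=clab,dc=lab
id_provider = ldap
auth_provider = ldap
ldap_default_bind_dn = cn=sssd-reader,ou=services,dc=clab,dc=lab
ldap_default_authtok = REDACTED
ldap_tls_reqcert = demand
ldap_tls_cacert = /usr/local/share/ca-certificates/mycacert.crt
override_homedir = /home/%U
ldap_account_expire_policy = shadow
ldap_passwd_policy = shadow
"""


def load_sssd_conf(text: str) -> configparser.ConfigParser:
    # interpolation=None: SSSD values such as /home/%U contain a literal '%'.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _true(value: str) -> bool:
    return value.strip().lower() in ("true", "yes", "1")


def lint_domain(cp: configparser.ConfigParser, section: str) -> List[Finding]:
    d = cp[section]
    out: List[Finding] = []

    def add(sev: str, opt: str, msg: str) -> None:
        out.append((sev, section, opt, msg))

    def get(opt: str, default: str = "") -> str:
        return d.get(opt, default).strip()

    # Id connection without TLS: lookups and the bind-DN password go in the clear.
    if not _true(get("ldap_id_use_start_tls", "false")) and \
            not get("ldap_uri").lower().startswith("ldaps://"):
        add("warn", "ldap_id_use_start_tls",
            "id lookups and the ldap_default_bind_dn bind run without TLS; "
            "auth binds still require TLS, so TLS must work regardless")
    # allow/never: a bad server certificate is accepted, inviting a MITM.
    reqcert = get("ldap_tls_reqcert", "hard").lower()
    if reqcert in ("never", "allow"):
        add("warn", "ldap_tls_reqcert",
            f"{reqcert}: server certificate is not enforced; use demand/hard")
    # ldap_tls_cert is a client certificate and needs ldap_tls_key to be useful.
    if "ldap_tls_cert" in d and "ldap_tls_key" not in d:
        add("warn", "ldap_tls_cert",
            "client certificate without ldap_tls_key; server trust is ldap_tls_cacert")
    if "ldap_tls_cacertdir" in d:
        add("info", "ldap_tls_cacertdir",
            "needs a hashed directory on OpenSSL builds and is ignored by GnuTLS")
    if get("ldap_default_bind_dn").lower().startswith(("cn=admin,", "cn=manager,")):
        add("info", "ldap_default_bind_dn",
            "binding as directory admin; prefer a read-only service account")
    if "ldap_default_authtok" in d:
        add("info", "ldap_default_authtok", "plaintext secret; file must be 0600")
    if get("ldap_account_expire_policy").lower() == "nds" and get("id_provider") == "ldap":
        add("info", "ldap_account_expire_policy",
            "nds checks eDirectory attributes; OpenLDAP shadow trees use shadow")
    return out


def lint_sssd_conf(cp: configparser.ConfigParser) -> List[Finding]:
    findings: List[Finding] = []
    for section in cp.sections():
        if section.startswith("domain/"):
            findings.extend(lint_domain(cp, section))
        # certificate_verification only tunes smartcard/certificate auth.
        if cp.has_option(section, "certificate_verification"):
            findings.append(("info", section, "certificate_verification",
                             "affects smartcard auth only, not LDAP TLS checks"))
    return findings


if __name__ == "__main__":
    for name, text in (("posted", SAMPLE_SSSD_CONF), ("hardened", HARDENED_SSSD_CONF)):
        print(f"== {name} ==")
        for sev, sec, opt, msg in lint_sssd_conf(load_sssd_conf(text)):
            print(f"[{sev}] [{sec}] {opt}: {msg}")
```

Run it against `/etc/sssd/sssd.conf` by reading the file into `load_sssd_conf`; the hardened sample produces only informational findings (the bind password still has to live somewhere), while the posted layout produces three warnings. Whether the remaining TLS failure is a CA-chain or OpenSSL 3 issue is something `ldapsearch -ZZ -d 1` or `openssl s_client` against the server will show; this lint only tells you which settings are masking or weakening that check.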