On Fri, Nov 13, 2015 at 06:51:07AM +0100, Lukas Slebodnik wrote:
On (12/11/15 13:51), aaron wang wrote:
>Hi all,
>
>
>I'm configuring SSSD on a system to authenticate users against the LDAP
>server.
>
>LDAP server side:
>there are basically three options for the anonymous binding flag: 0
>completely disallows anonymous binding, 1 allows anonymous binding, 2 allows
>anonymous binds but allows only search operations on the root DSE entry for
>anonymous users
>
>SSSD side:
>I'm providing the ldap_default_bind_dn and ldap_default_bind_authtok for
>the binding.
>
>Tests:
>1) if the admin changes the anonymous binding flag to "COMPLETELY DISALLOW" or
>"ONLY ALLOW DSE", the authentication against the LDAP server doesn't work
>
>from the sssd log, sssd has marked the LDAP server as "working", but
>sssd can't find the user in LDAP
>
>2) if the admin sets the anonymous binding flag to "ALLOW ANONYMOUS BINDING", the
>authentication against the LDAP server works
>
>The only difference between test 1) and test 2) is the anonymous binding
>flag.
yes, this is expected, because even for authentication SSSD has to
search for a matching user entry first. This search is done anonymously
in the default configuration.
>
>
>I'm expecting that if I provide binding dn and binding password in the
yes, this will instruct SSSD to bind before doing searches, but ...
>sssd.conf, the server could turn off anonymous binding completely or
at least
>partially. Is there a known issue around this?
... the DSE lookup will still be done anonymously because afaik (I hope
this didn't change in the meantime) the RFC says that the DSE
should always be accessible. And since the DSE contains information
about the supported authentication types, it makes sense to read it before
doing a bind.
Nevertheless, a failure during the DSE lookup should not be fatal; you
only have to provide, e.g., the base DN of your LDAP tree in sssd.conf,
which would otherwise be discovered automatically from the DSE.
>
>version: sssd-1.9.2
>
I assume (based on the version) you use sssd on el6.4 or el6.5, which are quite old.
Could you test with 1.12.x?
yes, please use a newer version.
bye,
Sumit
LS
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
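For readers landing on this thread with the same problem, here is an added sssd.conf example (not from the thread, not SSSD's own documentation) that applies the advice above: give SSSD a bind identity so the user lookup is no longer anonymous, and set ldap_search_base explicitly so nothing depends on the anonymous root DSE discovery. The host name, base DN, bind DN and CA path are placeholders. Note that the real option names are ldap_default_bind_dn, ldap_default_authtok_type and ldap_default_authtok (the original post wrote the last one as ldap_default_bind_authtok).

```ini
# Added example, not from the thread. Placeholders: ldap.example.com,
# dc=example,dc=com, cn=sssd-reader,... and the CA bundle path.
#
# --- before: works only while the server allows anonymous reads ------------
# [domain/example.com]
# id_provider = ldap
# auth_provider = ldap
# ldap_uri = ldaps://ldap.example.com
# # no ldap_search_base: base DN is discovered from the root DSE (namingContexts)
# # no ldap_default_bind_dn: the user lookup before the auth bind is anonymous
#
# --- after: explicit read-only bind identity and explicit search base --------
[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
# Set explicitly so SSSD does not need namingContexts from the root DSE.
ldap_search_base = dc=example,dc=com
# Least-privilege service account that may only read the user/group subtrees.
ldap_default_bind_dn = cn=sssd-reader,ou=services,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = REPLACE-WITH-THE-SERVICE-ACCOUNT-PASSWORD
```

Two checks are worth doing before changing the server-side flag. First, confirm what the server still exposes anonymously, since SSSD reads the root DSE before it binds: `ldapsearch -x -H ldaps://ldap.example.com -s base -b '' '(objectClass=*)' namingContexts supportedSASLMechanisms` (anonymous, because no `-D`); then repeat a user search with `-D` and `-W` for the bind DN to confirm the service account can actually see the user entries. Second, because sssd.conf now carries a password, keep it owned by root with mode 0600 (the default), and consider `ldap_default_authtok_type = obfuscated_password` with the value produced by `sss_obfuscate` so the plaintext is not sitting in the file; obfuscation is not encryption, so the file permissions remain the real control.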