On Thu, Mar 17, 2016 at 05:04:52PM -0000, minfrin(a)sharp.fm wrote:
Hi all,
I have a 389ds server that uses a certmap to map client certificates to a valid bind, and
this works fine.
I am struggling to get sssd on ubuntu trusty to use a client certificate to talk to this
server, and I don't know what I'm doing wrong. My /etc/sssd/sssd.conf looks like
below.
[sssd]
config_file_version = 2
domains = LDAP
services = nss, pam
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
# A native LDAP domain
[domain/LDAP]
enumerate = true
cache_credentials = TRUE
debug_level = 9
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.example.com:636
ldap_user_search_base = dc=example,dc=com
tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/root-ca.crt
ldap_tls_cert = /etc/ssl/certs/my.crt
ldap_tls_key = /etc/ssl/private/my.key
ldap_sasl_mech = EXTERNAL
When sssd attempts to connect to the LDAP server, first it connects and makes an
anonymous bind, which the server refuses. sssd then tries to make a SASL EXTERNAL bind,
which fails claiming external isn't a valid bind method.
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message
type: [LDAP_RES_SEARCH_RESULT]
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x0400): Search
result: Inappropriate authentication(48), Anonymous access is not allowed.
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x0040):
Unexpected result from ldap: Inappropriate authentication(48), Anonymous access is not
allowed.
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_get_generic_done] (0x0100):
sdap_get_generic_ext_recv failed [5]: Input/output error
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_get_server_opts_from_rootdse] (0x0200):
No known USN scheme is supported by this server!
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_cli_auth_step] (0x0100): expire timeout
is 900
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sdap_cli_auth_step] (0x1000): the connection
will expire at 1458231814
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sasl_bind_send] (0x0100): Executing sasl
bind mech: EXTERNAL, user: (null)
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sasl_bind_send] (0x0020): ldap_sasl_bind
failed (-6)[Unknown authentication method]
(Thu Mar 17 16:08:34 2016) [sssd[be[LDAP]]] [sasl_bind_send] (0x0080): Extended failure
message: [SASL(-4): no mechanism available: ]
From what I can see, there is no attempt to use the client certificate at all.
Can anyone point out where I am going wrong?
Does it make a difference if you use:
ldap_uri =
ldap://ldap.example.com
ldap_id_use_start_tls = true
Does ldapsearch on the command line work?
LDAPTLS_CERT=/etc/ssl/certs/my.crt LDAPTLS_KEY=/etc/ssl/private/my.key ldapsearch -H
ldap://ldap.example.com -ZZ -Y EXTERNL -b '' -s base
LDAPTLS_CERT=/etc/ssl/certs/my.crt LDAPTLS_KEY=/etc/ssl/private/my.key ldapsearch -H
ldaps://ldap.example.com -Y EXTERNAL -b '' -s base
bye,
Sumit
>
> Regards,
> Graham
> --
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
>
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org