sssd and ldap config
Nalin Dahyabhai
nalin at redhat.com
Wed Jun 9 15:18:36 UTC 2010
On Wed, Jun 09, 2010 at 09:34:34AM -0500, Michael Cronenworth wrote:
> I have attempted to enable SSSD for my work LDAP server, which I also
> administer, on a fresh F13 install. Once I check the boxes in the
> Authentication app, hit apply, and reboot, I cannot login with any LDAP
> user. Under the local user, I cannot perform getent on any LDAP user. I
> can, however, set my nsswitch.conf to "files ldap" and perform getent
> commands successfully. The LDAP server is configured correctly and has
> been utilized by pre-F13 machines and Windows machines for about 2 years.
Setting nsswitch.conf to "ldap" doesn't test sssd -- the source for that
information should be listed as "sss" if you want to use sssd.
> I noticed there is a QA test case[1] for this particular feature, but it
> isn't working for me. Is there something I'm missing beyond both the
> Authentication GUI app *and* the testcase page?
>
> [1]
> https://fedoraproject.org/wiki/QA:Testcase_SSSD_LDAP_Identity_and_LDAP_Authentication_with_TLS
The example sssd.conf doesn't look right to me -- the bits in there that
mention Kerberos-specific (krb5*) settings don't fit at all since the
auth_provider isn't set to Kerberos (krb5) and the client isn't being
told to use Kerberos to authenticate to the directory server. There
aren't any of the TLS-related settings that sssd-ldap(5) details in
there, either.
I'm afraid I can't offer any specific advice because I don't know much
about your setup, but I'd expect to see something more like this:
# sssd.conf names each domain section "domain/<name>", not "domains/<name>"
[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.corp.example.com/
ldap_search_base = dc=example,dc=com
# upgrade the ldap:// connection with StartTLS; set to False when using ldaps://
ldap_id_use_start_tls = True
# directory of CA certificates, hashed with c_rehash
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_user_gecos = cn
debug_level = 0
cache_credentials = True
min_id = 1000
If you want to use LDAP-over-SSL instead of LDAP-with-StartTLS, you
should be able to set "ldap_id_use_start_tls" to "False" and change the
ldap_uri to start with "ldaps://" instead of "ldap://".
Don't forget that when you're using a directory to hold certificates,
you almost always have to run "c_rehash" (from the openssl-perl package)
on the directory, and to make sure that certificates in the directory
have names ending in ".pem" so that "c_rehash" will find them.
If that doesn't point you in the right direction, you might want to ask
on the sssd list.
HTH,
Nalin
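The two mismatches called out in the reply (Kerberos keys under an LDAP auth_provider, and the StartTLS-versus-ldaps:// choice) plus the c_rehash requirement can be checked mechanically. The following linter is an added example written for this page, not code from the thread or from the sssd project; the sssd.conf text is constructed, and the hash-link pattern assumes the `<hash>.<n>` file names that c_rehash creates.

```python
import configparser
import re

# Constructed sample, not from the thread: the layout the reply suggests, with a
# stray Kerberos key and a StartTLS/ldaps:// mismatch deliberately left in.
SAMPLE_CONF = """\
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.corp.example.com/
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
krb5_realm = EXAMPLE.COM
"""

# Symlink names produced by c_rehash (assumed format: 8 hex digits, dot, index).
HASH_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")

def lint_domain(conf_text, domain="default"):
    """Return findings for the [domain/<domain>] section of an sssd.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp[f"domain/{domain}"]
    findings = []
    auth = sec.get("auth_provider", "").strip().lower()
    krb_keys = sorted(k for k in sec if k.startswith("krb5_"))
    if krb_keys and auth != "krb5":
        findings.append(f"krb5_* keys {krb_keys} set but auth_provider is {auth!r}")
    uri = sec.get("ldap_uri", "").strip()
    start_tls = sec.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
    if uri.startswith("ldaps://") and start_tls:
        findings.append("ldap_uri is ldaps:// but ldap_id_use_start_tls = True; use one or the other")
    if uri.startswith("ldap://") and not start_tls:
        findings.append("ldap:// without StartTLS: lookups and binds travel in cleartext")
    return findings

def cacert_findings(names):
    """Findings for the file names in an ldap_tls_cacertdir (e.g. os.listdir(path))."""
    findings = []
    certs = [n for n in names if not HASH_LINK.match(n)]
    for n in certs:
        if not n.endswith(".pem"):
            findings.append(f"{n}: name does not end in .pem, c_rehash will not hash it")
    if certs and not any(HASH_LINK.match(n) for n in names):
        findings.append("no hash links present; run c_rehash on the directory")
    return findings
```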