Hi Stephen, <br><br>It was indeed the unencrypted channel that was the culprit. We tried authenticating against a system with LDAP+GSSAPI and it worked like a charm !<br><br>Thanks !<br><br>cheers,<br>Andy<br><br><div class="gmail_quote">

2010/8/30 Stephen Gallagher <span dir="ltr">&lt;<a href="mailto:sgallagh@redhat.com">sgallagh@redhat.com</a>&gt;</span><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">

<div class="im">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
</div><div class="im">On 08/30/2010 09:52 AM, Andy Kannberg wrote:<br>
&gt; Hi all,<br>
&gt;<br>
&gt; In our setup, we run into the following problem: When sssd is<br>
&gt; configured, the authentication against ldap fails, but succeeds against<br>
&gt; kerberos/AD. Our ldap/edirectory guru has, as far as he is concerned,<br>
&gt; pinned the problem down due to the fact that ldap authentication fails<br>
&gt; with the logging saying &quot;password failed&quot;:<br>
<br>
</div>Please include your [sanitized] sssd.conf.<br>
<div class="im"><br>
<br>
&gt;<br>
&gt; Now, browsing through the options that can be set, we sat that we were<br>
&gt; able to set an ldap_default_authtok_type. However, the only possible<br>
&gt; option here is &quot;password&quot;. However, the object &quot;password&quot; is unknown in<br>
&gt; eDirectory. All other options can be set/remapped to other attributes,<br>
&gt; and this particular one cannot. Is there a work around for this that<br>
&gt; anyone knows of ?<br>
&gt;<br>
<br>
</div>This is not an ldap attribute. It&#39;s a type identifier so that SSSD knows<br>
that the authentication credentials are a password (as opposed to a<br>
certificate, which we intend to support eventually). We don&#39;t use the<br>
user&#39;s password attribute directly.<br>
<br>
The way the authentication works in SSSD is by attempting to perform a<br>
simple bind against the LDAP user, where the bind DN is the user&#39;s full<br>
distinguished name and the bind password is the user&#39;s password. If this<br>
simple bind succeeds, then we treat the user as authenticated.<br>
<br>
One thing you may be encountering is that SSSD will deny any<br>
authentication that attempts to occur over an unencrypted channel. You<br>
must be using one of<br>
 * LDAP+TLS<br>
 * LDAPS<br>
 * LDAP+GSSAPI<br>
to encrypt the channel for authentication to succeed. I&#39;d need to see<br>
more of your logs than what you included here to tell you if this is the<br>
problem. You included only the logs for the user lookup, and not for the<br>
user authentication.<br>
<br>
If you don&#39;t see any requests for the user authentication in the log,<br>
then your problem is with your client&#39;s PAM configuration, and not SSSD.<br>
<br>
It would be a good idea to also include your /etc/pam.d/system-auth file.<br>
<div class="im"><br>
- --<br>
Stephen Gallagher<br>
RHCE 804006346421761<br>
<br>
Delivering value year after year.<br>
Red Hat ranks #1 in value among software vendors.<br>
<a href="http://www.redhat.com/promo/vendor/" target="_blank">http://www.redhat.com/promo/vendor/</a><br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.10 (GNU/Linux)<br>
Comment: Using GnuPG with Fedora - <a href="http://enigmail.mozdev.org/" target="_blank">http://enigmail.mozdev.org/</a><br>
<br>
</div>iEYEARECAAYFAkx7ufoACgkQeiVVYja6o6Mm7QCcC9wxGcFH6TLsjLpync8K0fxl<br>
OWsAmwQ3682fawZh0XQX7gwAxKxe900q<br>
=APu9<br>
-----END PGP SIGNATURE-----<br>
<div><div></div><div class="h5">_______________________________________________<br>
sssd-devel mailing list<br>
<a href="mailto:sssd-devel@lists.fedorahosted.org">sssd-devel@lists.fedorahosted.org</a><br>
<a href="https://fedorahosted.org/mailman/listinfo/sssd-devel" target="_blank">https://fedorahosted.org/mailman/listinfo/sssd-devel</a><br>
</div></div></blockquote></div><br>