On Sat, Nov 26, 2011 at 08:16:11PM +0100, Sascha Frey wrote:
> Hi list,
> I'm trying to get sssd 1.6.1 working on FreeBSD 9.0 RC2 for some time
> now.
> /var/log/sssd/sssd_LDAP.log shows that the connection to the LDAP server
> fails:
> (Sat Nov 26 18:54:52 2011) [sssd[be[LDAP]]]
> [sdap_ldap_connect_callback_add] (7): New LDAP connection to
> [ldap://rep1.LDAP.techfak.uni-bielefeld.de:389/??base] with fd [15].
> (Sat Nov 26 18:54:52 2011) [sssd[be[LDAP]]] [sdap_sys_connect_done] (1):
> Failed to set LDAP SASL nocanon option to true
Here ^^ goes the error (Thank you for providing just the right snippet
from the logs, btw)
Can you try setting ldap_sasl_canonicalize = true in the [domain]
section of sssd.conf? That should completely bypass setting the faulty option.
What OpenLDAP version are you running? I'm not sure why setting an
LDAP option would fail (an openldap bug, perhaps), but I think SSSD shouldn't treat
an error while setting this particular option as fatal; we should rather try
to carry on, warning the user that a SASL bind later might fail.
I've opened https://fedorahosted.org/sssd/ticket/1100 to track this.
> (Sat Nov 26 18:54:52 2011) [sssd[be[LDAP]]] [fo_set_port_status]
> (4):
> Marking port 389 of server 'rep1.LDAP.techfak.uni-bielefeld.de' as 'not
> working'
> 'ldapsearch -x -ZZ' with TLS_REQCERT=demand does work.
> I tried with 'ldap_tls_cacert' in sssd.conf (should not be
> necessary because of TLS_CACERT in /usr/local/etc/openldap/ldap.conf).
> Doesn't seem to be a TLS verification issue, because 'ldap_tls_reqcert =
> never' doesn't help either.
> ldap://server.fqdn/ or ldaps://server.fqdn/ makes no difference.
> The same sssd.conf works with sssd 1.5.1 under RHEL 6.1.
That's because sssd code in 6.1 does not contain the nocanon option yet.
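As an added illustration (not part of the thread or of the SSSD code base), the script below parses the sssd_LDAP.log lines quoted above, confirms that the server was marked 'not working' because the SASL nocanon option could not be set, and writes the suggested `ldap_sasl_canonicalize = true` workaround into every `[domain/...]` section of an sssd.conf. It assumes sssd.conf is INI-style text that Python's configparser can read (comments are not preserved on rewrite); the sample log lines are the thread's, reassembled from their wrapped form.

```python
import configparser
import io
import re

# sssd debug log line: (timestamp) [sssd[be[DOMAIN]]] [function] (debug level): message
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[(?P<proc>sssd(?:\[[^\[\]]+(?:\[[^\[\]]+\])?\])?)\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>\d+)\): (?P<msg>.*)$"
)
PORT_DOWN_RE = re.compile(r"Marking port (\d+) of server '([^']+)' as 'not working'")
WORKAROUND = "ldap_sasl_canonicalize = true"  # suggested in the thread; [domain/...] section

# The three log lines from the thread, reassembled onto single lines.
SAMPLE_LOG = [
    "(Sat Nov 26 18:54:52 2011) [sssd[be[LDAP]]] [sdap_ldap_connect_callback_add] (7): "
    "New LDAP connection to [ldap://rep1.LDAP.techfak.uni-bielefeld.de:389/??base] with fd [15].",
    "(Sat Nov 26 18:54:52 2011) [sssd[be[LDAP]]] [sdap_sys_connect_done] (1): "
    "Failed to set LDAP SASL nocanon option to true",
    "(Sat Nov 26 18:54:52 2011) [sssd[be[LDAP]]] [fo_set_port_status] (4): "
    "Marking port 389 of server 'rep1.LDAP.techfak.uni-bielefeld.de' as 'not working'",
]


def parse_line(line):
    """Split one sssd debug line into its fields; None if the line has another format."""
    m = LOG_RE.match(line.strip())
    return None if not m else {**m.groupdict(), "level": int(m["level"])}


def diagnose_nocanon(lines):
    """Return the server/port taken offline after the nocanon option failed, else None."""
    recs = [r for r in map(parse_line, lines) if r]
    if not any(r["func"] == "sdap_sys_connect_done" and "nocanon" in r["msg"] for r in recs):
        return None
    for r in recs:
        m = PORT_DOWN_RE.search(r["msg"]) if r["func"] == "fo_set_port_status" else None
        if m:
            return {"server": m[2], "port": int(m[1]), "workaround": WORKAROUND}
    return {"server": None, "port": None, "workaround": WORKAROUND}


def add_canonicalize_workaround(conf_text):
    """Set ldap_sasl_canonicalize = true in every [domain/...] section of an sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    for section in cp.sections():
        if section.startswith("domain/"):
            cp[section]["ldap_sasl_canonicalize"] = "true"
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```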