Hi Sumit,
I have switched back to using ldap://...:389 on the LDAP server and on the SSSD Client.
ldapsearch -x -ZZ .... now working on SSSD Client
getent passwd -s sss now working on SSSD Client
getent group -s sss now working on SSSD Client
.... but the greatest thing of all is; I CAN now login using all 6 test ldap users via the
SSSD Client.
YYYeeeeeeeeeeeeesssssssssssssssssssss!
Sumit - many thanks for your help, you pointed me in the right direction which has helped
me to finally setup a working SSSD Auth on LDAP.
All the very best...
Steve...
-----Original Message-----
From: Murdoch, Steve
Sent: 28 January 2016 08:51
To: sssd-users(a)lists.fedorahosted.org
Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
Hi Sumit,
When I used ldap://...:389 the ldap search with the -ZZ worked ok - getent passwd and
group also working ok.
I will put the setup back to 389.
So,
Does 'ldapsearch -x -ZZ ...' work if you use port 389? YES
it works!
Thanks
Steve..
-----Original Message-----
From: Sumit Bose [mailto:sbose@redhat.com]
Sent: 28 January 2016 08:46
To: sssd-users(a)lists.fedorahosted.org
Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7
On Wed, Jan 27, 2016 at 03:25:13PM +0000, Murdoch, Steven wrote:
Hi Sumit - I have a CA.crt (self signed) on both the client and the
server, and there is an option in the sssd.conf to start_tls:
In sssd.conf:
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = demand
cache_credentials = True
default_shell = /bin/bash
ldap_user_object_class = posixAccount
ldap_group_object_class = posixGroup
ldap_user_home_directory = homeDirectory
ldap_tls_cacert = /etc/openldap/cacerts/CA.crt
In /etc/openldap/ldap.conf:
ssl on
ssl start_tls
TLS_REQCERT allow
HOST ActDir-VM-Test.vmlab.ari.cdk.hosting
BASE dc=ActDir-VM-Test,dc=vmlab,dc=ari,dc=cdk,dc=hosting
URI ldaps://ActDir-VM-Test.vmlab.ari.cdk.hosting:636
TLS_CACERTDIR /etc/openldap/cacerts
In /etc/openldap/cacerts on Client:
[root@SSSD-VM-Test cacerts]# ll
total 16
lrwxrwxrwx 1 root root 10 Jan 27 14:41 19913717.0 -> server.crt
-rw-r--r-- 1 root root 1025 Jan 25 09:08 CA.crt
-rw-r--r-- 1 root root 963 Jan 22 16:49 CA.key
-rw-r--r-- 1 root root 17 Jan 22 16:49 CA.srl
lrwxrwxrwx 1 root root 6 Jan 27 14:41 e639daac.0 -> CA.crt
-rw-r--r-- 1 root root 851 Jan 27 14:40 server.crt
#
In /etc/openldap/cacerts on LDAP Server:
[root@ActDir-VM-Test cacerts]# ll
total 24
lrwxrwxrwx 1 root root 10 Jan 25 09:14 19913717.0 -> server.crt
-rw-r--r-- 1 root root 1025 Jan 25 09:03 CA.crt
-rw-r--r-- 1 root root 963 Jan 25 09:01 CA.key
-rw-r--r-- 1 root root 17 Jan 19 10:47 CA.srl
lrwxrwxrwx 1 root root 6 Jan 25 09:14 e639daac.0 -> CA.crt
-rw-r--r-- 1 root root 851 Jan 19 10:47 server.crt
-rw-r--r-- 1 root root 720 Jan 19 10:45 server.csr
-rw-r--r-- 1 root root 887 Jan 19 10:43 server.key
#
I was running ldap://389, so now tried to switch to ldaps://636 – but now I am getting
this on the client:
Do I need to switch to 636 for TLS/SSL – I thought 389 would also work with TLS?
no, running on port 389 is fine, SSSD will call StartTLS to setup an encrypted channel
before sending sensitive data.
[root@SSSD-VM-Test db]# ldapsearch -x -ZZ -H ldaps://ActDir-VM-Test.vmlab.ari.cdk.hosting -b dc=vmlab,dc=ari,dc=cdk,dc=hosting objectclass=*
ldap_start_tls: Can't contact LDAP server (-1)
additional info: TLS error -8157:Certificate extension not found.
#
Does 'ldapsearch -x -ZZ ...' work if you use port 389? If this fails you can try
LDAPTLS_REQCERT=never ldapsearch -x -ZZ ...
This skips the validation of the server certificate (because according to the error there
is some extension missing in the certificate which OpenLDAP expects to be present). If
this works you can set 'ldap_tls_reqcert = never' in the domain section of
sssd.conf for testing; in the long run you should try to create a new certificate which
matches the expectations of OpenLDAP.
…the getent passwd and group are now not working!
The pam log and the domain log (sssd_vmlab.log) files do not appear to be updating on the
Client:
You attached the nss log instead of the pam log and in the sssd_vmlab.log no
authentication request is logged.
bye,
Sumit
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
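As an added illustration of the last step Sumit recommends (issuing a certificate the client will accept, rather than leaving ldap_tls_reqcert = never in place), the script below is not part of the thread and is not SSSD or OpenLDAP project code. It builds a throwaway CA and server certificate with openssl, then checks a certificate the way a strict client would before it is dropped into /etc/openldap/cacerts: does it chain to the CA, and does it carry the client's hostname in subjectAltName. The thread does not say which extension NSS reported as missing; the script assumes it is subjectAltName, the extension TLS clients use to match the server's hostname. The CA name and the example hostname in the test are constructed; the default demo hostname is the one from the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Requires the openssl CLI.
# Assumption: the extension the client wants is subjectAltName (DNS:<host>).
set -e

# make_test_pki DIR HOST [yes|no]
# Creates a self-signed CA plus a server certificate signed by it in DIR.
# The third argument controls whether the server cert gets a subjectAltName.
make_test_pki() {
  dir="$1"; host="$2"; with_san="${3:-yes}"
  mkdir -p "$dir"
  # Throwaway CA (CA name is a constructed value)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/CA.key" -out "$dir/CA.crt" -subj "/CN=Test LDAP CA" >/dev/null 2>&1
  # Server key and CSR with the hostname as CN only
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$dir/server.key" -out "$dir/server.csr" -subj "/CN=$host" >/dev/null 2>&1
  if [ "$with_san" = yes ]; then
    # Extensions a TLS server certificate should carry for hostname matching
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/CA.crt" -CAkey "$dir/CA.key" \
      -CAcreateserial -days 1 -extfile "$dir/server.ext" -out "$dir/server.crt" >/dev/null 2>&1
  else
    # Deliberately extension-less cert, like one signed without an extfile
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/CA.crt" -CAkey "$dir/CA.key" \
      -CAcreateserial -days 1 -out "$dir/server.crt" >/dev/null 2>&1
  fi
}

# check_server_cert CERT CA HOST
# Returns 0 when CERT chains to CA and names HOST in subjectAltName,
# 1 on a chain failure, 2 when the subjectAltName entry is missing.
check_server_cert() {
  cert="$1"; ca="$2"; host="$3"
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not chain to $ca"; return 1; }
  # Portable SAN check: the DNS entry is printed on the line after the header.
  openssl x509 -in "$cert" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -qF "DNS:$host" \
    || { echo "FAIL: $cert has no subjectAltName DNS:$host"; return 2; }
  echo "ok: $cert chains to $ca and names $host"
}

# Demo: build a good and a bad PKI under a scratch directory and check both.
if [ "${1:-}" = demo ]; then
  host="${2:-ActDir-VM-Test.vmlab.ari.cdk.hosting}"   # hostname from the thread; arg 2 overrides
  work="${TMPDIR:-/tmp}/ldap-tls-demo.$$"
  make_test_pki "$work/good" "$host" yes
  make_test_pki "$work/bad"  "$host" no
  check_server_cert "$work/good/server.crt" "$work/good/CA.crt" "$host"
  check_server_cert "$work/bad/server.crt"  "$work/bad/CA.crt"  "$host" || true
  # Once a real server certificate passes, re-test StartTLS on 389 with full
  # verification, i.e. without LDAPTLS_REQCERT=never:
  #   ldapsearch -x -ZZ -H "ldap://$host:389" -b dc=vmlab,dc=ari,dc=cdk,dc=hosting objectclass=*
  rm -rf "$work"
fi
```

Run it as `sh check_ldap_cert.sh demo` to see one passing and one failing certificate. The point of the check is that `LDAPTLS_REQCERT=never` and `ldap_tls_reqcert = never` only confirm the TLS handshake itself; they say nothing about whether the client is talking to the right server, so once the certificate passes this check the sssd.conf value should go back to `demand`.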