On Wed, Sep 28, 2016 at 12:46:56PM +0000, Speagle, Andy wrote:
> > > If I perform a manual ldapsearch ... using the parameters
> > > the "ldap_search_ext" call ... it works just fine. I've checked in
> > > logs and I see that it marks the connection to the domain controller as
> > > "working" ... so, I'm not sure why sssd complains that a successful
> > > must be completed... that seems to have happened already...
> > >
> > > I'm running sssd version 1.11.7 ...
> > >
> > > Any ideas, folks?
> >
> > Interesting, it looks like the LDAP bind was not attempted at all.
> > You're running a version that is not so new, does adding:
> >     ldap_default_authtok_type = password
> > explicitly to sssd.conf work?
>
> Sadly, adding that didn't help...
>
> > And a bit unrelated, but do you really need to use auth_provider=ldap? I
> > would personally suggest to use auth_provider=krb5, like this:
> >     auth_provider = krb5
> >     krb5_server = kdc.example.com
> >     krb5_realm = EXAMPLE.COM
>
> I can definitely make it work with kerberos... and have already proven
> that. The id source is AD ... and my Linux user base would like to try
> to avoid integration with AD as much as possible... so I was trying to
> find them a pure LDAP solution.

I think from the user's point of view it doesn't matter since they would
just type the same password and the protocol SSSD speaks towards the
remote server is completely handled by SSSD.

> Actually... I lied about the version... I'm using 1.13.3 on CentOS 6.8 ... if that
> makes any difference.

No, I'm sorry, this works for me. Do you see SSSD attempting StartTLS
before the actual search?