Hi Folks,
I'm attempting to create a configuration whereby Active Directory is used via LDAP only to authenticate ONLY local users via a proxy id_provider using local files... this was the configuration that I was attempting:
[sssd]
config_file_version = 2
domains = <domain>
services = nss, pam

[nss]

[pam]

[domain/<domain>]
debug_level = 9

id_provider = proxy
auth_provider = ldap

proxy_lib_name = files

cache_credentials = true

ldap_uri = <list,of,domain,controllers>

ldap_id_use_start_tls = true
ldap_tls_reqcert = allow

ldap_default_bind_dn = <bind account>
ldap_default_authtok = <bind sekrit>

ldap_schema = ad
ldap_search_base = <search base>

--

It seems to be finding my entry just fine in /etc/passwd... but, it seems to be unable to perform the LDAP search... as I get back these sanitized results... showing that it can't find my user object... for some reason...
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [<base>]
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=<myuser>)(objectclass=user))][<base>].
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 2
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_process_result] (0x2000): Trace: sh[0xf49a70], connected[1], ops[0xf49400], ldap[0xf45cc0]
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_process_result] (0x2000): Trace: sh[0xf49a70], connected[1], ops[0xf49400], ldap[0xf45cc0]
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_get_generic_ext_done] (0x0400): Search result: Operations error(1), 000004DC: LdapErr: DSID-0C090752, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Operations error(1), 000004DC: LdapErr: DSID-0C090752, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error

--

If I perform a manual ldapsearch ... using the parameters indicated in the "ldap_search_ext" call ... it works just fine.  I've checked in the logs and I see that it marks the connection to the domain controller as "working" ... so, I'm not sure why sssd complains that a successful bind must be completed... that seems to have happened already...
I'm running sssd version 1.11.7 ...
Any ideas, folks?
Thanks,
Andy Speagle
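Added example for this thread, not sssd's own code: a small triage script that parses sssd backend debug-log lines of the shape quoted above ("(timestamp) [process] [function] (level): message"), pairs each ldap_search_ext request with the LDAP result that follows it, and flags results where AD answered with error 000004DC ("a successful bind must be completed on the connection"), which is what a domain controller returns to a search issued on a connection that has not authenticated. It also runs a few sanity checks over an sssd.conf in the post's layout (bind DN set without an authtok, proxy id_provider without proxy_lib_name, and ldap_tls_reqcert set to allow or never, which means the DC's certificate is not validated under StartTLS). The sample log and config are the sanitized lines from the post, copied here as constructed input; the regexes are assumptions about the log layout and the script does not establish the root cause of the thread's problem.

```python
"""Triage helpers for sssd debug logs and sssd.conf (added example, not sssd code)."""
import configparser
import re

# Constructed sample: the sanitized log lines from the post that matter for this check.
SAMPLE_LOG = """\
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [<base>]
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=<myuser>)(objectclass=user))][<base>].
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 2
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_get_generic_ext_done] (0x0400): Search result: Operations error(1), 000004DC: LdapErr: DSID-0C090752, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
"""

# Constructed sample: the post's config with the author's placeholders kept.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
domains = <domain>
services = nss, pam

[domain/<domain>]
id_provider = proxy
auth_provider = ldap
proxy_lib_name = files
ldap_uri = <list,of,domain,controllers>
ldap_id_use_start_tls = true
ldap_tls_reqcert = allow
ldap_default_bind_dn = <bind account>
ldap_default_authtok = <bind sekrit>
ldap_schema = ad
ldap_search_base = <search base>
"""

# Assumed log layout: (timestamp) [process] [function] (hex level): message
LINE_RE = re.compile(r"^\((?P<ts>[^)]*)\) \[(?P<proc>.*?)\] \[(?P<func>\w+)\] "
                     r"\((?P<level>0x[0-9A-Fa-f]+)\): (?P<msg>.*)$")
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.*)\]\[(?P<base>[^\]]*)\]\.$")
MSGID_RE = re.compile(r"ldap_search_ext called, msgid = (?P<msgid>\d+)")
# AD result lines carry an 8-hex-digit Windows error code after the LDAP error name.
RESULT_RE = re.compile(r"^Search result: (?P<err>[^,]+), (?P<code>[0-9A-F]{8}): (?P<rest>.*)$")
COMMENT_RE = re.compile(r"comment: (?P<comment>.*?)\., data")
AD_BIND_REQUIRED = "000004DC"


def parse_line(line):
    """Split one debug-log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)
    return rec


def diagnose(log_text):
    """Pair each ldap_search_ext request with its AD result and classify failures."""
    findings, pending = [], None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if (m := SEARCH_RE.search(msg)):
            pending = {"filter": m["filter"], "base": m["base"], "msgid": None}
        elif (m := MSGID_RE.search(msg)) and pending is not None:
            pending["msgid"] = int(m["msgid"])
        elif msg.startswith("Search result: "):
            m = RESULT_RE.match(msg)
            if m and pending is not None:
                c = COMMENT_RE.search(m["rest"])
                bind_required = (m["code"] == AD_BIND_REQUIRED
                                 or "successful bind must be completed" in m["rest"])
                findings.append(dict(pending, ts=rec["ts"], ldap_error=m["err"],
                                     ad_error=m["code"],
                                     comment=c["comment"] if c else m["rest"],
                                     kind="bind_required" if bind_required else "other"))
            pending = None  # a result, successful or not, closes the open search
    return findings


def check_config(conf_text):
    """Return human-readable notes about the [domain/...] sections of an sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    notes = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        s = cp[section]
        if s.get("id_provider") == "proxy" and not s.get("proxy_lib_name"):
            notes.append(f"{section}: id_provider = proxy but proxy_lib_name is not set")
        if "ldap" in (s.get("id_provider", ""), s.get("auth_provider", "")):
            if s.get("ldap_default_bind_dn") and not s.get("ldap_default_authtok"):
                notes.append(f"{section}: ldap_default_bind_dn is set but ldap_default_authtok "
                             "is missing, so the simple bind cannot succeed")
            reqcert = s.get("ldap_tls_reqcert", "hard")  # sssd defaults to hard
            if reqcert in ("never", "allow"):
                notes.append(f"{section}: ldap_tls_reqcert = {reqcert} does not validate "
                             "the DC certificate, so StartTLS gives no server authentication")
    return notes


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"{f['ts']}: search {f['filter']} under {f['base']} (msgid {f['msgid']}) "
              f"-> {f['ldap_error']} {f['ad_error']} [{f['kind']}]: {f['comment']}")
    for note in check_config(SAMPLE_CONF):
        print("config:", note)
```

Run it against a real /var/log/sssd/sssd_<domain>.log at debug_level 9 and /etc/sssd/sssd.conf by swapping the two sample strings for file contents; a "bind_required" finding right after a search on a connection the log marks as connected is the pattern to look for when deciding whether the configured bind actually ran before the user lookup.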