Hi Lukas, Sumit, Jakub,

Thank you very much for your reply.

I tried to update to sssd-1.12.4. The behavior is same as with sssd-1.9.2. 

I observed following things (with ldap server side disallow anonymous binding):

    1) Got rootdse is printed before [simple_bind_send] (0x0100): Executing simple bind as: cn=myadminuser

    2) Server is marked as "working"

     3) If I issue "id oneuser" , there will such log
calling ldap_search_ext with [(&(uid=oneuser)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=mydomain,dc=com].

      4)and at last, [sdap_get_users_done] (0x0040): Failed to retrieve users

My thoughts:

ldapsearch -h myhostname -p myportnumber -b "dc=mydomain,dc=com" -D "cn=myadminuser" -W '(&(uid=oneuser)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))'

Above ldapsearch can return the user, the "cn=myadminuser" is what I provided in the sssd.conf as "ldap_default_bind_dn" , -W I provided the password in the sssd.conf as "ldap_default_authtok". 

And I guess the rootDSE is not the key thing here, as rootDSE is retrieved successfully from the log. 

And also, when I issue "id oneuser", SSSD is trying to used the cached connection(I assume this cached connection is the one cn=myadminuser started). So it shouldn't treated as anonymous binding, correct ?

Any thoughts on these? Let me know if you need extra information.

Thanks,
Aaron




On Fri, Nov 13, 2015 at 12:50 AM, Jakub Hrozek <jhrozek@redhat.com> wrote:
On Thu, Nov 12, 2015 at 01:51:14PM -0800, aaron wang wrote:
> Hi all,
>
>
> I'm configuring SSSD on a system to authenticate users against the LDAP
> server.
>
> LDAP server side:
> there are basically three options for the anonymous binding flag, 0 for
> completely disallow anonymous binding, 1 allows anonymous binding, 2 allows
> anonymous bind but allows only search operations on root DSE entry for
> anonymous users
>
> SSSD side:
> I'm providing the ldap_default_bind_dn and ldap_default_bind_authtok for
> the binding.
>
> Tests:
> 1) if admin changes the anonymous binding flag to "COMPLETELY DISALLOW" or
> "ONLY ALLOW DSE", the authentication against LDAP server doesn't work
>
> from the sssd log, the sssd has marked the LDAP server as "working", but
> the sssd can't find the user in ldap
>
> 2) if admin sets anonymous binding flag to "ALLOW ANONYMOUS BINDING", the
> authentication against LDAP server works
>
> The only difference between test 1) and test 2) is the anonymous binding
> flag.
>
>
> I'm expecting that if I provide binding dn and binding password in the
> sssd.conf, the server could turn off the anonymous completely or at least
> partially. Is there an known issue around this ?

By default the identity lookups are done over unencrypted connection,
anonymously. You can either use bind DN and password or GSSAPI binds.

However, normally you should use rootDSE anonymously readable even if
you restrict the binds to disallow anonymous binds.

>
> version: sssd-1.9.2

As Lukas said, there were known bugs especially around retrying
authenticated rootDSE search from a failed anonymous search.
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users