On Wed, Sep 28, 2016 at 12:46:56PM +0000, Speagle, Andy wrote:
> > > If I perform a manual ldapsearch ... using the parameters
> > > indicated in
> > > the "ldap_search_ext" call ... it works just fine. I've checked
> > > the logs and I see that it marks the connection to the domain
> > > controller as "working" ... so, I'm not sure why sssd complains
> > > a successful bind must be completed... that seems to have happened
> > >
> > > I'm running sssd version 1.11.7 ...
> > >
> > > Any ideas, folks?
> > Interesting, it looks like the LDAP bind was not attempted at all.
> > You're running a version that is not so new, does adding:
> > ldap_default_authtok_type = password explicitly to sssd.conf work?
> Sadly, adding that didn't help...
> > And a bit unrelated, but do you really need to use
> > auth_provider=ldap? I would personally suggest to use
> > auth_provider=krb5, like this:
> > auth_provider = krb5
> > krb5_server = kdc.example.com
> > krb5_realm = EXAMPLE.COM
> I can definitely make it work with kerberos... and have already proven
> that. The id source is AD ... and my Linux user base would like to
> try to avoid integration with AD as much as possible... so I was
> trying to find them a pure LDAP solution.
I think from the user's point of view it doesn't matter since they would just
type the same password and the protocol SSSD speaks towards the remote
server is completely handled by SSSD.
> Actually... I lied about the version... I'm using 1.13.3 on CentOS 6.8
> ... if that makes any difference.
> Any thoughts?
No, I'm sorry, this works for me. Do you see SSSD attempting StartTLS
before the actual search?
Yes... I do. Everything seems to work up to the point when it's supposed to perform
the "ldap_search_ext" ... but, it doesn't. Very strange.