On Fri, Dec 06, 2013 at 11:13:16AM +0200, Dan Candea wrote:
On 12/06/2013 11:01 AM, Jakub Hrozek wrote:
>On Fri, Dec 06, 2013 at 10:43:58AM +0200, Dan Candea wrote:
>>Hello
>>
>>Could someone point me in the right direction with what is wrong
>>here, please? Thank you for any hint.
>>
>>I want to make ldap authentication without kerberos (
>>access_provider = ldap )
>>TLS/SSL encryption channel is fine, bind user is working, it can
>>find my testuser and the attributes, but simple bind for checking
>>the password of
>>the found user is failing with Invalid credentials.
>>
>>ldapsearch -LLL -h "10.10.10.10" -D "testuser(a)2FA.TEST" -w password
>>-b "CN=MyUser,CN=Users,DC=2FA,DC=TEST"
>>is returning the user but sssd fails.
>>
>>These are the versions I'm using:
>>ii  ldap-utils                   2.4.31-1+nmu2          amd64  OpenLDAP utilities
>>ii  libldap-2.4-2:amd64          2.4.31-1+nmu2          amd64  OpenLDAP libraries
>>ii  libsasl2-modules-ldap:amd64  2.1.25.dfsg1-6+deb7u1  amd64  Cyrus SASL - pluggable authentication modules (LDAP)
>>ii  sssd-ldap                    1.11.1-1               amd64  System Security Services Daemon -- LDAP back end
>>
>>
>>I've checked the pam module and it seems that it is using the
>>userPrincipalName for authentication, is this correct?
>No, that's just internal user identifier that's passed around.
>
>>(Thu Dec 5 15:09:32 2013) [sssd[be[2FA.TEST]]] [simple_bind_send]
>>(0x0100): Executing simple bind as:
>>CN=MyUser,CN=Users,DC=2FA,DC=TEST
>The bind DN is here.
>
>>(Thu Dec 5 15:09:32 2013) [sssd[be[2FA.TEST]]] [simple_bind_send]
>>(0x2000): ldap simple bind sent, msgid = 1
>>(Thu Dec 5 15:09:32 2013) [sssd[be[2FA.TEST]]]
>>[sdap_process_result] (0x2000): Trace: sh[0x16b3f40], connected[1],
>>ops[0x16a9ad0], ldap[0x16d63c0]
>>(Thu Dec 5 15:09:32 2013) [sssd[be[2FA.TEST]]]
>>[sdap_process_message] (0x4000): Message type: [LDAP_RES_BIND]
>>(Thu Dec 5 15:09:32 2013) [sssd[be[2FA.TEST]]] [simple_bind_done]
>>(0x1000): Server returned no controls.
>>(Thu Dec 5 15:09:32 2013) [sssd[be[2FA.TEST]]] [simple_bind_done]
>>(0x0400): Bind result: Invalid credentials(49), 80090308: LdapErr:
>>DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e,
>>v2580
>>(Thu Dec 5 15:09:32 2013) [sssd[be[2FA.TEST]]]
>>[sdap_handle_release] (0x2000): Trace: sh[0x16b3f40], connected[1],
>>ops[(nil)], ldap[0x16d63c0], destructor_lock[0], release_memory[0]
>Normally Invalid credentials means wrong password, also "data 52e" means
>ERROR_LOGON_FAILURE, which also suggests a wrong password.
>
>When you were testing the bind with ldapsearch, are you sure you used the
>same server as SSSD did?
>
Yes, copy paste. But ldapsearch works only with usertest(a)2FA.TEST format.
SUCCESS: ldapsearch -LLL -h "10.10.10.10" -D "testuser(a)2FA.TEST" -w password -b "CN=MyUser,CN=Users,DC=2FA,DC=TEST"
FAIL: ldapsearch -LLL -h "10.10.10.10" -D "testuser" -w password -b "CN=MyUser,CN=Users,DC=2FA,DC=TEST"
What username format is sssd passing to ldap server? Where is this
information in debug log?
When performing the LDAP password bind, the user's full DN is used to
bind. According to the logs you sent earlier, this would be
CN=MyUser,CN=Users,DC=2FA,DC=TEST
btw the server seems to be AD. Is there a reason to use LDAP
authentication with AD and not Kerberos authentication?
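The two-step flow described above (service-account search for the user's DN, then a simple bind as that DN rather than as the UPN), as a diagnostic script added here; it is not part of the thread or of SSSD itself, and it also decodes the other AD "data" codes beyond the 52e case above. LDAP_URI, BIND_DN, BIND_PW and BASE are assumed environment variables, and the OpenLDAP ldapsearch/ldapwhoami tools are assumed to be installed.

```shell
#!/bin/sh
# Mirrors what SSSD's LDAP auth provider does: (1) bind as the service
# account and look up the user's DN, (2) simple bind as that DN, never the
# UPN, with the user's password. Also decodes AD's "data NNN" bind diagnostic.
# LDAP_URI, BIND_DN, BIND_PW and BASE are assumed environment variables.

# AD "data" code from a failed bind's diagnostic; 52e is ERROR_LOGON_FAILURE.
decode_ad_bind_data() {
    case "$1" in
        525) echo "user not found" ;;
        52e) echo "ERROR_LOGON_FAILURE: wrong password (or wrong bind DN)" ;;
        530) echo "logon not permitted at this time" ;;
        532) echo "password expired" ;;
        533) echo "account disabled" ;;
        701) echo "account expired" ;;
        773) echo "user must reset password" ;;
        775) echo "account locked out" ;;
        *)   echo "unknown data code $1" ;;
    esac
}

# Print the "data NNN" code from an sssd log line or LDAP error string, if any.
ad_data_code() {
    printf '%s\n' "$1" |
        sed -n 's/.*AcceptSecurityContext error, data \([0-9a-f]*\).*/\1/p'
}

# Step 1: resolve a sAMAccountName or UPN to a DN using the service account.
lookup_user_dn() {
    ldapsearch -LLL -H "$LDAP_URI" -D "$BIND_DN" -w "$BIND_PW" -b "$BASE" \
        "(|(sAMAccountName=$1)(userPrincipalName=$1))" dn | sed -n 's/^dn: //p'
}

# Step 2: simple bind as that DN, which is what sssd's simple_bind_send() does.
check_dn_bind() {
    dn=$(lookup_user_dn "$1")
    [ -n "$dn" ] || { echo "no entry found for $1"; return 2; }
    echo "binding as: $dn"
    if err=$(ldapwhoami -H "$LDAP_URI" -D "$dn" -w "$2" 2>&1); then
        echo "bind OK: $err"; return 0
    fi
    code=$(ad_data_code "$err")
    [ -n "$code" ] && echo "bind FAILED, data $code: $(decode_ad_bind_data "$code")" \
                   || echo "bind FAILED: $err"
    return 1
}

# Usage: check_bind.sh <user> <password>, with the four variables exported.
if [ $# -eq 2 ]; then check_dn_bind "$1" "$2"; fi
```

If the DN bind fails here while the UPN bind with ldapsearch succeeds, compare the DN printed by "binding as:" with the one SSSD logs in simple_bind_send.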