On Wed, Jan 02, 2013 at 01:38:12PM +0100, Marco Pizzoli wrote:
Hi Jakub,
On Wed, Jan 2, 2013 at 1:13 PM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
> On Wed, Jan 02, 2013 at 10:52:00AM +0100, Marco Pizzoli wrote:
> > Hi guys,
> > I'm currently not able to get sssd working in connecting to an AD server as
> > a pure LDAPS server.
> >
> > I'm succeeding in connecting with a simple bind, but eventually I can't get
> > sssd downloading any data. It ends with a
> > Search result: Operations error(1), 000004DC: LdapErr: DSID-0C0906E8,
> > comment: In order to perform this operation a successful bind must be
> > completed on the connection., data 0, v1db1
> >
> > By using ldapsearch (pointing to the same ldaps url) I can execute the same
> > search obtaining (correctly) 1 user.
> > Honestly, I don't know what could be the problem... Any hint on a
> > particular configuration directive to check?
> >
> > Full log following.
> > I'm using sssd-1.8.0-32.el6.x86_64 on RHEL6.3
> >
> > Thanks in advance
> > Marco
>
> From the logs it seems that you are binding as "CN=baubau,OU=Service
> Accounts,DC=testpippo,DC=local" but not using any bind password. Is this
> the same setting that works for you with ldapsearch?
>
Shame on me...
In my sssd.conf I had:
ldap_default_authok_type = password
ldap_default_authok = my_password
Instead of
ldap_default_auth*t*ok_type = password
ldap_default_auth*t*ok = my_password
Now I managed to have it working. I admit I didn't notice it before your
hint.
I just looked back at the logs, but I don't notice any hint about my error.
Should the sssd put a warning about an unknown/wrong directive?
This is how I found out:
(Wed Jan 2 09:20:26 2013) [sssd[be[TESTpippo.local]]] [dp_get_options] (0x0400): Option ldap_default_bind_dn has value CN=baubau,OU=Service Accounts,DC=testpippo,DC=local
(Wed Jan 2 09:20:26 2013) [sssd[be[TESTpippo.local]]] [dp_get_options] (0x0400): Option ldap_default_authtok_type has value password
(Wed Jan 2 09:20:26 2013) [sssd[be[TESTpippo.local]]] [dp_get_options] (0x0400): Option ldap_default_authtok has no binary value.
^^^^^
"No binary value" pretty much says "unset".
Thanks a lot for your help!
Marco
@Ondrej: I'm sorry, but in this very case I couldn't share my configuration
before the approval of a currently-on-holiday manager. I would have done it
otherwise. Thanks anyway.
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>
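The check Marco asks about (a warning for an unknown directive) can be approximated outside SSSD with a small lint pass over sssd.conf; the following is an added example, not part of the thread and not SSSD's own code. The option list is a small illustrative subset of real option names, and the sample file, including the ldap_uri host, is constructed.

```python
import configparser
import difflib

# Illustrative subset of real sssd.conf / sssd-ldap option names (assumption:
# a real check would load the full list for the installed SSSD version).
KNOWN_OPTIONS = {
    "id_provider", "auth_provider", "ldap_uri", "ldap_search_base",
    "ldap_schema", "ldap_default_bind_dn", "ldap_default_authtok_type",
    "ldap_default_authtok", "ldap_tls_reqcert", "ldap_tls_cacert",
}

# Constructed sample reproducing the misspelling from the thread.
SAMPLE_CONF = """\
[domain/TESTpippo.local]
id_provider = ldap
ldap_uri = ldaps://ad.example.test
ldap_default_bind_dn = CN=baubau,OU=Service Accounts,DC=testpippo,DC=local
ldap_default_authok_type = password
ldap_default_authok = my_password
"""

def _parse(conf_text):
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str  # keep option names exactly as written
    parser.read_string(conf_text)
    return parser

def unknown_options(conf_text, known=KNOWN_OPTIONS):
    """Return (section, option, closest_known_or_None) for unrecognized keys."""
    parser = _parse(conf_text)
    findings = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        for option in parser.options(section):
            if option not in known:
                close = difflib.get_close_matches(option, sorted(known), n=1, cutoff=0.8)
                findings.append((section, option, close[0] if close else None))
    return findings

def domains_binding_without_password(conf_text):
    """Sections that set a bind DN but end up with no ldap_default_authtok."""
    parser = _parse(conf_text)
    return [s for s in parser.sections()
            if parser.has_option(s, "ldap_default_bind_dn")
            and not parser.get(s, "ldap_default_authtok", fallback="").strip()]

if __name__ == "__main__":
    for section, option, hint in unknown_options(SAMPLE_CONF):
        print(f"[{section}] unknown option {option!r}; did you mean {hint!r}?")
    for section in domains_binding_without_password(SAMPLE_CONF):
        print(f"[{section}] bind DN configured without a bind password")
```

The second check catches the effective state seen in the debug log, a bind DN with an unset authtok, regardless of which misspelling caused it.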