Thank you, Jakub.
I understand what we're doing isn't supported and is horrible practice. We
are replacing the insecure LDAP server very soon.
I set ldap_uri = ldap://BLAH in sssd.conf and it seems to be working despite
the expired cert, though there are some error messages I would like to resolve.
We are using host-based access control:
auth_provider = ldap
access_provider = ldap
ldap_access_order = host
ldap_user_authorized_host = host
As you can see, sdap_access_host does grant access to accounts with the host
attribute:
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'BLAH' as 'working'
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [set_server_common_status] (0x0100): Marking server 'BLAH' as 'working'
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): domain: LDAP
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): user: sysadmin
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): service: sshd
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): tty: ssh
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): ruser:
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): rhost: proxy
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): authtok type: 0
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): priv: 1
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): cli_pid: 11864
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): logon name: not set
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [sdap_access_host] (0x0100): Access granted for [CLIENT]
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 0, <NULL>) [Success]
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sending result [0][LDAP]
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sent result [0][LDAP]
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [be_pam_handler] (0x0100): Got request with the following data
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): command: SSS_PAM_ACCT_MGMT
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): domain: LDAP
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): user: sysadmin
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): service: sshd
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): tty: ssh
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): ruser:
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): rhost: proxy
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): authtok type: 0
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): newauthtok type: 0
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): priv: 1
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): cli_pid: 11864
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [pam_print_data] (0x0100): logon name: not set
(Mon Aug 15 11:21:13 2016) [sssd[be[LDAP]]] [sdap_access_host] (0x0100): Access granted for [CLIENT]
Though right before the above successful login we see:
(Mon Aug 15 11:16:54 2016) [sssd[be[LDAP]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'BLAH' as 'working'
(Mon Aug 15 11:16:54 2016) [sssd[be[LDAP]]] [set_server_common_status] (0x0100): Marking server 'BLAH' as 'working'
(Mon Aug 15 11:16:54 2016) [sssd[be[LDAP]]] [sdap_get_generic_op_finished] (0x0040): Unexpected result from ldap: Protocol error(2), paged results cookie is invalid
(Mon Aug 15 11:16:54 2016) [sssd[be[LDAP]]] [generic_ext_search_handler] (0x0040): sdap_get_generic_ext_recv failed [5]: Input/output error
(Mon Aug 15 11:16:54 2016) [sssd[be[LDAP]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Mon Aug 15 11:16:54 2016) [sssd[be[LDAP]]] [sdap_dom_enum_ex_users_done] (0x0040): User enumeration failed: 5: Input/output error
(Mon Aug 15 11:16:54 2016) [sssd[be[LDAP]]] [be_ptask_done] (0x0040): Task [enumeration]: failed with [5]: Input/output error
Does this mean that enumeration occurs not with SSSD but NSS?
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Physiology and Biophysics
Weill Cornell Medicine
E: doug(a)med.cornell.edu
O: 212-746-5454
F: 212-746-8690
On Mon, Aug 15, 2016 at 3:45 AM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
On Fri, Aug 12, 2016 at 12:05:46PM -0400, Douglas Duckworth wrote:
> Clarification
>
> This works:
>
> ldapsearch -x -ZZ -H ldap://blah dc=blah-x uid=me -d3
>
> Again says expired certificate.
>
> I set ldap_uri = ldaps://blah, ldap://blah and ldap_tls_reqcert = never in
> sssd.conf but still failure.
To be honest I'm not sure if setting the tls_reqcert value to never only
hides the trust issues or also expiration issues.
btw the ldapsearch is for ldap:// with TLS, but SSSD is asked for
ldaps://, does sssd work with ldap:// only? (if you need confidentiality
for identity lookups you can set ldap_id_use_start_tls. For
authentication, TLS will be tried automatically, SSSD doesn't support
authentication over an unencrypted channel)
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
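The transport settings this thread turns on (a plain ldap:// URI versus ldaps://, ldap_tls_reqcert = never as a way past an expired certificate, and ldap_id_use_start_tls for identity lookups) can be audited mechanically before a host is put into service. The script below is an added example, not code from the SSSD project or from either poster. The two embedded sssd.conf fragments are constructed for illustration: one reproduces the kind of workaround described above, the other the hardened form; the hostname ldap.example.com and the CA file path are assumptions. The defaults it relies on (ldap_tls_reqcert defaults to hard, ldap_id_use_start_tls to false) are those documented in sssd-ldap(5).

```python
"""Audit the LDAP transport settings of one SSSD domain in sssd.conf.

Added example, not part of SSSD. It flags the weaknesses discussed in the
thread: certificate verification switched off, identity lookups without
TLS, and URI lists that can fail over from ldaps:// to cleartext ldap://.
"""
import configparser
from typing import List

# Constructed sample: the workaround shape described in the thread.
# Hostname is an assumption.
WEAK_CONF = """
[sssd]
domains = LDAP
services = nss, pam

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_tls_reqcert = never
ldap_access_order = host
ldap_user_authorized_host = host
"""

# Constructed sample: the hardened form. Hostname and CA path are assumptions.
HARDENED_CONF = """
[sssd]
domains = LDAP
services = nss, pam

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ldap-ca.pem
ldap_access_order = host
ldap_user_authorized_host = host
"""

# ldap_tls_reqcert values that actually verify the server certificate.
VERIFYING = {"demand", "hard", "try"}


def audit_domain(conf_text: str, domain: str) -> List[str]:
    """Return '<SEVERITY>: <finding>' strings for [domain/<domain>]; empty if clean."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = f"domain/{domain}"
    if not cp.has_section(section):
        return [f"HIGH: section [{section}] not found"]
    d = cp[section]
    findings: List[str] = []

    uris = [u.strip() for u in d.get("ldap_uri", "").split(",") if u.strip()]
    # Defaults per sssd-ldap(5): ldap_tls_reqcert = hard, ldap_id_use_start_tls = false.
    reqcert = d.get("ldap_tls_reqcert", "hard").strip().lower()
    start_tls = d.getboolean("ldap_id_use_start_tls", fallback=False)
    has_ca = bool(d.get("ldap_tls_cacert") or d.get("ldap_tls_cacertdir"))

    if reqcert == "never":
        findings.append("HIGH: ldap_tls_reqcert = never disables server certificate "
                        "verification; an expired, self-signed or attacker-supplied "
                        "certificate is accepted")
    elif reqcert == "allow":
        findings.append("HIGH: ldap_tls_reqcert = allow tolerates a bad or missing "
                        "server certificate, so a man-in-the-middle is not detected")
    elif reqcert in VERIFYING and not has_ca:
        findings.append("MEDIUM: no ldap_tls_cacert/ldap_tls_cacertdir set; "
                        "verification relies on the system default CA store")

    plain = [u for u in uris if u.lower().startswith("ldap://")]
    secure = [u for u in uris if u.lower().startswith("ldaps://")]
    if plain and not start_tls:
        findings.append("MEDIUM: ldap:// in ldap_uri without ldap_id_use_start_tls; "
                        "identity lookups travel in cleartext")
    if plain and secure and not start_tls:
        findings.append("LOW: ldap_uri mixes ldaps:// and ldap://; failover can "
                        "downgrade identity lookups to cleartext")
    if not uris:
        findings.append("INFO: ldap_uri not set; servers will be discovered via DNS SRV")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for line in audit_domain(text, "LDAP") or ["clean"]:
            print(" ", line)
```

Run it with python3 to see the two reports side by side; point it at a real file by passing open("/etc/sssd/sssd.conf").read() to audit_domain. Note that ldap_tls_reqcert follows OpenLDAP's TLS_REQCERT semantics, under which never means the server certificate is neither requested nor checked, so expiry, hostname and chain failures are all silenced together; the authentication path still uses TLS, but against a server nobody has verified.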