[ale] ldap/nss/sssd login problems

Scott Plante splante at insightsys.com
Tue Jun 25 11:39:33 EDT 2013


Well, I guess I found the problem. man sssd-ldap says:

LDAP back end supports id, auth, access and chpass providers. If you want to authenticate against an LDAP server either TLS/SSL or LDAPS is required. sssd does not support authentication over an unencrypted channel. If the LDAP server is used only as an identity provider, an encrypted channel is not needed.

I'd been meaning to upgrade our LDAP--I suppose now I have the impetus to do it.


Scott 
----- Original Message -----

From: "Scott Plante" <splante at insightsys.com> 
To: ale at ale.org 
Sent: Monday, June 24, 2013 12:21:36 PM 
Subject: [ale] ldap/nss/sssd login problems 


I just installed OpenSUSE 12.3 on my development machine. We had been using 11.3 and we authenticate via LDAP. I used YaST to set up the LDAP authentication settings. 12.3 uses the newish sssd which either wasn't available or at least we weren't using on 11.3. 


It is communicating with LDAP: I can see existing users, I can type these commands successfully: 

guinness:/etc # id splante 
uid=20008(splante) gid=20000 groups=20000 
guinness:/etc # su - splante 
splante at guinness:~> pwd 
/home/splante 


However, if I "su" again as non-root where it needs to check the password, it fails. The splante user does not exist in /etc/passwd so the id command is definitely seeing ldap. I believe I have TLS/SSL turned off in the LDAP config, but I see this in /var/log/messages 

2013-06-24T12:07:33.671426-04:00 guinness sssd[be[default]]: Could not start TLS encryption. unsupported extended operation 
2013-06-24T12:07:33.671640-04:00 guinness su: pam_sss(su:auth): authentication failure; logname=root uid=20008 euid=0 tty=pts/2 ruser=splante rhost= user=splante 
2013-06-24T12:07:33.671990-04:00 guinness su: pam_sss(su:auth): received for user splante: 9 (Authentication service cannot retrieve authentication info) 
2013-06-24T12:07:35.438192-04:00 guinness su: FAILED SU (to splante) root on /dev/pts/2 
2013-06-24T12:07:38.439086-04:00 guinness su: pam_unix(su:session): session closed for user splante 
2013-06-24T12:08:47.096406-04:00 guinness login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=splante 
2013-06-24T12:08:47.268434-04:00 guinness sssd[be[default]]: Could not start TLS encryption. unsupported extended operation 
2013-06-24T12:08:47.268693-04:00 guinness login: pam_sss(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= user=splante 
2013-06-24T12:08:47.269044-04:00 guinness login: pam_sss(login:auth): received for user splante: 9 (Authentication service cannot retrieve authentication info) 
2013-06-24T12:08:49.190951-04:00 guinness login: FAILED LOGIN 1 FROM tty1 FOR splante, Authentication service cannot retrieve authentication info 


My ldap.conf, less comments and blanks, looks like this: 

guinness:/etc # grep -v "^#" /etc/ldap.conf|grep -v "^$" 
base ou=People,dc=insightsys,dc=com 
uri ldap://ldap.isint 
rootbinddn cn=manager,dc=insightsys,dc=com 
scope sub 
bind_policy soft 
pam_lookup_policy yes 
pam_password md5 
nss_initgroups_ignoreusers root,ldap 
nss_schema rfc2307bis 
nss_base_passwd ou=People,dc=insightsys,dc=com 
nss_base_shadow ou=People,dc=insightsys,dc=com 
nss_base_group ou=Group,dc=insightsys,dc=com 
nss_map_attribute uniqueMember member 
ssl no 
ldap_version 3 
pam_filter objectClass=posixAccount 
tls_checkpeer no 


And sssd.conf: 

guinness:/etc # grep -v "^#" /etc/sssd/sssd.conf|grep -v "^$"|grep -v "^;" 
[sssd] 
config_file_version = 2 
services = nss,pam 
domains = default 
[nss] 
filter_groups = root 
filter_users = root 
[pam] 
[domain/default] 
ldap_uri = ldap://ldap.isint 
ldap_search_base = ou=People,dc=insightsys,dc=com 
ldap_schema = rfc2307 
id_provider = ldap 
ldap_user_uuid = entryuuid 
ldap_group_uuid = entryuuid 
ldap_id_use_start_tls = False 
ldap_tls_reqcert = never 
enumerate = True 
cache_credentials = False 
chpass_provider = ldap 
auth_provider = ldap 


And nsswitch.conf: 

guinness:/etc # grep -v "^#" /etc/nsswitch.conf|grep -v "^$" 
passwd: compat sss 
group: files sss 
hosts: files mdns4_minimal [NOTFOUND=return] dns 
networks: files dns 
services: files 
protocols: files 
rpc: files 
ethers: files 
netmasks: files 
netgroup: files 
publickey: files 
bootparams: files 
automount: files nis 
aliases: files 


Any ideas? 


Thanks, 
Scott 
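To make the man page's rule concrete, here is the failing [domain/default] stanza from the thread next to two corrected forms. This is an added example, not configuration from the original post; the CA file path /etc/ssl/certs/insightsys-ca.crt is an assumed placeholder, and the server must actually offer StartTLS (or an ldaps:// listener) for either fix to work.

```ini
# Before (as posted): identity lookups succeed, but authentication fails,
# because sssd refuses to send a password over an unencrypted channel.
[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.isint
ldap_search_base = ou=People,dc=insightsys,dc=com
ldap_schema = rfc2307
ldap_id_use_start_tls = False
ldap_tls_reqcert = never

# After, option 1: stay on port 389 and upgrade the session with StartTLS.
# The server must advertise the StartTLS extended operation; the logged
# "Could not start TLS encryption. unsupported extended operation" means it
# currently does not, which is why the poster plans to upgrade the server.
[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.isint
ldap_search_base = ou=People,dc=insightsys,dc=com
ldap_schema = rfc2307
ldap_id_use_start_tls = True
# Verify the server certificate rather than disabling the check;
# the CA file path is an assumed placeholder for this example.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/insightsys-ca.crt

# After, option 2: use an LDAPS listener (TLS from the first byte, port 636).
# ldap_id_use_start_tls is irrelevant here; certificate checking still applies.
[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.isint
ldap_search_base = ou=People,dc=insightsys,dc=com
ldap_schema = rfc2307
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/insightsys-ca.crt
```

Before choosing between the two, `ldapsearch -x -H ldap://ldap.isint -b '' -s base supportedExtension` shows whether the server offers StartTLS at all: OID 1.3.6.1.4.1.1466.20037 in the root DSE output means it does. Until one of these is in place, `auth_provider = ldap` will keep failing exactly as the log shows, however the client-side TLS knobs are set.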