Results 1 to 3 of 3

Thread: SSSD ldap auth not binding correctly

Hybrid View

  1. #1
    Join Date
    Aug 2007
    Beans
    2

    SSSD ldap auth not binding correctly

    I am having troubles with getting SSSD to auth against my ldap server with a bind_dn. I turned off anonymous bind on the ldap server, and had no issues with getting SSSD in Ubuntu 12.04 to work with the ldap_default_bind_dn, but for some reason, Ubuntu 10 with the same credentials will NOT work. It looks like SSSD attempts to make an anonymous bind, even though a correct (and recognized) ldap_default_bind_dn ...

    sssd log ..

    [sssd[be[internal.blah.com]]] [dp_get_options] (6): Option ldap_default_bind_dn has value cn=Directory Reader,dc=internal,dc=blah,dc=com
    [sssd[be[internal.blah.com]]] [dp_get_options] (6): Option ldap_default_authtok_type has value password
    [sssd[be[internal.blah.com]]] [dp_get_options] (6): Option ldap_default_authtok has a binary value.
    ...
    ...
    [sssd[be[internal.blah.com]]] [sdap_get_generic_done] (6): Search result: Inappropriate authentication(48), Anonymous access is not allowed.

    ldap log ..

    [12/Dec/2012:15:32:37 -0400] conn=139 fd=67 slot=67 connection from 10.72.100.196 to 10.72.100.151
    [12/Dec/2012:15:32:37 -0400] conn=139 op=0 UNPROCESSED OPERATION - Anonymous access not allowed
    [12/Dec/2012:15:32:37 -0400] conn=139 op=0 RESULT err=48 tag=101 nentries=0 etime=0
    [12/Dec/2012:15:32:37 -0400] conn=139 op=1 UNBIND

    sssd.conf information ..

    [domain/internal.blah.com]
    debug_level = 10
    enumerate = true
    cache_credentials = true

    id_provider = ldap
    #access_provider = ldap
    auth_provider = krb5
    chpass_provider = krb5

    ldap_uri = ldaps://ldap.internal.blah.com
    ldap_krb5_init_creds = false
    ldap_schema = rfc2307bis
    ldap_default_bind_dn = cn=Directory Reader,dc=internal,dc=blah,dc=com
    ldap_default_authtok_type = password
    ldap_default_authtok = passW0rd
    ldap_search_base = cn=accounts,dc=internal,dc=blah,dc=com
    ldap_tls_reqcert = demand
    ldap_tls_cacert = /etc/ssl/certs/ca.pem

    krb5_kdcip = kerberos.internal.blah.com
    krb5_realm = INTERNAL.BLAH.COM
    krb5_changepw_principle = kadmin/changepw
    krb5_auth_timeout = 15
    krb5_kpasswd = kerberos.internal.blah.com

    I can perform an ldapsearch from the same host using simple auth to ldaps with no errors, and I have verified that the SSL cert is trusted by the client using openssl s_client. I've attempted to get this working without SSL and I end up with the same results.

  2. #2
    Join Date
    Dec 2012
    Beans
    1

    Re: SSSD ldap auth not binding correctly

    Quote Originally Posted by TerrySoucy View Post
    I am having troubles with getting SSSD to auth against my ldap server with a bind_dn. I turned off anonymous bind on the ldap server, and had no issues with getting SSSD in Ubuntu 12.04 to work with the ldap_default_bind_dn, but for some reason, Ubuntu 10 with the same credentials will NOT work. It looks like SSSD attempts to make an anonymous bind, even though a correct (and recognized) ldap_default_bind_dn ...
    Older versions of SSSD do not behave properly when anonymous auth is turned off completely on the LDAP server. This is technically a violation of the LDAP standard (which requires that the RootDSE be accessible anonymously no matter what). The reason for this is that before initiating the authenticated connection, we first connect to the RootDSE anonymously to ask it what are the capabilities of the system (which includes the available authentication methods for that server as well as available plugins).

    Newer versions of SSSD (1.8.3 and later) now have a workaround for this problem. If it is denied access anonymously it will then just make a best guess and try to connect with an authenticated connection.

    So your choices here are

    1. Update to SSSD 1.8.3 or later
    2. Reconfigure the LDAP server so that it allows anonymous binds on the RootDSE. You can continue to disallow anonymous binds to the rest of the tree.

  3. #3
    Join Date
    Aug 2007
    Beans
    2

    Re: SSSD ldap auth not binding correctly

    Allowing anon bind to RootDSE was the key. Problem solved. Many thanks!

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •