
I’m currently working on deploying OpenLDAP and SSSD for authentication. When I try to id a user that is stored within LDAP, I get the response "no such user".

The user has been added to LDAP correctly and I can perform an ldapsearch -ZZ and find the user.

I have tried running sssd -i -d9 and get the following output when trying to id the user:

[sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x418850:1:ldaptest@LDAP]
[sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [LDAP][4097][1][name=ldaptest]
[sssd[nss]] [sbus_add_timeout] (0x2000): 0x22e3960
[sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x418850:1:ldaptest@LDAP]
[sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0xcfac90
[sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[be[LDAP]]] [sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
[sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
[sssd[be[LDAP]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [getAccountInfo]
[sssd[be[LDAP]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=ldaptest]
[sssd[be[LDAP]]] [be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast reply - offline
[sssd[be[LDAP]]] [be_req_set_domain] (0x0400): Changing request domain from [LDAP] to [LDAP]
[sssd[nss]] [sbus_remove_timeout] (0x2000): 0x22e3960
[sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x22db230
[sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 1 errno: 11 error message: Fast reply - offline
[sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider Error: 1, 11, Fast reply - offline Will try to return what we have in cache
[sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x418850:1:ldaptest@LDAP]
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x22da6d0][20]
[sssd[be[LDAP]]] [fo_set_port_status] (0x0100): Marking port 636 of server 'hostname' as 'not working'
[sssd[be[LDAP]]] [fo_set_port_status] (0x0400): Marking port 636 of duplicate server 'hostname' as 'not working'
[sssd[be[LDAP]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
[sssd[be[LDAP]]] [get_server_status] (0x1000): Status of server 'hostname' is 'name resolved'
[sssd[be[LDAP]]] [get_port_status] (0x1000): Port status of port 636 for server 'hostname' is 'not working'
[sssd[be[LDAP]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
[sssd[be[LDAP]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
[sssd[be[LDAP]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
[sssd[be[LDAP]]] [be_mark_offline] (0x2000): Going offline!
[sssd[be[LDAP]]] [be_ptask_create] (0x0400): Periodic task [Check if online (periodic)] was created
[sssd[be[LDAP]]] [be_ptask_schedule] (0x0400): Task [Check if online (periodic)]: scheduling task 78 seconds from now [1438098389]
[sssd[be[LDAP]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
[sssd[be[LDAP]]] [sdap_id_op_connect_done] (0x4000): notify offline to op #1
[sssd[nss]] [sbus_remove_timeout] (0x2000): 0xe6d960
[sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0xe65230
[sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 1 errno: 11 error message: Offline
[sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider

The hostname 'hostname' resolves, and port 636 is definitely open (I have turned iptables off and am also able to telnet to it).

The following is my sssd config file:

[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[nss]
filter_users = root, ldap, named

[pam]

# LDAP domain
[domain/LDAP]
ldap_tls_reqcert = demand
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_search_base = dc=test,dc=domain
ldap_group_member = uniquemember
id_provider = ldap
ldap_id_use_start_tls = true
chpass_provider = ldap
ldap_uri = ldaps://hostname:636/
ldap_chpass_uri = ldaps://hostname:636/
cache_credentials = true
ldap_tls_cacertdir = /etc/openldap/cacerts/
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
entry_cache_timeout = 600
ldap_network_timeout = 3
ldap_access_filter = (&(object)(object))

I have been unsuccessful in finding answers in Google. Any pointers towards a solution would be greatly appreciated.

Many Thanks.

  • Please add an example LDAP object in the question. Commented Jul 25, 2016 at 16:24

2 Answers

3
ldap_id_use_start_tls = true 

is definitely wrong.

In order to encrypt your network traffic to LDAP you have two choices:

  • Older SSL on port 636
  • Newer StartTLS on port 389 (connection starts in plain then upgrades to TLS)

StartTLS and SSL are mutually exclusive.

Try removing the offending line.

1

ldap_access_filter looks weird. Try without it.

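As an added example that serves both answers above (editor's code, not from either answerer or from the SSSD project), the following Python lints the [domain/...] sections of an sssd.conf for the conflict the first answer describes (an ldaps:// URI together with ldap_id_use_start_tls = true) and for the malformed ldap_access_filter the second answer points at. It embeds the relevant keys of the config as posted in the question and a hypothetical corrected version; the access_provider line, the group DN in the corrected filter and the filter-validity heuristic are assumptions, and the default of ldap_tls_reqcert (hard) is taken from the sssd-ldap man page. It also reports the opposite mistake, a plain ldap:// URI with no StartTLS, which would send binds in clear.

```python
"""Static lint of sssd.conf LDAP domains: TLS-scheme conflict and access filter.

Added example by the editor, not SSSD's own validation; the checks are
heuristics over the text of the file and never touch the network.
"""
import configparser
import re
from urllib.parse import urlsplit

# One RFC 4515 assertion: attribute description, then =, =*, ~=, >=, <= or :=
_ITEM = re.compile(r"^[A-Za-z][\w.;:-]*(=\*?|~=|>=|<=|:=)", re.ASCII)
_LEAF = re.compile(r"\(([^()]*)\)")


def filter_well_formed(expr):
    """True if expr parses as a parenthesised LDAP search filter.

    Innermost groups are reduced to '#' one at a time; an assertion must
    match _ITEM, and an &/|/! group may only contain reduced operands.
    """
    s = expr.strip()
    if not (s.startswith("(") and s.endswith(")")):
        return False
    while (m := _LEAF.search(s)):
        body = m.group(1)
        if body[:1] in ("&", "|", "!"):
            operands = body[1:]
            ok = set(operands) <= {"#"} and (body[0] != "!" or len(operands) == 1)
        else:
            ok = _ITEM.match(body) is not None
        if not ok:
            return False
        s = s[:m.start()] + "#" + s[m.end():]
    return s == "#"


def lint_domain(section):
    """Findings for one [domain/...] section, each prefixed with a short code."""
    out = []
    uris = section.get("ldap_uri", "").replace(",", " ").split()
    schemes = {urlsplit(u).scheme.lower() for u in uris}
    start_tls = section.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
    reqcert = section.get("ldap_tls_reqcert", "hard").strip().lower()  # SSSD default: hard

    if "ldaps" in schemes and start_tls:
        out.append("TLS_CONFLICT: ldaps:// (TLS from the first byte, port 636) and "
                   "ldap_id_use_start_tls (plain LDAP on 389 upgraded in-band) are "
                   "mutually exclusive; remove ldap_id_use_start_tls or use ldap://")
    if "ldap" in schemes and not start_tls:
        out.append("PLAINTEXT: ldap:// without ldap_id_use_start_tls = true sends "
                   "binds and lookups in clear")
    if reqcert in ("never", "allow", "try"):
        out.append(f"WEAK_REQCERT: ldap_tls_reqcert = {reqcert} skips or tolerates "
                   "a failed server-certificate check")

    acl = section.get("ldap_access_filter")
    if acl is not None:
        if section.get("access_provider", "permit").strip().lower() != "ldap":
            out.append("FILTER_IGNORED: ldap_access_filter only applies with "
                       "access_provider = ldap (the default is permit)")
        if not filter_well_formed(acl):
            out.append(f"FILTER_MALFORMED: {acl!r} is not a valid LDAP filter")
    return out


def lint_sssd_conf(text):
    """Map each [domain/...] section name to its list of findings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {n: lint_domain(cp[n]) for n in cp.sections() if n.startswith("domain/")}


# The domain section as posted in the question, reduced to the relevant keys.
QUESTION_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://hostname:636/
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=test,dc=domain
ldap_access_filter = (&(object)(object))
"""

# Hypothetical corrected version: LDAPS only, access_provider set so the
# filter is honoured, and a filter that asserts something (group DN assumed).
FIXED_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldaps://hostname:636/
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
ldap_search_base = dc=test,dc=domain
ldap_access_filter = (&(objectClass=posixAccount)(memberOf=cn=ssh-users,ou=groups,dc=test,dc=domain))
"""

if __name__ == "__main__":
    for label, conf in (("as posted", QUESTION_CONF), ("corrected", FIXED_CONF)):
        for domain, findings in lint_sssd_conf(conf).items():
            print(f"{label} [{domain}]: {findings or 'no findings'}")
```

Run it against /etc/sssd/sssd.conf by passing the file's text to lint_sssd_conf. The same exclusivity holds for the ldapsearch used to verify the directory: use -H ldaps://hostname:636 without -ZZ, or -H ldap://hostname:389 with -ZZ, but not both.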