Re: sssd and ldap config

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Jun 09, 2010 at 09:34:34AM -0500, Michael Cronenworth wrote:
> I have attempted to enable SSSD for my work LDAP server, which I also 
> administer, on a fresh F13 install. Once I check the boxes in the 
> Authentication app, hit apply, and reboot, I cannot login with any LDAP 
> user. Under the local user, I cannot perform getent on any LDAP user. I 
> can, however, set my nsswitch.conf to "files ldap" and perform getent 
> commands successfully. The LDAP server is configured correctly and has 
> been utilized by pre-F13 machines and Windows machines for about 2 years.

Setting nsswitch.conf to "ldap" doesn't test sssd -- the source for that
information should be listed as "sss" if you want to use sssd.

> I noticed there is a QA test case[1] for this particular feature, but it 
> isn't working for me. Is there something I'm missing beyond both the 
> Authentication GUI app *and* the testcase page?
> 
> [1] 
> https://fedoraproject.org/wiki/QA:Testcase_SSSD_LDAP_Identity_and_LDAP_Authentication_with_TLS

The example sssd.conf doesn't look right to me -- the bits in there that
mention Kerberos-specific (krb5*) settings don't fit at all since the
auth_provider isn't set to Kerberos (krb5) and the client isn't being
told to use Kerberos to authenticate to the directory server.  There
aren't any of the TLS-related settings that sssd-ldap(5) details in
there, either.

I'm afraid I can't offer any specific advice because I don't know much
about your setup, but I'd expect to see something more like this:
  [domains/default]
  id_provider = ldap
  auth_provider = ldap
  chpass_provider = ldap
  ldap_uri = ldap://ldap.corp.example.com/
  ldap_search_base = dc=example,dc=com
  ldap_id_use_start_tls = True
  ldap_tls_cacertdir = /etc/openldap/cacerts
  ldap_user_gecos = cn
  debug_level = 0
  cache_credentials = True
  min_id = 1000

If you want to use LDAP-over-SSL instead of LDAP-with-StartTLS, you
should be able to set "ldap_id_use_start_tls" to "False" and change the
ldap_uri to start with "ldaps://" instead of "ldap://";.

Don't forget that when you're using a directory to hold certificates,
you almost always have to run "c_rehash" (from the openssl-perl package)
on the directory, and to make sure that certificates in the directory
have names ending in ".pem" so that "c_rehash" will find them.

If that doesn't point you in the right direction, you might want to ask
on the sssd list.

HTH,

Nalin
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux