Native LDAP Authentications Failings #1243

Closed
sssd-bot opened this issue May 2, 2020 · 0 comments
sssd-bot commented May 2, 2020

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/201

  • Created at 2009-09-23 21:13:04 by jgalipea
  • Closed as Fixed
  • Assigned to sbose

Description
With native ldap configured domain and auth-module = ldap, authentications are failing. Password is correct, I have validated with ldap binds and proxy ldap tests.

sssd.conf

[services]
description = Local Service Configuration
activeServices = nss, dp, pam

[services/nss]
description = NSS Responder Configuration
# the following prevents sssd from searching for the root user/group in
# all domains (you can add here a comma separated list of system accounts that
# are always going to be /etc/passwd users, or that you want to filter out)
filterGroups = root
filterUsers = root

[services/dp]
description = Data Provider Configuration

[services/pam]
description = PAM Responder Configuration

[services/monitor]
description = Service Monitor Configuration
#if a backend is particularly slow you can raise this timeout here
sbusTimeout = 30

[domains]
description = Domains served by SSSD
domains = LDAP

[domains/LDAP]
description = Proxy request to our LDAP server
enumerate = TRUE
minId = 1000
maxId = 1010
useFullyQualifiedNames = TRUE
cache-credentials = TRUE

provider = ldap

auth-module = ldap
# your ldap server
ldapUri = ldap://ldap.example.com
userSearchBase = ou=People,dc=example,dc=com
groupSearchBase = ou=Groups,dc=example,dc=com

pam.d/system-auth

#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok
auth        sufficient    pam_sss.so use_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_sss.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_unix.so
session     required      pam_sss.so

Steps to Reproduce

  1. Install sssd with above sssd configuration (also nsswitch.conf necessary modification)
  2. ssh to SSSD client as userid@hostname and provide correct user password.

Version
sssd-0.6.0-0.2009092314git2d12249.fc11.i586

Comments


Comment from jgalipea at 2009-09-24 15:37:08

Lowering priority because authentications with native LDAP are working when the directory server is SSL secured. It needs to be documented that this is required for SSSD LDAP authentication. It also needs to be documented where the CA certificate needs to be if tls_reqcert = hard or demand.

doc: 0 => 1
priority: blocker => major
tests: 0 => 1


Comment from sgallagh at 2009-09-25 15:24:12

Fixed in e8eb42b

resolution: => fixed
status: new => closed


Comment from jgalipea at 2009-10-02 17:22:02

Added automated tests for tls_reqcert never and hard, the latter using ldap_tls_cacertdir and ldap_tls_cacert.

tests: 1 => 0
testsupdated: 0 => 1


Comment from sgallagh at 2009-11-09 14:43:44

Fields changed

resolution: fixed =>
status: closed => reopened


Comment from sgallagh at 2009-11-09 14:43:54

Fields changed

owner: somebody => sbose
status: reopened => new


Comment from sgallagh at 2009-11-09 14:44:00

Fields changed

fixedin: => 0.7.0
resolution: => fixed
status: new => closed


Comment from sbose at 2010-07-22 16:43:55

ldap_tls_cacert and ldap_tls_cacertdir are described in the sssd-ldap man page and should be mentioned in the documentation. The documentation should underline that sssd only supports LDAP authentication if SSL/TLS is enabled and working. A pointer to documentation which explains how OpenLDAP handles certificates on the client side might be useful.


Comment from dpal at 2012-01-19 02:20:18

Fields changed

rhbz: => 0


Comment from jgalipea at 2017-02-24 14:24:02

Metadata Update from @jgalipea:

  • Issue assigned to sbose
  • Issue set to the milestone: SSSD 0.6.0
@sssd-bot sssd-bot added the Closed: Fixed Issue was closed as fixed. label May 2, 2020
@sssd-bot sssd-bot closed this as completed May 2, 2020
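
The thread's conclusion is that SSSD LDAP authentication only works over a working SSL/TLS channel, and that strict certificate checking needs a CA certificate the client can find. The following check is an added example, not code from the issue or from the SSSD project: it flags LDAP-authenticating domains whose TLS settings are weak or incomplete. It assumes the current sssd-ldap option names (`ldap_uri`, `ldap_tls_reqcert`, `auth_provider`) rather than the 0.6.0-era names in the report; the sample configuration and CA path are constructed.

```python
import configparser

# Constructed sample in current sssd.conf syntax; hostnames and paths are placeholders.
SAMPLE = """
[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_tls_reqcert = never

[domain/SECURE]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/example-ca.pem
"""

STRICT = {"hard", "demand"}  # values that enforce server certificate validation

def audit(conf_text):
    """Return {domain: [findings]} for every domain that authenticates via LDAP."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        # auth_provider falls back to id_provider when it is not set
        auth = dom.get("auth_provider", dom.get("id_provider", ""))
        if auth != "ldap":
            continue
        findings = []
        uris = [u.strip() for u in dom.get("ldap_uri", "").split(",") if u.strip()]
        if any(not u.lower().startswith("ldaps://") for u in uris):
            findings.append("non-ldaps URI: authentication depends on StartTLS succeeding")
        reqcert = dom.get("ldap_tls_reqcert", "hard").lower()  # documented default: hard
        if reqcert not in STRICT:
            findings.append(f"ldap_tls_reqcert={reqcert}: server certificate not strictly verified")
        elif not (dom.get("ldap_tls_cacert") or dom.get("ldap_tls_cacertdir")):
            findings.append("strict verification but no CA set in sssd.conf")
        report[section.split("/", 1)[1]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings or "ok")
```

A domain with strict verification and no CA option in sssd.conf is reported rather than failed, because the client may still pick up a CA from the system-wide OpenLDAP defaults.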