[Freeipa-users] SSS problems with eDirectory

Scott Duckworth sduckwo at clemson.edu
Wed Jul 21 19:22:29 UTC 2010


I'm trying to set up a vanilla installation of Fedora 13 to authenticate
against an eDirectory server.  We have this working on RHEL5 using nss_ldap
and pam_ldap, but doing this same configuration on Fedora 13 did not work.
So I'm now attempting the configuration using SSS.  I used the graphical
tools to set up the basics, then started editing /etc/sssd/sssd.conf to get
the specifics right.

The directory server uses rfc2307bis groups.  User DNs do not have memberOf
attributes or any shadow or kerberos attributes.  Kerberos is not available,
LDAP is used for authentication.

The SSSD client is sssd-1.2.1-15.fc13.x86_64.

/etc/sssd/sssd.conf:
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = CLEMSONU
[nss]
debug_level = 7
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 1
entry_cache_nowait_timeout = 1
[pam]
debug_level = 7
reconnection_retries = 3
[domain/CLEMSONU]
debug_level = 20
enumerate = False
cache_credentials = False
id_provider = ldap
auth_provider = ldap
chpass_provider = none
min_id = 1000
ldap_uri = ldaps://clemsonuldap.clemson.edu
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
tls_reqcert = demand
ldap_default_bind_dn = cn=CoESProxy,ou=proxyUsers,o=CLEMSONU
ldap_default_authtok_type = password
ldap_default_authtok = xxxxxx
ldap_schema = rfc2307bis
ldap_search_base = ou=SoC,ou=CES,o=CLEMSONU
ldap_user_search_base = o=CLEMSONU
ldap_group_search_base = o=CLEMSONU
ldap_user_shell = coesLoginShell
ldap_user_gecos = fullName
ldap_user_fullname = fullName
ldap_pwd_policy = none

nss_sss appears to be mostly functioning.  "getent passwd sduckwo" works.
"getent group xxxx" is flaky - the group name and GID are always found, but
group members are only sometimes reported, with no rhyme or reason why they
are or are not reported.  For example:

[root at duck2 ~]# getent group coes_socunix
coes_socunix:*:120105:sduckwo,duckwos,jdabney,mdabney

The log shows:

(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [be_get_account_info] (4):
Got request for [4098][1][name=coes_socunix]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (6):
calling ldap_search_ext with
[(&(cn=coes_socunix)(objectclass=posixGroup))][o=CLEMSONU].
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [objectClass]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [cn]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [userPassword]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [gidNumber]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [member]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [nsUniqueId]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [modifyTimestamp]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (8):
ldap_search_ext called, msgid = 5
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_process_result] (8):
Trace: sh[0x1cf13c0], connected[1], ops[0x1cc6ca0], ldap[0x1cca100]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_parse_entry] (9):
OriginalDN: [cn=coes_socunix,ou=group,ou=SoC,ou=CES,o=CLEMSONU].
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_process_result] (8):
Trace: sh[0x1cf13c0], connected[1], ops[0x1cc6ca0], ldap[0x1cca100]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_done] (6):
Search result: Success(0), (null)
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_groups_process]
(6): Search for groups, returned 1 results.
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_process_result] (8):
Trace: sh[0x1cf13c0], connected[1], ops[(nil)], ldap[0x1cca100]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_process_result] (8):
Trace: ldap_result found nothing!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [ldb] (9): start ldb
transaction (nesting: 0)
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_save_group_send] (7):
Adding original DN [cn=coes_socunix,ou=group,ou=SoC,ou=CES,o=CLEMSONU] to
attributes of [coes_socunix].
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_save_group_send] (6):
Storing info for group coes_socunix
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done]
(6): Error: Entry not Found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done]
(6): Error: Entry not Found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_save_groups_loop] (9):
Group 0 processed!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_save_grpmem_send] (7):
Adding member users to group [coes_socunix]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships] (9):
[IPA or AD Schema]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships]
(7):     member #0 (cn=SDUCKWO,ou=s,ou=EMPLOYEE,o=CLEMSONU):
[name=sduckwo,cn=users,cn=CLEMSONU,cn=sysdb]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships]
(7):     member #1 (cn=DUCKWOS,ou=d,ou=Students,o=CLEMSONU):
[name=duckwos,cn=users,cn=CLEMSONU,cn=sysdb]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships]
(7):     member #2 (cn=JDABNEY,ou=j,ou=Students,o=CLEMSONU):
[name=jdabney,cn=users,cn=CLEMSONU,cn=sysdb]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships]
(7):     member #3 (cn=MDABNEY,ou=m,ou=Students,o=CLEMSONU):
[name=mdabney,cn=users,cn=CLEMSONU,cn=sysdb]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done]
(6): Error: Entry not Found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships]
(7):     member #4 (cn=DABNEY,ou=d,ou=EMPLOYEE,o=CLEMSONU): not found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done]
(6): Error: Entry not Found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships]
(7):     member #5 (cn=DABNEY2,ou=d,ou=EMPLOYEE,o=CLEMSONU): not found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done]
(6): Error: Entry not Found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships]
(7):     member #6 (cn=MADPROF,ou=m,ou=EMPLOYEE,o=CLEMSONU): not found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done]
(6): Error: Entry not Found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships]
(7):     member #7 (cn=WAYNE,ou=w,ou=EMPLOYEE,o=CLEMSONU): not found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_save_grpmem_send] (6):
Storing members for group coes_socunix
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [ldb] (9): commit ldb
transaction (nesting: 0)
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_get_groups_done] (9):
Saving 1 Groups - Done
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [acctinfo_callback] (4):
Request processed. Returned 0,0,Success

Members #4 - #7 were not found, even though they are valid user DNs.  Any
thoughts?

Moving on...

pam_sss does not appear to work.  Here are some entries from the SSS log when
trying to log in to the system on the command line:

(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [simple_bind_send] (4):
Executing simple bind as: cn=CoESProxy,ou=proxyUsers,o=CLEMSONU
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [simple_bind_done] (3): Bind
result: Success(0), (null)
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (6):
calling ldap_search_ext with
[(&(uid=sduckwo)(objectclass=posixAccount))][o=CLEMSONU].
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [objectClass]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [uid]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [userPassword]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [uidNumber]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [gidNumber]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [fullName]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [homeDirectory]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [coesLoginShell]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [krbPrincipalName]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [fullName]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [memberOf]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [nsUniqueId]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [modifyTimestamp]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [shadowLastChange]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [shadowMin]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [shadowMax]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [shadowWarning]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [shadowInactive]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [shadowExpire]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [shadowFlag]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [krbLastPwdChange]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [krbPasswordExpiration]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_generic_send] (7):
Requesting attrs: [pwdAttribute]
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_save_user_send] (7):
Adding original DN [cn=SDUCKWO,ou=s,ou=EMPLOYEE,o=CLEMSONU] to attributes of
[sduckwo].
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_save_user_send] (7):
Original memberOf is not available for [sduckwo].
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_save_user_send] (7):
User principal is not available for [sduckwo].
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_save_user_send] (6):
Storing info for user sduckwo

Up to here, everything looks good.  It would be nice to not ask for all of
the shadow and krb attributes since they don't exist in our directory, but
no harm done.

But then things start to go wrong:

(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_initgr_process]
(9): Process user's groups
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_initgr_nested_send]
(4): User entry lacks original memberof ?
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_get_initgr_done] (9):
Initgroups done
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [acctinfo_callback] (4):
Request processed. Returned 3,2,Init Groups Failed

Our directory doesn't use the memberOf user attribute, it just uses
rfc2307bis style groups (objectClass=posixUser, member=<user DN>).

Then, here's where things really go awry:

(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]]
[find_password_expiration_attributes] (9): No password policy requested.
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [simple_bind_send] (4):
Executing simple bind as: cn=SDUCKWO,ou=s,ou=EMPLOYEE,o=CLEMSONU
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [sdap_process_result] (4):
ldap_result gave -1, something bad happend!
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [auth_bind_user_done] (9):
Found ppolicy data, assuming LDAP password policies are active.
(Wed Jul 21 12:32:24 2010) [sssd[be[CLEMSONU]]] [be_pam_handler_callback]
(4): Backend returned: (3, 4, <NULL>) [Internal Error (Interrupted system
call)]

"something bad happened" isn't very useful.  And since SSS refuses to try
and authenticate users without an encrypted connection, I can't easily use
wireshark and friends to debug at the protocol level.  While I could
probably patch the source to print the actual LDAP error with
ldap_err2string(), or maybe gdb the process and set a breakpoint when things
go wrong to hopefully get some more useful information, this is beyond what
I'd normally consider doing when deploying new software.  Any suggestions?

Moving on...

We will need to dereference LDAP aliases but I have not yet been able to
find a setting to enable this.  I also have not found the equivalent of the
pam_password_prohibit_message setting in /etc/ldap.conf; while not strictly
required, it is nice to refer users to the proper way to change passwords in
our environment.

Any help would be appreciated.  Thanks!

Scott Duckworth, Systems Programmer II
Clemson University School of Computing
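As an added example (not from the post and not SSSD's own code), a small parser for the wrapped sssd_be debug entries quoted above: it reports which rfc2307bis group member DNs resolved in the sysdb cache, which came back "not found!", and the backend's final "Returned a,b,msg" triple, so a flaky getent result can be checked against the log instead of by eye. The sample input is constructed from the lines quoted in the post.

```python
import re

# Constructed sample: a trimmed copy of the group lookup quoted in the post.
SAMPLE_LOG = """\
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [be_get_account_info] (4):
Got request for [4098][1][name=coes_socunix]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships]
(7):     member #0 (cn=SDUCKWO,ou=s,ou=EMPLOYEE,o=CLEMSONU):
[name=sduckwo,cn=users,cn=CLEMSONU,cn=sysdb]
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sysdb_search_entry_done]
(6): Error: Entry not Found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [sdap_fill_memberships]
(7):     member #4 (cn=DABNEY,ou=d,ou=EMPLOYEE,o=CLEMSONU): not found!
(Wed Jul 21 14:55:39 2010) [sssd[be[CLEMSONU]]] [acctinfo_callback] (4):
Request processed. Returned 0,0,Success
"""

# Every entry starts with "(timestamp) [sssd[be[DOMAIN]]]"; the rest may wrap.
ENTRY_START = re.compile(r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] ")
HEADER = re.compile(r"^\[(?P<func>[^\]]+)\]\s*\((?P<level>\d+)\):\s*(?P<msg>.*)$")
MEMBER = re.compile(r"member #(?P<idx>\d+) \((?P<dn>[^)]+)\):\s*(?P<res>.+)$")
RETURNED = re.compile(r"Returned (?P<a>\d+),(?P<b>\d+),(?P<text>.*)$")

def split_entries(text):
    """Re-join wrapped lines: a new entry begins only at an ENTRY_START prefix."""
    entries, cur = [], None
    for line in text.splitlines():
        if ENTRY_START.match(line):
            if cur:
                entries.append(" ".join(cur))
            cur = [line]
        elif cur is not None:          # continuation of the previous entry
            cur.append(line.strip())
    if cur:
        entries.append(" ".join(cur))
    return entries

def parse_entry(entry):
    """Return {ts, domain, func, level, msg} or None for an unparseable entry."""
    m = ENTRY_START.match(entry)
    h = HEADER.match(entry[m.end():]) if m else None
    if not h:
        return None
    return {"ts": m["ts"], "domain": m["domain"], "func": h["func"],
            "level": int(h["level"]), "msg": h["msg"].strip()}

def triage_group_lookup(text):
    """Which member DNs resolved in sysdb, which did not, and the final result triple."""
    found, missing, result = [], [], None
    for e in filter(None, map(parse_entry, split_entries(text))):
        if e["func"] == "sdap_fill_memberships" and (mm := MEMBER.search(e["msg"])):
            (missing if mm["res"].startswith("not found") else found).append(mm["dn"])
        elif e["func"] == "acctinfo_callback" and (rm := RETURNED.search(e["msg"])):
            result = (int(rm["a"]), int(rm["b"]), rm["text"].strip())
    return {"found": found, "missing": missing, "result": result}

if __name__ == "__main__":
    print(triage_group_lookup(SAMPLE_LOG))
```

Run it over a full sssd_CLEMSONU.log capture (debug_level 7 or higher) to see, per lookup, exactly which member DNs never made it into the cache; a "missing" list that is non-empty while the backend still returns 0,0,Success is the pattern described in the post.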