[Freeipa-users] RHEL 5 client?

Alexander Bokovoy abokovoy at redhat.com
Thu Apr 2 20:53:53 UTC 2015


On Thu, 02 Apr 2015, Guertin, David S. wrote:
>>Can you try searching the compat tree with ldapsearch to see if an entry turns
>>up? IIRC you need to search for a particular entry, not for any (not ie cn=*),
>>but if you crank up the debug_level in the domain section, then sssd should
>>log the searches to /var/log/sssd/sssd_default.log
>
>Here's the result of ldapsearch on the RHEL 5 client (the same command
>works on RHEL 6):
>
># ldapsearch -h middlebury.edu -p 389 -D 'MIDD\admin' -W -b "dc=middlebury,dc=edu" -s sub "cn=juser,cn=users,dc=middlebury,dc=edu"
>Enter LDAP Password:
>SASL/GSSAPI authentication started
>ldap_sasl_interactive_bind_s: Local error (-2)
>	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No credentials cache found)
This is a wrong use of ldapsearch -- if you are using simple bind, make
sure you tell ldapsearch about it. However, I'm not sure what you wanted
to show, as both the hostname and the base DN are different from what SSSD
tries in the logs below. Also, unlike Active Directory, IPA LDAP does not
(yet) accept a short version of the bind DN; you have to specify it fully.
If you wanted to have Kerberos auth working on RHEL5, that is something
that might or might not work for AD users depending on many
circumstances, mostly related to the need to manually configure
krb5.conf to know about the AD realm and how to contact servers there, but
also due to possible issues with auth_to_local rulesets (if they even
exist in that Kerberos library version).

In the case of AD users, there is a sequence to follow for LDAP
authentication if you want to repeat what SSSD does:

1. Search the user with filter '(uid=username@domain)' to get the entry into
   the compat tree.
2. Bind as uid=username@domain,cn=users,cn=compat,$BASEDN to trigger the
   authentication check.

This is how various LDAP-based NSS modules work, be it nss_ldap,
nss-pam-ldapd, or SSSD.

So, let's say you have a Kerberos keytab with a host principal in
/etc/krb5.keytab. The sequence to emulate what SSSD does would be:

kinit -k host/`hostname`
ldapsearch -Y GSSAPI -H ldap://genet.ipa.middlebury.edu \
           -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub \
           '(uid=admin@middlebury.edu)'

As a result, we have 'admin@middlebury.edu' inserted in the compat tree, and can
do a bind as 'uid=admin@middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu':

ldapsearch -x -H ldap://genet.ipa.middlebury.edu \
           -D 'uid=admin@middlebury.edu,cn=users,cn=compat,dc=ipa,dc=middlebury,dc=edu' -W \
           -b cn=compat,dc=ipa,dc=middlebury,dc=edu -s sub \
           '(uid=admin@middlebury.edu)'

This would reproduce what SSSD was supposed to do. If you get these
ldapsearches to work, we can look at what SSSD is doing.
-- 
/ Alexander Bokovoy
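
The two-step sequence above (GSSAPI search to materialise the compat entry, then a simple bind as that entry), as an added example that is not from this thread: it builds the kinit/ldapsearch argv lists the mail describes and maps ldapsearch exit codes to LDAP result codes. The RFC 4515/4514 escaping helpers and the injectable `run` hook are my additions; the client hostname is a placeholder.

```python
import subprocess

LDAP_URI = "ldap://genet.ipa.middlebury.edu"  # server named in the thread
BASEDN = "dc=ipa,dc=middlebury,dc=edu"        # base DN named in the thread


def filter_escape(value):
    """RFC 4515: escape the characters that would change a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def dn_escape(value):
    """RFC 4514: escape the characters that are special inside a DN value."""
    out = []
    for i, c in enumerate(value):
        special = (c in ',+"\\<>;' or (i == 0 and c in " #")
                   or (i == len(value) - 1 and c == " "))
        out.append("\\" + c if special else c)
    return "".join(out)


def compat_filter(user):
    """Step 1 filter: '(uid=user@domain)' searched under cn=compat."""
    return "(uid=%s)" % filter_escape(user)


def compat_bind_dn(user, basedn=BASEDN):
    """Step 2 bind DN: uid=user@domain,cn=users,cn=compat,$BASEDN."""
    return "uid=%s,cn=users,cn=compat,%s" % (dn_escape(user), basedn)


def sssd_emulation_commands(user, host, uri=LDAP_URI, basedn=BASEDN):
    """argv lists, in order: kinit from host keytab, GSSAPI search, simple bind."""
    compat_base = "cn=compat," + basedn
    search = ["-H", uri, "-b", compat_base, "-s", "sub", compat_filter(user)]
    return [
        ["kinit", "-k", "host/" + host],
        ["ldapsearch", "-Y", "GSSAPI"] + search,
        ["ldapsearch", "-x", "-D", compat_bind_dn(user, basedn), "-W"] + search,
    ]


# ldapsearch exits with the LDAP result code when the operation fails.
RESULT = {0: "success", 32: "noSuchObject: user not in compat tree",
          49: "invalidCredentials: bind rejected"}


def emulate(user, host, run=subprocess.run):
    """Run the steps, stopping at the first failure; returns (tool, verdict) pairs."""
    outcome = []
    for argv in sssd_emulation_commands(user, host):
        rc = run(argv).returncode
        outcome.append((argv[0], RESULT.get(rc, "exit status %d" % rc)))
        if rc != 0:
            break
    return outcome
```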