sssd integration - what to put where?
Greetings,
I'm working to get sssd (on one testing server) hooked to an osixia/openldap service (on another testing server). Both servers are running ubuntu 14.04
I've made good progress - 'getent passwd' returns actual LDAP users (yay!) ...but ssh will not let ldap users login. The various errors I've gotten all point at TLS.
Here are lines from the debug log from sssd associated with an attempt to login as a user defined in ldap:
(Thu Dec 22 15:06:17 2016) [sssd[be[example.com]]] [be_resolve_server_process] (0x0200): Found address for server 172.16.100.118: [172.16.100.118] TTL 7200
(Thu Dec 22 15:06:17 2016) [sssd[be[example.com]]] [sdap_uri_callback] (0x0400): Constructed uri 'ldap://172.16.100.118:389'
(Thu Dec 22 15:06:17 2016) [sssd[be[example.com]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Thu Dec 22 15:06:17 2016) [sssd[be[example.com]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://172.16.100.118:389/??base] with fd [16].
(Thu Dec 22 15:06:17 2016) [sssd[be[example.com]]] [sdap_sys_connect_done] (0x0100): Executing START TLS
(Thu Dec 22 15:06:17 2016) [sssd[be[example.com]]] [sdap_process_result] (0x2000): Trace: sh[0x1799cc0], connected[1], ops[0x179a7e0], ldap[0x1793130]
(Thu Dec 22 15:06:17 2016) [sssd[be[example.com]]] [sdap_connect_done] (0x0080): START TLS result: Success(0), (null)
(Thu Dec 22 15:06:17 2016) [sssd[be[example.com]]] [sdap_connect_done] (0x0080): ldap_install_tls failed: [Connect error] [A TLS packet with unexpected length was received.]
I've tried the various "don't worry about the certs" strategies I could find, but nothing so far has led to successful logins. For example, setting ldap_tls_reqcert=never didn't help.
So, my next thought was to copy the right cert files onto the client server running sssd, and tell sssd about them, so it can verify/confirm the certs. (If you have a better idea, by all means, let me know)
It was easy enough to docker exec -it into the openldap image and use 'find' to find pem files.
I copied them out of the image:
# docker cp openldap:/container/service/slapd/assets/certs/dhparam.pem ~
# docker cp openldap:/container/service/\:ssl-tools/assets/default-ca/default-ca.pem ~
# docker cp openldap:/container/service/\:ssl-tools/assets/default-ca/default-ca-key.pem ~
Now that I have these files I need to determine where to put them on the server that's running sssd, and determine if there are other steps I need to take to get them recognized properly.
My research continues, but in hopes of shortcutting it a bit, I welcome hints, tips, and advice regarding this that you all might have.
I'll be happy to help with writing up a blog post or guide on how to get this all working, once it does.
I hate to bump something this old, but I recently had the fun of figuring out why I couldn't authenticate using SSSD against this containerized OpenLDAP server. I had similar issues as you pointed out but eventually got it working. I was missing a few things which I will point out below. I hope this will help you and anyone else trying to get LDAP auth to work with sssd.
- SSSD requires TLS or SSL for auth to work. I couldn't get it to work without it. ldap_tls_reqcert=never won't work.
- If you're relying on the bootstrap script on this container, you need to add LDAP_TLS_VERIFY_CLIENT=try as an environment variable. This will configure the LDAP server to proceed with connections except when a bad certificate is given.
- Copy the generated certificates from the container. The certs are at /container/run/service/slapd/assets/certs/{ca,ldap}.crt. Copy them to /etc/openldap/certs/ on the LDAP client running sssd, then run openssl rehash /etc/openldap/certs.
- Configure SSSD to use TLS. I used something along the lines of:
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
autofs_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = DC=example,DC=com
# read-only bind account used for lookups
ldap_default_bind_dn=cn=readonly,dc=example,dc=com
ldap_default_authtok=readonly
# upgrade the plain ldap:// connection with StartTLS before any bind
ldap_id_use_start_tls = True
ldap_tls_reqcert = allow
# directory holding the copied ca.crt/ldap.crt, hashed with openssl rehash
ldap_tls_cacertdir = /etc/openldap/certs
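The failure in the original question (StartTLS negotiated, then ldap_install_tls failing, and ssh logins refused) and the fix in the answer above both come down to a handful of sssd.conf settings: the URI scheme, ldap_id_use_start_tls, ldap_tls_reqcert and a CA location. The following is an added example, not code from this thread or from the sssd or osixia/openldap projects: a small linter that parses the [domain/...] sections of an sssd.conf with Python's configparser and reports the combinations that leave auth broken or leave the server certificate unverified. The rules are my own reading of the documented sssd-ldap options (the default for ldap_tls_reqcert is hard; values other than demand/hard tolerate a bad or missing server cert); the embedded sample is the config posted in the answer.

```python
"""Lint an sssd.conf for the StartTLS / CA-trust problems discussed in this thread.

Added example (not from the thread). Parses [domain/...] sections and flags:
  - plain ldap:// URI without StartTLS (sssd will not send passwords in the clear,
    so auth fails),
  - no CA configured, or ldap_tls_reqcert relaxed to never/allow/try (server cert
    is not actually validated),
  - a cleartext bind password in the file (acceptable only with strict file perms).
"""
import configparser
from typing import Dict, List

# Sample input: the config posted in the answer above, embedded so this runs offline.
SAMPLE_SSSD_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = DC=example,DC=com
ldap_default_bind_dn=cn=readonly,dc=example,dc=com
ldap_default_authtok=readonly
ldap_id_use_start_tls = True
ldap_tls_reqcert = allow
ldap_tls_cacertdir = /etc/openldap/certs
"""

TRUE_VALUES = {"true", "yes", "1", "on"}
# Only these ldap_tls_reqcert values abort the connection on an untrusted server cert.
STRICT_REQCERT = {"demand", "hard"}


def lint_domain(name: str, opts: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one [domain/...] section."""
    findings: List[str] = []
    uri = opts.get("ldap_uri", "").strip()
    start_tls = opts.get("ldap_id_use_start_tls", "false").strip().lower() in TRUE_VALUES
    # sssd-ldap documents 'hard' as the default when the option is absent.
    reqcert = opts.get("ldap_tls_reqcert", "hard").strip().lower()
    has_ca = "ldap_tls_cacert" in opts or "ldap_tls_cacertdir" in opts

    # Rule 1: auth over a plain ldap:// URI only works once StartTLS is enabled.
    if uri.startswith("ldap://") and not start_tls:
        findings.append(f"{name}: ldap:// URI without ldap_id_use_start_tls = True (auth will fail)")

    # Rule 2: without a CA the client cannot validate the server certificate at all.
    if not has_ca:
        findings.append(f"{name}: no ldap_tls_cacert/ldap_tls_cacertdir; server cert cannot be verified")

    # Rule 3: never/allow/try accept a bad or missing server cert, so a spoofed
    # server would receive user passwords; demand/hard is the safe setting.
    if reqcert not in STRICT_REQCERT:
        findings.append(f"{name}: ldap_tls_reqcert = {reqcert} skips or softens server cert validation")

    # Rule 4: cleartext bind credential in the file (authtok_type defaults to 'password').
    authtok_type = opts.get("ldap_default_authtok_type", "password").strip().lower()
    if "ldap_default_authtok" in opts and authtok_type == "password":
        findings.append(f"{name}: ldap_default_authtok stored in cleartext; keep sssd.conf mode 0600 root:root")
    return findings


def lint_sssd_conf(text: str) -> List[str]:
    """Parse an sssd.conf body and lint every [domain/...] section in it."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings: List[str] = []
    for section in cp.sections():
        if section.startswith("domain/"):
            findings.extend(lint_domain(section, dict(cp[section])))
    return findings


if __name__ == "__main__":
    for line in lint_sssd_conf(SAMPLE_SSSD_CONF):
        print(line)
```

Run against the posted config it reports two things: ldap_tls_reqcert = allow (the setting that makes the fix "work" while still accepting an untrusted server cert; once the copied ca.crt is hashed into /etc/openldap/certs, demand is the setting to move to) and the cleartext read-only bind password. Point it at /etc/sssd/sssd.conf with `lint_sssd_conf(open(path).read())` to check a real client.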