On Wed, Jun 09, 2010 at 09:34:34AM -0500, Michael Cronenworth wrote:
> I have attempted to enable SSSD for my work LDAP server, which I also
> administer, on a fresh F13 install. Once I check the boxes in the
> Authentication app, hit apply, and reboot, I cannot log in with any LDAP
> user. Under the local user, I cannot perform getent on any LDAP user. I
> can, however, set my nsswitch.conf to "files ldap" and perform getent
> commands successfully. The LDAP server is configured correctly and has
> been utilized by pre-F13 machines and Windows machines for about 2 years.

Setting nsswitch.conf to "ldap" doesn't test sssd -- the source for that
information should be listed as "sss" if you want to use sssd.

> I noticed there is a QA test case[1] for this particular feature, but it
> isn't working for me. Is there something I'm missing beyond both the
> Authentication GUI app *and* the testcase page?
>
> [1]
> https://fedoraproject.org/wiki/QA:Testcase_SSSD_LDAP_Identity_and_LDAP_Authentication_with_TLS

The example sssd.conf doesn't look right to me -- the bits in there that
mention Kerberos-specific (krb5*) settings don't fit at all since the
auth_provider isn't set to Kerberos (krb5) and the client isn't being told
to use Kerberos to authenticate to the directory server. There aren't any
of the TLS-related settings that sssd-ldap(5) details in there, either.
I'm afraid I can't offer any specific advice because I don't know much
about your setup, but I'd expect to see something more like this:

    # [sssd] section shown here for completeness; it was not part of the
    # original reply, which only gave the domain section.
    [sssd]
    config_file_version = 2
    services = nss, pam
    domains = default

    # the original reply had "[domains/default]"; sssd.conf(5) spells the
    # section [domain/NAME]
    [domain/default]
    id_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    ldap_uri = ldap://ldap.corp.example.com/
    ldap_search_base = dc=example,dc=com
    ldap_id_use_start_tls = True
    ldap_tls_cacertdir = /etc/openldap/cacerts
    ldap_user_gecos = cn
    debug_level = 0
    cache_credentials = True
    min_id = 1000

If you want to use LDAP-over-SSL instead of LDAP-with-StartTLS, you should
be able to set "ldap_id_use_start_tls" to "False" and change the ldap_uri
to start with "ldaps://" instead of "ldap://".

Don't forget that when you're using a directory to hold certificates, you
almost always have to run "c_rehash" (from the openssl-perl package) on the
directory, and to make sure that certificates in the directory have names
ending in ".pem" so that "c_rehash" will find them.

If that doesn't point you in the right direction, you might want to ask on
the sssd list.

HTH,

Nalin
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
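As an added check (not from Nalin's reply or from the sssd project), here is a small Python linter that flags the mismatches raised in the thread: krb5_* options present without auth_provider = krb5, an ldap:// URI with StartTLS left off, ldaps:// combined with StartTLS, TLS with no CA certificate setting, the [domains/...] misspelling, and an nsswitch.conf that lists "ldap" rather than "sss". Section and option names follow sssd.conf(5) and sssd-ldap(5); the sample configurations, hostnames and base DN are constructed for the example.

```python
"""Sanity checks for the sssd.conf / nsswitch.conf mistakes discussed in the thread.

Added example, not part of the mailing-list reply. Section and option names follow
sssd.conf(5) and sssd-ldap(5); the sample configurations below are constructed.
"""
import configparser
from typing import List

# Constructed sample shaped like the criticised QA-page config: Kerberos knobs
# without auth_provider = krb5, no TLS settings, and the [domains/...] misspelling.
BAD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domains/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.corp.example.com/
ldap_search_base = dc=example,dc=com
krb5_server = kdc.example.com
krb5_realm = EXAMPLE.COM
"""

# Constructed sample following the StartTLS layout suggested in the reply.
GOOD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.corp.example.com/
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
cache_credentials = True
min_id = 1000
"""

# Constructed nsswitch.conf excerpts: the first one never consults sssd at all.
NSSWITCH_LDAP = "passwd: files ldap\nshadow: files ldap\ngroup: files ldap\n"
NSSWITCH_SSS = "passwd: files sss\nshadow: files sss\ngroup: files sss\n"


def _is_true(value: str) -> bool:
    return value.strip().lower() in ("true", "yes", "1")


def lint_sssd_conf(text: str) -> List[str]:
    """Return human-readable findings for an sssd.conf; an empty list means clean."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    findings: List[str] = []

    declared = set()
    if cp.has_section("sssd"):
        declared = {d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()}
    else:
        findings.append("[sssd] section missing; sssd needs services= and domains= there")

    for sec in cp.sections():
        if sec.startswith("domains/"):
            findings.append(f"[{sec}]: domain sections are spelled [domain/NAME], not [domains/NAME]")
        elif not sec.startswith("domain/"):
            continue
        name = sec.split("/", 1)[1]
        if name not in declared:
            findings.append(f"[{sec}]: '{name}' is not listed in [sssd] domains=, so it is never started")

        opts = dict(cp.items(sec))
        auth = opts.get("auth_provider", "")
        krb = sorted(k for k in opts if k.startswith("krb5_"))
        if krb and auth != "krb5":
            findings.append(f"[{sec}]: {', '.join(krb)} set, but auth_provider is '{auth}', not krb5")

        uri = opts.get("ldap_uri", "")
        start_tls = _is_true(opts.get("ldap_id_use_start_tls", "False"))
        if uri.startswith("ldaps://") and start_tls:
            findings.append(f"[{sec}]: ldaps:// already uses TLS; set ldap_id_use_start_tls = False")
        if uri.startswith("ldap://") and not start_tls:
            findings.append(f"[{sec}]: ldap:// without ldap_id_use_start_tls = True sends identity lookups in the clear")
        has_ca = "ldap_tls_cacert" in opts or "ldap_tls_cacertdir" in opts
        if (uri.startswith("ldaps://") or start_tls) and not has_ca:
            findings.append(f"[{sec}]: TLS enabled but no ldap_tls_cacert/ldap_tls_cacertdir to verify the server")
    return findings


def nsswitch_missing_sss(text: str) -> List[str]:
    """Return the passwd/shadow/group databases whose source list omits 'sss'."""
    missing = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        if db.strip() in ("passwd", "shadow", "group") and "sss" not in sources.split():
            missing.append(db.strip())
    return missing


if __name__ == "__main__":
    for label, conf in (("QA-page style", BAD_CONF), ("suggested", GOOD_CONF)):
        print(f"{label}: {lint_sssd_conf(conf) or ['ok']}")
    print("nsswitch databases without sss:", nsswitch_missing_sss(NSSWITCH_LDAP))
```

Run it against your real /etc/sssd/sssd.conf by passing its contents to lint_sssd_conf(); the checks are purely textual, so the file never has to be readable by anyone but root and nothing talks to the directory server.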