[Pkg-sssd-devel] Bug#840617: sssd-ldap STARTTLS issue; plain ldapsearch -ZZ works

Francesco Malvezzi francesco.malvezzi at unimore.it
Thu Oct 13 09:51:52 UTC 2016


Package: sssd-ldap
Version: 1.14.1-1
Severity: important

Dear Maintainer,

pam_sss doesn't allow LDAP users to log in:

Oct 13 10:58:38 walrus sshd[4488]: pam_sss(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=******
user=*****
Oct 13 10:58:38 walrus sshd[4488]: pam_sss(sshd:auth): received for user
*****: 4 (System error)

On LDAP server ldap.log:

Oct 13 11:36:37 ldap slapd[665]: conn=1629798 fd=23 ACCEPT from
IP=********:51332 (IP=0.0.0.0:389)
Oct 13 11:36:37 ldap slapd[665]: conn=1629798 op=0 EXT
oid=1.3.6.1.4.1.1466.20037
Oct 13 11:36:37 ldap slapd[665]: conn=1629798 op=0 STARTTLS
Oct 13 11:36:37 ldap slapd[665]: conn=1629798 op=0 RESULT oid= err=0
text=
Oct 13 11:36:37 ldap slapd[665]: conn=1629798 fd=23 closed (TLS
negotiation failure)

This is confirmed in /var/log/sss/LDAP.log (debug level 6):

[...]
(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [sdap_sys_connect_done]
(0x0100): Executing START TLS
(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [sdap_connect_done]
(0x0080): START TLS result: Success(0), (null)
(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [fo_set_port_status]
(0x0100): Marking port 389 of server 'ldap.example.org' as 'working'
(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [set_server_common_status]
(0x0100): Marking server 'ldap.example.org' as 'working'
(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [fo_set_port_status]
(0x0400): Marking port 389 of duplicate server 'ldap.example.org' as
'working'
(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [simple_bind_send] (0x0100):
Executing simple bind as: uid=user,ou=people,dc=example,dc=org
(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [sdap_process_result]
(0x0040): ldap_result error: [Can't contact LDAP server]
(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [dp_req_done] (0x0400): DP
Request [PAM Authenticate #14]: Request handler finished [0]: Successo
(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP
Request [PAM Authenticate #14]: Receiving request data.
[...]

ldapsearch -x -ZZ ... works fine.

My /etc/sssd/sssd.conf is:

[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = LDAP

[nss]

[pam]

# Example LDAP domain
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://ldap.example.org
ldap_search_base = dc=example,dc=org
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
cache_credentials = true
enumerate = False

There is also another sssd malfunction worth mentioning:

root at walrus:/var/log/sssd# sssctl domain-list
Unable to get domains list [3]: Communication error
org.freedesktop.DBus.Error.Spawn.ExecFailed: Cannot launch daemon, file
not found or permissions invalid

I don't know if it's related or matters at all.

Thank you so much for your time,

Francesco


-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.7.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sssd-ldap depends on:
ii  libc6             2.24-3
ii  libldap-2.4-2     2.4.42+dfsg-2+b3
ii  libsss-idmap0     1.14.1-1
ii  sssd-common       1.14.1-1
ii  sssd-krb5-common  1.14.1-1

Versions of packages sssd-ldap recommends:
ii  ldap-utils  2.4.42+dfsg-2+b3

Versions of packages sssd-ldap suggests:
pn  libsasl2-modules-ldap  <none>

-- no debconf information


-- 
Servizio gestione identità
Via Campi, 213/b
41125 Modena
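As an added example (not part of the bug report), a small Python checker for the pattern visible in both logs above: slapd answers the STARTTLS extended operation with err=0 and then closes the connection with "TLS negotiation failure", while sssd logs START TLS success and the following simple bind fails with "Can't contact LDAP server". The sample lines are the report's own excerpts re-joined onto single lines; the function names are this example's.

```python
"""Flag 'STARTTLS accepted, TLS handshake never completed' in sssd and slapd logs."""
import re

SSSD_LOG = [  # excerpts from the report above, re-joined onto single lines
    "(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [sdap_connect_done] (0x0080): START TLS result: Success(0), (null)",
    "(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [simple_bind_send] (0x0100): Executing simple bind as: uid=user,ou=people,dc=example,dc=org",
    "(Thu Oct 13 11:39:36 2016) [sssd[be[LDAP]]] [sdap_process_result] (0x0040): ldap_result error: [Can't contact LDAP server]",
]
SLAPD_LOG = [
    "Oct 13 11:36:37 ldap slapd[665]: conn=1629798 fd=23 ACCEPT from IP=********:51332 (IP=0.0.0.0:389)",
    "Oct 13 11:36:37 ldap slapd[665]: conn=1629798 op=0 EXT oid=1.3.6.1.4.1.1466.20037",
    "Oct 13 11:36:37 ldap slapd[665]: conn=1629798 op=0 STARTTLS",
    "Oct 13 11:36:37 ldap slapd[665]: conn=1629798 op=0 RESULT oid= err=0 text=",
    "Oct 13 11:36:37 ldap slapd[665]: conn=1629798 fd=23 closed (TLS negotiation failure)",
]

# sssd line layout: (timestamp) [sssd[be[DOMAIN]]] [function] (0xLEVEL): message
SSSD_RE = re.compile(r"^\((?P<ts>[^)]*)\) \[sssd\[be\[[^\]]*\]\]\] \[(?P<fn>\w+)\] \(0x[0-9a-f]+\): (?P<msg>.*)$")
SLAPD_RE = re.compile(r"conn=(?P<conn>\d+) (?P<event>.*)$")

def sssd_tls_bind_failures(lines):
    """Bind DNs that hit 'Can't contact LDAP server' right after a logged STARTTLS success."""
    findings, starttls_ok, bind_dn = [], False, None
    for line in lines:
        m = SSSD_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        if msg.startswith("START TLS result: Success"):
            starttls_ok = True          # extended op accepted; handshake outcome still unknown
        elif msg.startswith("Executing simple bind as: "):
            bind_dn = msg.split(": ", 1)[1]
        elif "Can't contact LDAP server" in msg and starttls_ok:
            findings.append({"ts": m["ts"], "function": m["fn"], "bind_dn": bind_dn})
            starttls_ok, bind_dn = False, None  # reset for the next connection attempt
    return findings

def slapd_tls_negotiation_failures(lines):
    """conn ids where STARTTLS returned err=0 and the conn then closed with a TLS failure."""
    events = {}
    for line in lines:
        m = SLAPD_RE.search(line)
        if m:
            events.setdefault(m["conn"], []).append(m["event"])
    return sorted(
        conn for conn, ev in events.items()
        if any(e.endswith(" STARTTLS") for e in ev)
        and any("RESULT oid= err=0" in e for e in ev)
        and any("closed (TLS negotiation failure)" in e for e in ev)
    )
```

Run over the two excerpts, the first function reports the failed bind for uid=user,ou=people,dc=example,dc=org and the second returns conn 1629798; a healthy STARTTLS session would produce no findings from either.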


