SSSD (ldaps) and port 389 logins

Issues related to applications and software problems
awreneau
Posts: 1
Joined: 2020/02/19 15:26:29

Post by awreneau » 2020/02/19 20:08:07

With MS changes in LDAP binding imminent (see https://support.microsoft.com/en-us/hel ... or-windows and https://portal.msrc.microsoft.com/en-us ... /ADV190023), I've been tasked with ensuring that our LDAP connections from Linux hosts are made to port 636. I know that GSSAPI encrypts the connections on 389, but in short our AD team wants all traffic on 636.

Using the realm join command I'm able to join, at present, on port 389. I'll be adjusting the command accordingly going forward, but for the interim I'm tweaking the clients that are already members of the domain.

Here is my problem. With id_provider and auth_provider both set to ad, I can log in with my AD creds and look up users, run realm list and the like. As soon as I change both to ldap (which seems to stop the connection from being made on 389), I can still successfully log in, but no id nor realm list.

Below is the sssd.conf file:

Code:

[sssd]
domains = DOMAIN
config_file_version = 2
services = nss, pam
debug_level = 9

[nss]

[domain/DOMAIN]
debug_level = 9
ad_domain = DOMAIN
krb5_realm = DOMAIN
realmd_tags = manages-system joined-with-samba
cache_credentials = True
# ad is the working setting; the commented ldap line is the variant under test
id_provider = ad
#id_provider = ldap
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
ad_enable_gc = False
# same for the authentication provider
auth_provider = ad
#auth_provider = ldap
# explicit LDAPS endpoint on 636 and the CA used to verify it
ldap_uri = ldaps://DOMAIN:636
ldap_tls_cacert = /etc/openldap/cacerts/DOMAIN.pem
ad_hostname = FQDN

When I switch to ldap and restart sssd, I get the following in /var/log/sssd/sssd_domain.log:

Code:

[sssd[be[DOMAIN.com]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
[sssd[be[DOMAIN.com]]] [be_resolve_server_done] (0x1000): Server resolution failed: [5]: Input/output error
[sssd[be[DOMAIN.com]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
[sssd[be[DOMAIN.com]]] [be_mark_offline] (0x2000): Going offline!

krb5.conf:

Code:

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = true
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
 default_ccache_name = KEYRING:persistent:%{uid}

 dns_lookup_kdc = true
 default_realm = DOMAIN

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

 DOMAIN.COM = {
 }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
 domain.com = DOMAIN.COM
 .domain.com = DOMAIN.COM

And openldap.conf:

Code:

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE   dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/DOMAIN.pem

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
URI ldaps://DOMAIN:636
BASE dc=DOMAIN,dc=com

Thanks for the help.

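As an added example (not part of the post above and not SSSD project code), here is a small Python audit that reads an sssd.conf and reports, per domain, anything that would keep directory traffic off LDAPS on port 636: ldap:// URIs, ports other than 636, a missing ldap_uri (without one, SSSD discovers servers via DNS SRV and contacts them on ldap://...:389 unless the newer ad_use_ldaps option is set), an ldaps:// endpoint with no ldap_tls_cacert pinned, and an ldap_tls_reqcert value of never or allow, which would let an unverified server certificate through. The sssd.conf it parses is constructed for the example; the domain names and paths in it are placeholders, not taken from the thread.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample sssd.conf for this example (not the poster's file): one
# domain already pinned to LDAPS/636, one on plain LDAP, one relying on SRV
# discovery with lax certificate checking, and one local domain to be skipped.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = good.example.com, plain.example.com, srv.example.com, local
config_file_version = 2
services = nss, pam

[domain/good.example.com]
id_provider = ad
auth_provider = ad
ldap_uri = ldaps://dc1.good.example.com:636, ldaps://dc2.good.example.com
ldap_tls_cacert = /etc/openldap/cacerts/good.pem

[domain/plain.example.com]
id_provider = ad
auth_provider = ad
ldap_uri = ldap://dc1.plain.example.com

[domain/srv.example.com]
id_provider = ldap
auth_provider = krb5
ldap_tls_reqcert = allow

[domain/local]
id_provider = files
"""

DIRECTORY_PROVIDERS = {"ad", "ldap"}
LDAP_PORT, LDAPS_PORT = 389, 636


def parse_sssd_conf(text):
    """Parse sssd.conf text; sssd only uses '=' as the key/value separator."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep option names as written (sssd is case-sensitive)
    cp.read_string(text)
    return cp


def split_uris(value):
    """ldap_uri accepts a comma- or whitespace-separated list of URIs."""
    return value.replace(",", " ").split()


def check_uri(uri):
    """Findings for one ldap_uri entry that would keep traffic off LDAPS/636."""
    findings = []
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme != "ldaps":
        findings.append(f"{uri}: scheme '{scheme or 'none'}' is not ldaps")
    # No explicit port: libldap defaults to 636 for ldaps:// and 389 otherwise
    port = parts.port if parts.port is not None else (LDAPS_PORT if scheme == "ldaps" else LDAP_PORT)
    if port != LDAPS_PORT:
        findings.append(f"{uri}: connects on port {port}, not 636")
    return findings


def audit_domain(cp, section):
    """Findings for one [domain/...] section; an empty list means LDAPS/636 only."""
    provider = cp.get(section, "id_provider", fallback="").strip().lower()
    if provider not in DIRECTORY_PROVIDERS:
        return []  # files, proxy, ipa, ... are outside the scope of this check
    findings = []
    uris = split_uris(cp.get(section, "ldap_uri", fallback=""))
    # ad_use_ldaps (newer SSSD releases) makes SRV-discovered DCs use 636;
    # without it, and without ldap_uri, discovered servers are contacted on 389.
    uses_ldaps_flag = provider == "ad" and cp.getboolean(section, "ad_use_ldaps", fallback=False)
    if not uris and not uses_ldaps_flag:
        findings.append("no ldap_uri: SRV-discovered servers are contacted on ldap://...:389")
    for uri in uris:
        findings.extend(check_uri(uri))
    has_cacert = (cp.get(section, "ldap_tls_cacert", fallback="").strip()
                  or cp.get(section, "ldap_tls_cacertdir", fallback="").strip())
    if any(u.lower().startswith("ldaps://") for u in uris) and not has_cacert:
        findings.append("ldaps:// without ldap_tls_cacert/ldap_tls_cacertdir: "
                        "trust falls back to /etc/openldap/ldap.conf defaults")
    reqcert = cp.get(section, "ldap_tls_reqcert", fallback="hard").strip().lower()
    if reqcert in ("never", "allow"):
        findings.append(f"ldap_tls_reqcert = {reqcert}: server certificate is not enforced")
    return findings


def audit_sssd_conf(text):
    """Map each [domain/...] section to its list of findings."""
    cp = parse_sssd_conf(text)
    return {sec: audit_domain(cp, sec) for sec in cp.sections() if sec.startswith("domain/")}


if __name__ == "__main__":
    for domain, findings in audit_sssd_conf(SAMPLE_SSSD_CONF).items():
        print(f"{domain}: {'OK' if not findings else 'REVIEW'}")
        for finding in findings:
            print(f"  - {finding}")
```

To audit a real host, pass the contents of /etc/sssd/sssd.conf to audit_sssd_conf instead of the constructed sample. This is a static check of the configuration only; it says nothing about whether the endpoint actually answers, so pair it with a live probe such as openssl s_client -connect dc.example.com:636 (substitute your DC) to confirm the certificate chain validates against the pinned CA.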