SSSD can't contact LDAP server

Solution Verified

Issue

  • We are currently trying to deploy SSSD for our LDAP connectivity using TLS/SSL. Everything used to work fine with nss_ldap as well as the OpenLDAP tools (ldapsearch...) and pam_ldap for authentication. But with SSSD we have the following error message in sssd_LDAP.log:
 [sssd[be[LDAP]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
 [sssd[be[LDAP]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'server123' in files
 [sssd[be[LDAP]]] [set_server_common_status] (0x0100): Marking server 'server123' as 'resolving name'
 [sssd[be[LDAP]]] [set_server_common_status] (0x0100): Marking server 'server123' as 'name resolved'
 [sssd[be[LDAP]]] [be_resolve_server_process] (0x0200): Found address for server server123: [9.2.65.10] TTL 7200
 [sssd[be[LDAP]]] [sdap_uri_callback] (0x0400): Constructed uri 'ldaps://server123:1636'
 [sssd[be[LDAP]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
 [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
 [sssd[be[LDAP]]] [sdap_process_result] (0x0040): ldap_result error: [Can't contact LDAP server]
 [sssd[be[LDAP]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
 [sssd[be[LDAP]]] [sdap_get_server_opts_from_rootdse] (0x0200): No known USN scheme is supported by this server!
 [sssd[be[LDAP]]] [sdap_get_server_opts_from_rootdse] (0x0200): Will use modification timestamp as usn!
 [sssd[be[LDAP]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
 [sssd[be[LDAP]]] [simple_bind_send] (0x0100): Executing simple bind as: cn=user,ou=linux,dc=example,dc=com
 [sssd[be[LDAP]]] [simple_bind_send] (0x0020): ldap_bind failed (-1)[Can't contact LDAP server]
 [sssd[be[LDAP]]] [fo_set_port_status] (0x0100): Marking port 1636 of server 'server123' as 'not working'
  • A higher debug level does not bring more information. We have tried to switch the "ldap_tls_reqcert" parameter to 'never' to bypass any potential certificate issue, without any improvement.

Here is the domain entry from sssd.conf:

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server123:1636
ldap_search_base = ou=lnix,dc=example,dc=com
ldap_default_bind_dn = cn=user,ou=linux,dc=example,dc=com
ldap_default_authtok = xxxx
ldap_tls_cacert = /etc/openldap/cacerts/server123_rootca.pem
enumerate = true
ldap_referrals = false
ldap_schema = rfc2307
debug_level = 6
ldap_tls_reqcert = never
  • Using this OpenLDAP configuration file, the following ldapsearch works fine and returns results correctly, as expected:
ldapsearch -x -D "cn=user,ou=linux,dc=example,dc=com" -w xxxxxx -b "ou=lnix,dc=example,dc=com" objectclass=*
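As an added triage aid (not part of the original report and not SSSD's own code), the script below parses back-end log lines in the format quoted above and pulls out the URI SSSD actually constructed, the first failure-level message, and the server/port the failover code marked 'not working'. The sample log text is constructed from the excerpt above; the failure mask follows SSSD's debug-level bitmask (0x0010 to 0x0080 are failure levels).

```python
import re

# Constructed sample: a trimmed copy of the sssd_LDAP.log excerpt quoted in the issue.
SAMPLE_LOG = """\
[sssd[be[LDAP]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
[sssd[be[LDAP]]] [be_resolve_server_process] (0x0200): Found address for server server123: [9.2.65.10] TTL 7200
[sssd[be[LDAP]]] [sdap_uri_callback] (0x0400): Constructed uri 'ldaps://server123:1636'
[sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
[sssd[be[LDAP]]] [sdap_process_result] (0x0040): ldap_result error: [Can't contact LDAP server]
[sssd[be[LDAP]]] [simple_bind_send] (0x0020): ldap_bind failed (-1)[Can't contact LDAP server]
[sssd[be[LDAP]]] [fo_set_port_status] (0x0100): Marking port 1636 of server 'server123' as 'not working'
"""

# One SSSD back-end log line: [sssd[be[<domain>]]] [<function>] (<level>): <message>
LINE_RE = re.compile(
    r"^\s*\[sssd\[be\[(?P<domain>[^\]]+)\]\]\]\s+\[(?P<func>[^\]]+)\]\s+"
    r"\((?P<level>0x[0-9a-fA-F]+)\):\s+(?P<msg>.*)$")

# Debug-level bits 0x0010..0x0080 are SSSD's fatal/critical/operation/minor failure levels.
FAILURE_MASK = 0x00F0

def parse_sssd_log(text):
    """Return a list of (function, level, message) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["func"], int(m["level"], 16), m["msg"]))
    return events

def triage(events):
    """Summarise what a troubleshooter needs first: the URI SSSD built from ldap_uri,
    the first failure-level message, and which server/port failover disabled."""
    summary = {"uri": None, "first_failure": None, "ports_down": []}
    for func, level, msg in events:
        uri = re.search(r"Constructed uri '([^']+)'", msg)
        if uri:
            summary["uri"] = uri.group(1)
        if level & FAILURE_MASK and summary["first_failure"] is None:
            summary["first_failure"] = f"{func}: {msg}"
        down = re.search(r"Marking port (\d+) of server '([^']+)' as 'not working'", msg)
        if down:
            summary["ports_down"].append((down.group(2), int(down.group(1))))
    return summary

if __name__ == "__main__":
    # Run against a real log with: triage(parse_sssd_log(open("/var/log/sssd/sssd_LDAP.log").read()))
    print(triage(parse_sssd_log(SAMPLE_LOG)))
```

The first failure here is raised by the rootDSE search, i.e. before the bind, which points at the transport (the TLS connection to port 1636) rather than at the bind credentials.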

Environment

  • Red Hat Enterprise Linux 6.4
  • SSSD 1.9
