Назад | Перейти на главную страницу

Sssd клиента FreeIPA не использует LDAPS

Что бы я ни пытался, я не могу заставить sssd подключиться к моему серверу ldap / FreeIPA через LDAPS / 636. Проверка отладки показывает, что sssd показывает, что он должен использовать 636 ... однако захват пакетов и lsof показывают иначе.

Клиент - RHEL6.4, sssd 1.9.2, ipa-client 3.0.0

фрагмент журналов sssd

(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_ldap._tcp.int.example.net'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.int.example.net'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'resolved'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'ipa01.int.example.net' in files
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [set_server_common_status] (0x0100): Marking server 'ipa01.int.example.net' as 'resolving name'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'ipa01.int.example.net' in files
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'ipa01.int.example.net' in DNS
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [set_server_common_status] (0x0100): Marking server 'ipa01.int.example.net' as 'name resolved'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [be_resolve_server_process] (0x0200): Found address for server ipa01.int.example.net: [192.168.1.51] TTL 86400
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [be_resolve_server_process] (0x0200): Found address for server ipa01.int.example.net: [192.168.1.51] TTL 86400
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/ipaclient01.int.example.net
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [child_sig_handler] (0x0100): child [30466] finished successfully.
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [fo_set_port_status] (0x0100): Marking port 636 of server 'ipa01.int.example.net' as 'working'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [set_server_common_status] (0x0100): Marking server 'ipa01.int.example.net' as 'working'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.

из sssd.conf

[domain/int.example.net]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = int.example.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipaclient01.int.example.net
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa01.int.example.net
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = int.example.net

SSSD связывается с FreeIPA через порт 389. Однако он всегда отправляет STARTTLS (см. ldap_tls_cacert option) сначала команда (связанный вопрос о stackoverflow) для инициирования TLS / SSL-соединения - аутентификация по незашифрованному каналу не выполняется.

Связанная информация в man sssd-ldap что также относится к провайдеру IPA:

   LDAP back end supports id, auth, access and chpass providers. If you want to authenticate against an LDAP server either TLS/SSL or LDAPS is
  required.  sssd does not support authentication over an unencrypted channel.