
sssd on a FreeIPA client is not using LDAPS

No matter what I try, I cannot get sssd to connect to the ldap/FreeIPA server over LDAPS/636. Checking the debug output, sssd indicates that it should be using 636... but a packet capture and lsof show that it is not.

The client is RHEL 6.4, sssd 1.9.2, ipa-client 3.0.0.

Excerpt from the sssd log

(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_ldap._tcp.int.example.net'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.int.example.net'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'resolved'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'ipa01.int.example.net' in files
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [set_server_common_status] (0x0100): Marking server 'ipa01.int.example.net' as 'resolving name'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'ipa01.int.example.net' in files
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'ipa01.int.example.net' in DNS
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [set_server_common_status] (0x0100): Marking server 'ipa01.int.example.net' as 'name resolved'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [be_resolve_server_process] (0x0200): Found address for server ipa01.int.example.net: [192.168.1.51] TTL 86400
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [be_resolve_server_process] (0x0200): Found address for server ipa01.int.example.net: [192.168.1.51] TTL 86400
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: Host/ipaclient01.int.example.net
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [child_sig_handler] (0x0100): child [30466] finished successfully.
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [fo_set_port_status] (0x0100): Marking port 636 of server 'ipa01.int.example.net' as 'working'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [set_server_common_status] (0x0100): Marking server 'ipa01.int.example.net' as 'working'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.

From sssd.conf

[domain/int.example.net]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = int.example.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipaclient01.int.example.net
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa01.int.example.net
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = int.example.net
1
Nick R

SSSD communicates with FreeIPA over port 389. However, it always sends a STARTTLS command first to initiate a TLS/SSL connection (see the ldap_tls_cacert option; related question on stackoverflow) - it does not perform authentication over an unencrypted channel.

Relevant information from man sssd-ldap, which also applies to the IPA provider:

   LDAP back end supports id, auth, access and chpass providers. If you want to authenticate against an LDAP server either TLS/SSL or LDAPS is
   required. sssd does not support authentication over an unencrypted channel.
2
Martin Kosek