服务器 Gind.cn
  1. 服务器 Gind.cn
  3. FreeIPA客户端的sssd不使用LDAPS
Intereting Posts
比赛结束后grep线 Linux服务器迁移核对清单 强制AD安全组更改显示在Exchange中 访问Linux机器上的文件,在Windows资源pipe理器中使用UNCpath 将常见的Web应用程序代码分享给许多Web服务器 我该如何防止OpenVPN破坏本地路由? VMWare客户信息 – 错误的IP返回 在哪个帐户下启动和closures脚本在Windows 7和XP上执行? 什么是推荐的图像networking服务器? Sql Express 2012升级到SP1 在CentOS 5.3中启动kde的正确方法是? Debian Jessie无法安装openjdk-8-jre-headless Nginx:如何在多个位置重新使用此代理传递configuration? 如何查看数字证书.cer文件的详细信息? 如果通过身份validation,Microsoft TMG 2010 Sp1会覆盖吗?

FreeIPA客户端的sssd不使用LDAPS

无论我尝试什么,我都无法通过LDAPS / 636将sssd连接到我的ldap / FreeIPA服务器。 检查debugging显示sssd显示它应该使用636 …但是数据包捕获和lsof显示否则。

客户端是RHEL6.4,sssd 1.9.2,ipa-client 3.0.0

sssd日志的snippit 

(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral (Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_ldap._tcp.int.example.net' (Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.int.example.net' (Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'resolved' (Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'ipa01.int.example.net' in files (Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [set_server_common_status] (0x0100): Marking server 'ipa01.int.example.net' as 'resolving name' (Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'ipa01.int.example.net' in files (Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry (Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'ipa01.int.example.net' in DNS (Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [set_server_common_status] (0x0100): Marking server 'ipa01.int.example.net' as 'name resolved' (Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [be_resolve_server_process] (0x0200): Found address for server ipa01.int.example.net: [192.168.1.51] TTL 86400 (Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA' (Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved (Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [be_resolve_server_process] (0x0200): Found address for server ipa01.int.example.net: [192.168.1.51] TTL 86400 (Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900 (Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/ipaclient01.int.example.net (Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [child_sig_handler] (0x0100): child [30466] finished successfully. (Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [fo_set_port_status] (0x0100): Marking port 636 of server 'ipa01.int.example.net' as 'working' (Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [set_server_common_status] (0x0100): Marking server 'ipa01.int.example.net' as 'working' (Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.

从sssd.conf 

 [domain/int.example.net] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = int.example.net id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = ipaclient01.int.example.net chpass_provider = ipa ipa_dyndns_update = True ipa_server = _srv_, ipa01.int.example.net ldap_tls_cacert = /etc/ipa/ca.crt [sssd] services = nss, pam, ssh config_file_version = 2 domains = int.example.net

SSSD通过389端口与FreeIPA进行通信。 但是,它始终首先发送STARTTLS(请参阅ldap_tls_cacert选项)命令( 有关stackoverflow的问题 )以启动TLS / SSL连接 – 它不会通过未encryption的通道执行身份validation。

man sssd-ldap中也适用于IPA提供者的相关信息: 

  LDAP back end supports id, auth, access and chpass providers. If you want to authenticate against an LDAP server either TLS/SSL or LDAPS is required. sssd does not support authentication over an unencrypted channel.