SLE 12 Ldap Authentication to clustered LDAP Server



jqueiroz
03-Jun-2015, 21:09
Hi,

I need to set up LDAP Authentication to a SLE12 server. My LDAP server is a cluster-based OES 2 SP3 server.

Here's my sssd.conf:


[domain/MyLDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldap://ldap.mydomain
ldap_default_base_dn = cn=LDAP,o=MyOrg
ldap_search_base = o=MyOrg
ldap_tls_cacert = /etc/sssd/certs/O=MyOrg,OU=OrganizationalCA.pem
ldap_tls_cacertdir = /etc/sssd/certs
debug_level = 20
case_sensitive = true
create_homedir = true
enumerate = true
cache_credentials = false
ldap_id_use_start_tls = true
tls_reqcert = allow
ldap_pwd_policy = none
ldap_network_timeout = 3
access_provider = ldap
ldap_access_filter = (|(groupMembership=cn=LDAPEnabledUsers,ou=Groups,o=MyOrg))


I have two OES 2 SP3 Servers (server1 and server2) working on a NCS Cluster. The FQDN "ldap.mydomain" points to the Cluster's "Master IP Address", so the active server will answer ldap requests.

This used to work on SLE10 and SLE11 (without TLS), but now that I'm installing SLE12, I'm facing problems.

When I set up SSSD to use the neutral address, I got the error below:


sle12server sssd[be[MyLDAP]]: Could not start TLS encryption. TLS: hostname does not match CN in peer certificate

I understand that I'm getting this error because the active server isn't presenting itself as "ldap.mydomain", but "CN=server1,O=MyORG" (or "CN=server2,O=MyORG" if this is the active server). For instance, if I point "ldap_uri" to server1, authentication works; but what if server1 is offline?

So, I need help to make SSSD accept the server certificates, or maybe try to authenticate in both servers.

Can anyone help me?

jqueiroz
03-Jun-2015, 21:27
Thank you to all who tried to help me. I found in "sssd-ldap" that the "ldap_uri" parameter may receive a comma-separated list of LDAP servers. The solution was:


ldap_uri=ldaps://server1.mydomain,ldaps://server2.mydomain

Now I can progress to other tunings like creation of home directories and server timeouts.
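One way to see, before touching any verification setting, which entries of an ldap_uri list would pass TLS hostname verification against the certificate each endpoint presents. This is an added example, not code from the thread or from SSSD; the certificate name sets (CN plus subjectAltName dNSNames), the active-node choice and the simulated_peer_cert stand-in for "connect and read the peer certificate" are constructed assumptions. It reproduces both situations above: the cluster name ldap.mydomain failing because the active node presents its own certificate, and the comma-separated list of the real node names passing. It also shows the third option the thread does not spell out: a node certificate that carries the cluster name as an additional dNSName passes with the cluster address too.

```python
"""Hostname-verification check for the hostnames in an sssd ldap_uri list.

Added example with constructed data; the certificate names below are
assumptions for illustration, not taken from the original thread.
"""
from urllib.parse import urlsplit

# Constructed: the names each cluster node's certificate presents.
# "cn" is the subject CN, "san" the subjectAltName dNSName entries.
NODE_CERTS = {
    "server1.mydomain": {"cn": "server1", "san": ["server1.mydomain"]},
    "server2.mydomain": {"cn": "server2", "san": ["server2.mydomain"]},
}

# Constructed: which node currently holds the cluster's master IP address.
ACTIVE_NODE = "server1.mydomain"


def simulated_peer_cert(host):
    """Stand-in for opening a TLS session to `host` and reading the peer
    certificate. The cluster name resolves to the master IP, so the active
    node answers with its own certificate, not one issued for ldap.mydomain."""
    if host == "ldap.mydomain":
        return NODE_CERTS[ACTIVE_NODE]
    return NODE_CERTS[host]


def hostname_matches(hostname, cert):
    """RFC 6125 style matching as TLS clients apply it: dNSName SANs are
    authoritative when present and the CN is only consulted when the
    certificate has no dNSName; a wildcard matches exactly one leftmost label."""
    host = hostname.lower().rstrip(".")
    sans = [n.lower() for n in cert.get("san", [])]
    candidates = sans if sans else [cert["cn"].lower()]
    for name in candidates:
        if name.startswith("*."):
            suffix = name[1:]                      # ".mydomain"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif name == host:
            return True
    return False


def parse_ldap_uri(value):
    """Split the comma-separated ldap_uri value that sssd-ldap(5) accepts."""
    return [u.strip() for u in value.split(",") if u.strip()]


def check_uris(ldap_uri, peer_cert_for):
    """Return {uri: True/False}: whether the hostname in each URI would verify
    against the certificate the endpoint presents. `peer_cert_for` is the
    function that retrieves the peer certificate for a hostname."""
    results = {}
    for uri in parse_ldap_uri(ldap_uri):
        host = urlsplit(uri).hostname
        results[uri] = hostname_matches(host, peer_cert_for(host))
    return results


if __name__ == "__main__":
    # The original setting: the cluster name, answered by the active node.
    print(check_uris("ldap://ldap.mydomain", simulated_peer_cert))
    # The thread's solution: list the real node names.
    print(check_uris("ldaps://server1.mydomain,ldaps://server2.mydomain",
                     simulated_peer_cert))
    # Constructed alternative: a node certificate that also carries the
    # cluster name as a dNSName verifies under the cluster address as well.
    cluster_aware = {"cn": "server1", "san": ["server1.mydomain", "ldap.mydomain"]}
    print(hostname_matches("ldap.mydomain", cluster_aware))
```

With the constructed data the first call reports False for ldap://ldap.mydomain, the second True for both node URIs, and the cluster-aware certificate True; SSSD's own check is done inside libldap, so the result here only predicts which entries it would accept with verification left on.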

hangarbait
16-Jun-2016, 23:41
For this use case, where the LDAP ID and AUTH providers are being used, I would do the following to implement the functionality expressed.

Use the following directive to address the TLS errors due to the cert cn mismatches:

ldap_tls_reqcert = never

To accommodate the eventuality of an LDAP server being down, the SSSD offline authentication capabilities can be used.

Set the following directive to true:

cache_credentials = true

If the LDAP server contacted was down or didn't respond, SSSD would authenticate users from its cache, provided the user has logged in before and is cached.

If SSSD is used to cache users, the Name Service Caching Daemon (nscd) should be disabled, or at a minimum have user and group caching disabled.


-- lawrence
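The two settings suggested in this thread side by side, as an added sssd.conf fragment (not posted by either participant). Keys are the documented sssd-ldap(5) ones; the file paths and host names are the thread's, and the CA file name is assumed to be the one from the original post. `ldap_tls_reqcert = never` makes libldap accept any server certificate, so the "hostname does not match CN" error disappears together with the check that produced it; the second domain keeps `demand`, which is the default, and avoids the mismatch by naming the real nodes in `ldap_uri`, so failover and certificate verification work at the same time. `cache_credentials` covers the case where neither node answers.

```ini
; Weak setting: the TLS session is still encrypted, but the peer certificate
; is not verified, so any server answering on the master IP is accepted.
[domain/MyLDAP-never]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.mydomain
ldap_id_use_start_tls = true
ldap_tls_reqcert = never
cache_credentials = true

; Verified setting: list both cluster nodes under the names their
; certificates carry; SSSD tries them in order and fails over itself.
[domain/MyLDAP-demand]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server1.mydomain,ldaps://server2.mydomain
ldap_tls_cacert = /etc/sssd/certs/O=MyOrg,OU=OrganizationalCA.pem
ldap_tls_reqcert = demand
ldap_network_timeout = 3
; Offline logins for users who have authenticated at least once before.
cache_credentials = true
```

Only one `[domain/...]` section per directory is needed in a real file; the two are shown together here so the differing lines can be compared. With `cache_credentials = true`, sssd_cache and the nscd setting from the post above still apply.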