No matter what I try I am unable to get sssd to connect to my ldap/FreeIPA server via LDAPS/636. Checking debug shows that sssd is showing that it should be using 636… however packet captures and lsof show otherwise.
Client is RHEL6.4, sssd 1.9.2, ipa-client 3.0.0
snippit of sssd logs
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolve_srv_send] (0x0200): The status of SRV lookup is neutral
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolve_srv_cont] (0x0100): Searching for servers via SRV query '_ldap._tcp.int.example.net'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.int.example.net'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'resolved'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'ipa01.int.example.net' in files
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [set_server_common_status] (0x0100): Marking server 'ipa01.int.example.net' as 'resolving name'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve AAAA record of 'ipa01.int.example.net' in files
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 'ipa01.int.example.net' in DNS
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [set_server_common_status] (0x0100): Marking server 'ipa01.int.example.net' as 'name resolved'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [be_resolve_server_process] (0x0200): Found address for server ipa01.int.example.net: [192.168.1.51] TTL 86400
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'IPA'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [resolve_srv_send] (0x0200): The status of SRV lookup is resolved
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [be_resolve_server_process] (0x0200): Found address for server ipa01.int.example.net: [192.168.1.51] TTL 86400
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [sasl_bind_send] (0x0100): Executing sasl bind mech: GSSAPI, user: host/ipaclient01.int.example.net
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [child_sig_handler] (0x0100): child [30466] finished successfully.
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [fo_set_port_status] (0x0100): Marking port 636 of server 'ipa01.int.example.net' as 'working'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [set_server_common_status] (0x0100): Marking server 'ipa01.int.example.net' as 'working'
(Wed Apr 23 09:35:35 2014) [sssd[be[int.example.net]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
from sssd.conf
[domain/int.example.net]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = int.example.net
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipaclient01.int.example.net
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa01.int.example.net
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = int.example.net
Best Answer
SSSD communicates with FreeIPA via 389 port. However, it always sends the STARTTLS (see
ldap_tls_cacertoption) command first (related question on stackoverflow) to initiate TLS/SSL connection - it does not perform authentication over unencrypted channel.Related info in
man sssd-ldapwhich also applies to IPA provider: