
I'm trying to configure an LDAP client on a CentOS 8.2 machine, using SSSD.

The server doesn't use TLS or SSL.

I have modified the following configuration files:

/etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = nss, pam
domains = default
reconnection_retries = 3
sbus_timeout = 30

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3
offline_credentials_expiration = 60

[domain/default]
ldap_schema = rfc2307
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://[...]
ldap_search_base = dc=[...]
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
cache_credentials = True
ldap_tls_reqcert = never
ldap_search_timeout = 50
ldap_network_timeout = 60

/etc/openldap/ldap.conf

URI ldap://[...]
BASE dc=[...]
TLS_CACERTDIR /etc/openldap/cacerts

I also ran this command to select SSSD:

$ authselect select sssd --force

And restarted the SSSD service.

When I do an id <user> with an LDAP user, it returns the information I'm expecting.

However, when attempting to log in with an LDAP user on this machine, all I get after typing the password is the following error:

Permission denied, please try again.

When looking into the LDAP server logs, there are the following lines:

Nov 27 16:50:23 slapd[22838]: conn=7291 fd=34 ACCEPT from IP=193.51.99.18:40034 (IP=0.0.0.0:389)
Nov 27 16:50:23  slapd[22838]: conn=7291 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Nov 27 16:50:23  slapd[22838]: conn=7291 op=0 SRCH attr=* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domainControllerFunctionality defaultNamingContext lastUSN highestCommittedUSN
Nov 27 16:50:23  slapd[22838]: conn=7291 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 27 16:50:23  slapd[22838]: get_filter: conn 7291 unknown attribute type=sudoHost (17)
Nov 27 16:50:23  slapd[22838]: get_ssa: conn 7291 unknown attribute type=sudoHost (17)
Nov 27 16:50:23  slapd[22838]: get_ssa: conn 7291 unknown attribute type=sudoHost (17)
Nov 27 16:50:23  slapd[22838]: get_ssa: conn 7291 unknown attribute type=sudoHost (17)
Nov 27 16:50:23  slapd[22838]: get_ssa: conn 7291 unknown attribute type=sudoHost (17)
Nov 27 16:50:23  slapd[22838]: get_ssa: conn 7291 unknown attribute type=sudoHost (17)
Nov 27 16:50:23  slapd[22838]: conn=7291 op=1 SRCH base="dc=[...]" scope=2 deref=0 filter="(&(?objectClass=sudoRole)(|(&(!(?sudoHost=
*))(cn=defaults))(?sudoHost=ALL)(?sudoHost=[...])(?sudoHost=[...])(?sudoHost=10.0.0.254)(?sudoHost=10.0.0.0/24)(?sudoH
ost=10.75.1.18)(?sudoHost=10.75.1.0/25)(?sudoHost=193.51.99.18)(?sudoHost=193.51.99.0/24)(?sudoHost=10.0.1.254)(?sudoHost=10.0.1.0/24)(?sud
oHost=192.168.122.1)(?sudoHost=192.168.122.0/24)(?sudoHost=+*)(|(?sudoHost=*\5C*)(?sudoHost=*?*)(?sudoHost=*\2A*)(?sudoHost=*[*]*))))"
Nov 27 16:50:23 slapd[22838]: conn=7291 op=1 SRCH attr=objectClass objectClass cn sudoCommand sudoHost sudoUser sudoOption sudoRunA
s sudoRunAsUser sudoRunAsGroup sudoNotBefore sudoNotAfter sudoOrder modifyTimestamp
Nov 27 16:50:23 slapd[22838]: conn=7291 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=

From what I can understand, the server doesn't understand some attributes the client is looking for, but I'm not sure, and I didn't find any information concerning this kind of error.

Does anyone know what could be the issue here? Thanks!

miken32
antoineh
  • What does your /etc/nsswitch say for passwd, shadow and group? This is what mine has: passwd: sss files systemd shadow: sss files group: sss files systemd – Logan Dec 04 '20 at 14:04
  • One more thing, unknown attribute type=sudoHost is an error on the ldap server and doesn't really apply in this case since your sssd file does not include sudo in the services section – Logan Dec 04 '20 at 14:13

1 Answer

sssd does not support LDAP authentication over unencrypted connections.

From sssd-ldap(5) man page:

If you want to authenticate against an LDAP server either TLS/SSL or LDAPS is required. sssd does not support authentication over an unencrypted channel. If the LDAP server is used only as an identity provider, an encrypted channel is not needed. Please refer to “ldap_access_filter” config option for more information about using LDAP as an access provider.

Kevin S
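An added example, not part of the original question or answer, that turns the man-page requirement into a check: it parses an sssd.conf with Python's configparser and flags LDAP auth domains whose channel is plain ldap:// without STARTTLS, or whose ldap_tls_reqcert lets an unverified server certificate through. The two embedded configs are constructed (placeholder hostname, base DN and CA path); the first mirrors the asker's settings, the second shows the corrected domain.

```python
import configparser

# Constructed sample modelled on the question's [domain/default] (placeholders,
# not the asker's real host or base DN). Plain ldap:// with STARTTLS disabled
# and certificate checking turned off.
WEAK_CONF = """
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.internal
ldap_search_base = dc=example,dc=internal
ldap_id_use_start_tls = False
ldap_tls_reqcert = never
"""

# The same domain with an encrypted, verified channel as sssd-ldap(5) requires.
FIXED_CONF = """
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.internal
ldap_search_base = dc=example,dc=internal
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
"""


def audit_sssd_ldap_auth(conf_text):
    """Return (domain, finding) pairs for LDAP auth domains whose channel is
    unencrypted (sssd will refuse to authenticate) or not certificate-verified."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        # sssd uses id_provider when auth_provider is not set explicitly
        if d.get("auth_provider", d.get("id_provider", "")).strip() != "ldap":
            continue
        start_tls = d.getboolean("ldap_id_use_start_tls", fallback=False)
        for uri in (u.strip() for u in d.get("ldap_uri", "").split(",")):
            if uri.startswith("ldap://") and not start_tls:
                findings.append((section, f"{uri}: plain LDAP without STARTTLS"))
        # default is "hard"; "never"/"allow" accept a missing or bad certificate
        if d.get("ldap_tls_reqcert", "hard").strip() in ("never", "allow"):
            findings.append((section, "ldap_tls_reqcert does not verify the server"))
    return findings
```

With the real file, `audit_sssd_ldap_auth(open("/etc/sssd/sssd.conf").read())` returns an empty list once the domain is fixed.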