On Nov 1, 2022, at 2:54 PM, Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote:

> --On Tuesday, November 1, 2022 7:16 PM +0000 jarett(a)bioteam.net wrote:
> Hi,
>
> I am attempting to have SSSD do logins to my OpenLDAP 2.6.3 installation,
> however, I get "permission denied" when trying to log in because SSSD is
> asking for a password policy, which the server does not appear to have by
> default. Notably, we don't really care what "policy" the server will
> claim to have, because password authentication is delegated via SASL to
> another server which ensures strong passwords. So I just need something
> that will "get past" whatever checks SSSD is doing. What LDIF config can
> I add to my configuration to allow SSSD to let users log in properly?
> You could simply load the ppolicy overlay in your configuration so that the control is available, regardless of whether you intend to use it.
How is this done? In the LTB distribution there is a ppolicy ldif in the schema directory
of openldap/etc; no such file exists for "vanilla" OpenLDAP and I'm not even
sure if it would be compatible.
The documentation describes the password policy overlay, but appears to be in conf format
rather than the ldifs we use now and there's no indication as to what sort of
"default" options would normally be associated with permitting a client to bind,
check passwords for login and allow or reject the login.
https://www.openldap.org/doc/admin26/overlays.html (section 12.10.2)

I imagine there must be a reference for this somewhere, as it has to be one of the most common LDAP use cases?
> However nothing in the log you provided shows there was any issue due to SSSD requesting it.
>
> The BIND operation was successful:
> Nov 01 18:16:58 ldapserver00 slapd[105481]: conn=2239 op=1 RESULT tag=97 err=0 qtime=0.000028 etime=0.000136 text=
>
> The SEARCH operation was successful:
> Nov 01 18:16:58 ldapserver00 slapd[105481]: conn=2239 op=2 SEARCH RESULT tag=101 err=0 qtime=0.000016 etime=0.000326 nentries=0 text=
>
> The biggest issue seems to be that it is configured to send invalid search filters, causing ZERO results to be returned (nentries=0 above):
> Nov 01 18:16:58 ldapserver00 slapd[105481]: conn=2239 op=2 SRCH base="ou=users,dc=clab,dc=lab" scope=2 deref=0 filter="(&(?objectClass=sudoRole)(|(&(!(?sudoHost=*))(cn=de>
> Nov 01 18:16:58 ldapserver00 slapd[105481]: conn=2239 op=2 SRCH attr=objectClass objectClass cn sudoCommand sudoHost sudoUser sudoOption sudoRunAs sudoRunAsUser sudoRunAs>
>
> Note that the "sudoRole" objectClass and the "sudoHost" attribute are not found.
> Note that "cn=de>" is not a valid filter.
Those were just truncated lines. Here is another example without the truncation:
Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1005 fd=14 ACCEPT from IP=10.8.8.202:35250 (IP=0.0.0.0:389)
Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1005 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1005 op=0 SRCH attr=* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domainControllerFunctionality defaultNamingContext lastUSN highestCommittedUSN
Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1005 op=0 SEARCH RESULT tag=101 err=0 qtime=0.000018 etime=0.000221 nentries=1 text=
Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1005 op=1 BIND dn="cn=admin,dc=clab,dc=lab" method=128
Nov 02 06:40:46 ldapserver00 slapd[109046]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1005 op=1 BIND dn="cn=admin,dc=clab,dc=lab" mech=SIMPLE bind_ssf=0 ssf=0
Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1005 op=1 RESULT tag=97 err=0 qtime=0.000018 etime=0.000106 text=
Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1005 op=2 UNBIND
Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1005 fd=14 closed
Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 fd=14 ACCEPT from IP=10.8.8.202:35260 (IP=0.0.0.0:389)
Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 op=0 SRCH attr=* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domainControllerFunctionality defaultNamingContext lastUSN highestCommittedUSN
Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 op=0 SEARCH RESULT tag=101 err=0 qtime=0.000016 etime=0.000145 nentries=1 text=
Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 op=1 BIND dn="cn=admin,dc=clab,dc=lab" method=128
Nov 02 06:40:46 ldapserver00 slapd[109046]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 op=1 BIND dn="cn=admin,dc=clab,dc=lab" mech=SIMPLE bind_ssf=0 ssf=0
Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 op=1 RESULT tag=97 err=0 qtime=0.000018 etime=0.000092 text=
Nov 02 06:40:46 ldapserver00 slapd[109046]: get_filter: conn 1006 unknown attribute type=sudoHost (17)
Nov 02 06:40:46 ldapserver00 slapd[109046]: get_ssa: conn 1006 unknown attribute type=sudoHost (17)
Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 op=2 SRCH base="ou=users,dc=clab,dc=lab" scope=2 deref=0 filter="(&(?objectClass=sudoRole)(|(&(!(?sudoHost=*))(cn=defaults))(?sudoHost=ALL)(?sudoHost=ldapclient)(?sudoHost=ldapclient)(?sudoHost=10.8.8.202)(?sudoHost=10.8.8.0/24)(?sudoHost=fe80::f9:c8ff:fe92:990d)(?sudoHost=fe80::/64)(?sudoHost=+*)))"
Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 op=2 SRCH attr=objectClass objectClass cn sudoCommand sudoHost sudoUser sudoOption sudoRunAs sudoRunAsUser sudoRunAsGroup sudoNotBefore sudoNotAfter sudoOrder modifyTimestamp
Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 op=2 SEARCH RESULT tag=101 err=0 qtime=0.000018 etime=0.000227 nentries=0 text=
Nov 02 06:42:03 ldapserver00 slapd[109046]: conn=1006 op=3 UNBIND
Nov 02 06:42:03 ldapserver00 slapd[109046]: conn=1006 fd=14 closed
I note in the SSSD documentation it says it will not perform authentication binds in
cleartext. I think(?) I am running the server with SSL but not START-TLS.
Jarett T. DeAngelis, MS
Scientific Systems Engineer
Email: jarett(a)bioteam.net <mailto:jarett@bioteam.net>
M: +1.646.417.2165
bioteam.net <https://www.bioteam.net/>
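The thread turns on three things that can be read straight out of the slapd stats log quoted above: the Password Policy Request control (OID 1.3.6.1.4.1.42.2.27.8.5.1) that SSSD attaches to its BIND and that slapd reports as unrecognized because no loaded overlay advertises it (the bind still returns err=0, since the control is non-critical); the `?`-prefixed terms in the sudo search filter, which mean slapd has no schema for `sudoRole`/`sudoHost` and so the search can only return nentries=0; and `mech=SIMPLE bind_ssf=0 ssf=0` on the port-389 connection, which means the admin password crossed the wire in cleartext. The following script, an added example and not code from the OpenLDAP project or from either participant, triages a slapd log for those three findings and also emits the cn=config LDIF that answers the original question (loading slapo-ppolicy; in OpenLDAP 2.5 and later the pwdPolicy schema is compiled into the overlay, which is why vanilla 2.6 ships no ppolicy.ldif). The sample log lines are a subset of the thread's conn=1006 with journald wrapping undone; the database DN `olcDatabase={1}mdb` and the `cn=module{0}` entry are assumptions about the target server, and the control-OID table lists only OIDs the example's author is certain of.

```python
"""Triage of slapd stats-log lines for the three things the thread above turns
on, plus the cn=config LDIF the question asks for.  Added example, not code
from the OpenLDAP project or from either participant.  Sample log lines are
copied from the thread (journald wrapping undone); control-OID names cover
only OIDs the example's author is sure of."""
import re
from dataclasses import dataclass, field

# Request controls that slapd reports as "unrecognized" when nothing loaded
# advertises them.  The first is the one SSSD sends on BIND.
KNOWN_CONTROLS = {
    "1.3.6.1.4.1.42.2.27.8.5.1": "Password Policy Request (provided by slapo-ppolicy)",
    "1.2.840.113556.1.4.319": "Paged Results",
    "2.16.840.1.113730.3.4.2": "ManageDsaIT",
}

RE_UNREC = re.compile(r"unrecognized control: ([\d.]+)")
RE_BIND = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" mech=(\w+) bind_ssf=(\d+) ssf=(\d+)')
RE_SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="[^"]*" .*filter="(.*)"')
RE_RESULT = re.compile(r"conn=(\d+) op=(\d+) SEARCH RESULT .*nentries=(\d+)")
# slapd prefixes a filter term with '?' when it has no schema for it.
RE_UNDEF = re.compile(r"\(\?([A-Za-z][\w;-]*)=([^()]*)")


@dataclass
class Triage:
    unrecognized_controls: dict = field(default_factory=dict)  # oid -> description
    undefined_in_filters: dict = field(default_factory=dict)   # (conn, op) -> names
    cleartext_binds: list = field(default_factory=list)        # (conn, op, dn)
    empty_searches: list = field(default_factory=list)         # (conn, op): undefined terms and nentries=0


def undefined_terms(filter_text):
    """Names slapd flagged in a logged filter: '?attr=' is an attribute type
    with no schema loaded; '?objectClass=X' means X is an unknown object class."""
    names = set()
    for attr, value in RE_UNDEF.findall(filter_text):
        names.add(value if attr.lower() == "objectclass" else attr)
    return sorted(names)


def triage(lines):
    t = Triage()
    for line in lines:
        if m := RE_UNREC.search(line):
            t.unrecognized_controls[m.group(1)] = KNOWN_CONTROLS.get(m.group(1), "unknown OID")
        elif m := RE_BIND.search(line):
            conn, op, dn, mech, _bind_ssf, ssf = m.groups()
            # ssf=0: no TLS and no SASL layer, so a SIMPLE bind sent the password in the clear.
            if mech == "SIMPLE" and int(ssf) == 0:
                t.cleartext_binds.append((int(conn), int(op), dn))
        elif m := RE_SRCH.search(line):
            conn, op, flt = m.groups()
            names = undefined_terms(flt)
            if names:
                t.undefined_in_filters[(int(conn), int(op))] = names
        elif m := RE_RESULT.search(line):
            conn, op, n = (int(x) for x in m.groups())
            if n == 0 and (conn, op) in t.undefined_in_filters:
                t.empty_searches.append((conn, op))
    return t


def ppolicy_overlay_ldif(db_dn="olcDatabase={1}mdb,cn=config", default_policy=None):
    """cn=config LDIF that loads slapo-ppolicy on one database so the
    Password Policy control is advertised.  The database DN and the
    cn=module{0} entry (dynamic-module build) are assumptions; confirm
    them with `slapcat -n0` and apply with `ldapmodify -Y EXTERNAL -H ldapi:///`."""
    records = [
        "dn: cn=module{0},cn=config\nchangetype: modify\nadd: olcModuleLoad\nolcModuleLoad: ppolicy.la\n",
        f"dn: olcOverlay=ppolicy,{db_dn}\nchangetype: add\nobjectClass: olcOverlayConfig\n"
        "objectClass: olcPPolicyConfig\nolcOverlay: ppolicy\n",
    ]
    if default_policy:  # optional: DN of a pwdPolicy entry used for users without pwdPolicySubentry
        records[1] += f"olcPPolicyDefault: {default_policy}\n"
    return "\n".join(records)


# Constructed sample: a subset of the thread's conn=1006, unwrapped.
SAMPLE = """\
Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 fd=14 ACCEPT from IP=10.8.8.202:35260 (IP=0.0.0.0:389)
Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 op=1 BIND dn="cn=admin,dc=clab,dc=lab" method=128
Nov 02 06:40:46 ldapserver00 slapd[109046]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 op=1 BIND dn="cn=admin,dc=clab,dc=lab" mech=SIMPLE bind_ssf=0 ssf=0
Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 op=1 RESULT tag=97 err=0 qtime=0.000018 etime=0.000092 text=
Nov 02 06:40:46 ldapserver00 slapd[109046]: get_filter: conn 1006 unknown attribute type=sudoHost (17)
Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 op=2 SRCH base="ou=users,dc=clab,dc=lab" scope=2 deref=0 filter="(&(?objectClass=sudoRole)(|(&(!(?sudoHost=*))(cn=defaults))(?sudoHost=ALL)(?sudoHost=ldapclient)))"
Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 op=2 SEARCH RESULT tag=101 err=0 qtime=0.000018 etime=0.000227 nentries=0 text=
"""

if __name__ == "__main__":
    t = triage(SAMPLE.splitlines())
    for oid, what in t.unrecognized_controls.items():
        print(f"unrecognized control {oid}: {what}")
    for (conn, op), names in t.undefined_in_filters.items():
        print(f"conn={conn} op={op}: filter uses schema slapd lacks: {', '.join(names)}")
    for conn, op, dn in t.cleartext_binds:
        print(f"conn={conn} op={op}: SIMPLE bind for {dn} with ssf=0 (password sent in cleartext)")
    print(ppolicy_overlay_ldif())
```

Run against the sample, the script reports the ppolicy control as unrecognized, `sudoHost` and `sudoRole` as schema slapd does not have (the fix for the empty sudo search is loading the sudo schema on the server, or pointing SSSD's sudo provider elsewhere, not anything to do with ppolicy), and the admin bind as a cleartext credential on port 389. That last finding is independent of the SSSD problem and is worth fixing first: point SSSD at `ldaps://` or enable StartTLS so that `ssf` is non-zero before any SIMPLE bind is accepted. The generated LDIF only makes slapd advertise and process the control; it does not enforce a policy unless `olcPPolicyDefault` names a `pwdPolicy` entry or a user carries `pwdPolicySubentry`.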