LDAP authentication

We finally got our hard copy of Leap 42.1 delivered two weeks ago and I am planning to update a
workstation which does not play nice with 13.2 installed.

This brought me back to the problem of authenticating users through LDAP.
With legacy workstations running OS 11.4 I did not implement SSL/TLS encryption
when I updated the server to OS 13.2.

Now I’m trying to use the Yast Authentication Client module in Leap 42.1 to set up LDAP authentication.
Following the steps described here https://forums.opensuse.org/showthread.php/502305-Setting-up-LDAP-on-13-2/page2
(post #6), a su from the local root account works as intended.

If I try to do the same from the account of a common user I get

su: Authentifizierungsdienst kann Authentifizierungsinformationen nicht abrufen

(or in English: authentication service can't retrieve authentication information)
Is there a permission problem somewhere I’m not aware of? (I did set the computer type to “roaming device” in Yast Security Center and Hardening)

Any ideas?

On Wed, 25 Nov 2015 16:56:04 +0000, Aquinox wrote:

> Any ideas?

Another user had reported a similar issue, but I think indicated an
update resolved that issue - are you fully updated?

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

Thanks for the info and no I did not update the system beforehand.

Alas, after updating it the problem persists!
After a failed su from a local unprivileged user to an LDAP user I checked the output of “systemctl status sssd.service”

solid06:/etc/sssd # systemctl status sssd.service
...
Nov 27 14:05:37 solid06 sssd[be[1989]: Could not start TLS encryption. unsupported extended operation

So it seems that sssd tries to connect to the LDAP server using TLS (which is the default for sssd) but fails because the server is not set up for that.

I’d like to circumvent the default requirement for TLS.

My previous workaround for OS 12.3-13.2 seems to work fine but requires quite a bit of editing
and I’d like to have a “point-and-click-adventure” to make it easier for whomever is going to be my successor as a part-time sysadmin.
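The log line above is the server's answer to sssd's StartTLS request: StartTLS is an LDAP extended operation, and a server that was never configured for TLS rejects it. The probe below is an added example, not code from this thread or from sssd/openSUSE. It hand-encodes the RFC 4511 StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037), sends it to the plain port, decodes the ExtendedResponse, and separately opens a verified TLS session on the ldaps port, so an admin can see which of the two a server actually supports before touching the client configuration. The host name in the main block is a placeholder, and the two canned replies are constructed for offline use.

```python
"""Probe an LDAP server for StartTLS (port 389) and for ldaps (port 636).

Added example, not code from the forum thread or from the sssd project.
"""
import socket
import ssl
from typing import Optional, Tuple

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"


def _tlv(tag: int, payload: bytes) -> bytes:
    """Minimal BER TLV encoder (definite length, long form when needed)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        size = (n.bit_length() + 7) // 8
        length = bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + length + payload


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one TLV at buf[pos]; returns (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        size = length & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] } }."""
    request_name = _tlv(0x80, STARTTLS_OID)      # [0] LDAPOID, primitive
    extended_req = _tlv(0x77, request_name)      # APPLICATION 23, constructed
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + extended_req)


def parse_extended_response(data: bytes) -> Tuple[int, str]:
    """Return (resultCode, diagnosticMessage) from an ExtendedResponse [APPLICATION 24]."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _msg_id, pos = _read_tlv(body, 0)
    op_tag, op, _ = _read_tlv(body, pos)
    if op_tag != 0x78:
        raise ValueError(f"unexpected protocolOp tag 0x{op_tag:02x}")
    _, code, pos = _read_tlv(op, 0)          # ENUMERATED resultCode
    _, _matched_dn, pos = _read_tlv(op, pos)  # OCTET STRING matchedDN
    _, diagnostic, _ = _read_tlv(op, pos)     # OCTET STRING diagnosticMessage
    return int.from_bytes(code, "big"), diagnostic.decode("utf-8", "replace")


def probe_starttls(host: str, port: int = 389, timeout: float = 5.0) -> Tuple[int, str]:
    """Ask the server to start TLS on the plain port; resultCode 0 means supported."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        return parse_extended_response(sock.recv(4096))


def probe_ldaps(host: str, port: int = 636, cafile: Optional[str] = None) -> str:
    """Open a *verified* TLS session on the ldaps port and return the negotiated version."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5.0) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


# Constructed replies for offline use: a server without TLS answering
# protocolError (2) with the diagnostic seen in the thread, and a TLS-capable
# server answering success (0) with responseName [10].
REPLY_NO_TLS = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(
    0x78, _tlv(0x0A, b"\x02") + _tlv(0x04, b"") + _tlv(0x04, b"unsupported extended operation")))
REPLY_OK = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(
    0x78, _tlv(0x0A, b"\x00") + _tlv(0x04, b"") + _tlv(0x04, b"") + _tlv(0x8A, STARTTLS_OID)))

if __name__ == "__main__":
    # Placeholder host: replace with your own LDAP server.
    host = "ldap.example.invalid"
    try:
        print(host, "StartTLS ->", probe_starttls(host))
        print(host, "ldaps ->", probe_ldaps(host))
    except OSError as exc:
        print(host, "error:", exc)
```

A resultCode of 0 on port 389 means sssd's default StartTLS will work once the client trusts the server's CA; a non-zero code with a diagnostic like the one in the log means the server side has to be fixed first, and no client-side option changes that.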

Sorry, I could not understand your question properly.

Should I understand that your server has 11.4 and there is no TLS configured?
Or should I understand that your server has 42.1 and TLS is configured, but you do not want each client to have TLS certification?

By the way, irrespective of the TLS configuration at the server, openSUSE Leap (client) as such is not strict on TLS.

Just select ldap_tls_reqcert as never in Authentication Client. You can use it w/o the worry of a certificate…:wink:

The server is running OS 13.2.
It is a fresh install (2 mo old now), but we have clients which still run OS 11.4 and which I did not and will not update due to lack of time.
So I took the configuration and the LDAP DB from our old server (that one was running OS 11.4) and transferred it to the new one.
Meaning that on the OS 13.2 server I do not have TLS/SSL set up (nor on any client).

The “Authentication Client” Module in Yast presents, when setting up a domain authentication, the option ldap_tls_reqcert
by default as “allow” and I did set it to “never” before starting this thread.
Apparently (cf. the systemd message above) this does not disable TLS.

I thought at first that this was a local problem of the client, because with the basic set-up through Yast Authentication Client
I can switch to a user in the LDAP DB from the root account but not from an unprivileged account.
Alas I was not able to discover where the error is, so I’ve turned here for help.

Could you please upload /etc/sssd/sssd.conf here… Also could you please inform which OS you have installed on the client. In YaST the Authentication Client got introduced from 13.2 onwards… Until then we had only the LDAP Client module…

Could you please upload /etc/sssd/sssd.conf here…

Also please confirm whether other clients running on 11.4 work fine with the 13.2 server w/o TLS…

Anyone know if 42.1 LDAP Client Workstations are backwards compatible with an LDAP 13.2 Server?

Server is 13.2, as are most workstations, and all works fine. I’ve tried to upgrade two workstations to 42.1 but both have the same error. Originally the sessions were unstable, but now, presumably since a file update, neither manages to even get to loading the session, using either KDE Plasma or Plasma 5. The only option is to run in IceWM, which is obviously very limited.

If I run these two upgrades as root, rather than an LDAP client, all works perfectly OK.

On Mon, 30 Nov 2015 12:46:01 +0000, YeboElectronics wrote:

> Anyone know if 42.1 LDAP Client Workstations are backwards compatible
> with an LDAP 13.2 Server?

Should be, but you should ask your question in a separate thread, as it’s
not really related to the OP in this thread’s question.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

This sounds like a permissions problem. Could you check the owner of the files you are dealing with? Is ‘ldap’ the owner or ‘root’?

Hi, it took 2 days to simulate the condition. But I think the result is very encouraging.

The issue discussed above is both with the LDAP server as well as the client.

openSUSE 13.1 onwards, login is done with sssd. Whether or not you use a client certificate, the LDAP server should support “LDAP over SSL (ldaps)”.

To confirm this I did the following trial.

I created 2 LDAP servers, one supporting “LDAP & LDAP over SSL (ldaps)”, the other with LDAP only (no LDAP over SSL).
I also created a client to check which one works well.

The following was my system setup:

M/C Name               OS Version   Role                           M/C Type
server.MyCompany.int   Leap 42.1    LDAP & LDAP over SSL (ldaps)   Virtual Machine
server1.MyCompany.int  13.2         LDAP only                      Virtual Machine
client.MyCompany.int   Leap 42.1    Common Client                  Virtual Machine

The following was the result:

Case  Server                 Condition with self   Condition with client (client.MyCompany.int)
1     server.MyCompany.int   Works                 Works
2     server1.MyCompany.int  Error                 Error

Later, when I changed server1.MyCompany.int into “LDAP & LDAP over SSL (ldaps)”:

Case  Server                 Condition with self   Condition with client (client.MyCompany.int)
1     server.MyCompany.int   Works                 Works
2     server1.MyCompany.int  Works                 Works

**Inference:**
From the above, we can arrive at 3 conclusions:

  1. openSUSE 13.1 onwards uses sssd for authentication. SSSD will communicate with LDAP only through “LDAP over SSL (ldaps)”.
  2. Older systems like 11.4 or Linux Mint etc. as clients do not use SSSD for login. But an LDAP server configured as “LDAP & LDAP over SSL (ldaps)” will serve both older systems and new systems.
  3. There is no issue of compatibility between the openSUSE versions.

Anyway, as you are using openSUSE 13.2 for your server, enable both “LDAP & LDAP over SSL (ldaps)”. Things should work well…:wink:

Regards
Shrivathsa

Also, as against your worry… you need not set up a certificate for every client. Just create a certificate on the LDAP server and give the path of the certificate while configuring “LDAP over SSL”.

On the client side just add the parameter “ldap_tls_reqcert = never” in the Authentication Client module. This parameter avoids the need of having certificates on each and every client.
For older clients there is no need for such steps. Hence it will work without any problems.
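The two client-side settings that come up in this thread, ldap_tls_reqcert and the TLS requirement itself, are worth checking mechanically, because ldap_tls_reqcert = never (and allow) makes sssd accept any certificate the server presents, so the connection is encrypted but the server is no longer authenticated. Distributing the server's CA certificate to the clients and pointing ldap_tls_cacert at it keeps verification on without a per-client certificate. The audit below is an added example, not code from this thread or from the sssd project: it parses the INI-style sssd.conf with configparser and reports a plain ldap:// URI with StartTLS switched off, ldap_tls_reqcert set to never or allow, the ldap_auth_disable_tls_never_use_in_production escape hatch, and a verified setup that has no CA file configured. Defaults follow sssd-ldap(5): ldap_id_use_start_tls is true and ldap_tls_reqcert is hard when unset. The two embedded configurations are constructed samples and the host names and CA path in them are placeholders.

```python
"""Audit the TLS-related settings of the LDAP domains in an sssd.conf.

Added example, not code from the forum thread or from the sssd project.
"""
import configparser
import sys
from typing import List

# Constructed sample: the weak client setup discussed in the thread.
WEAK_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://server1.MyCompany.int
ldap_search_base = dc=MyCompany,dc=int
ldap_id_use_start_tls = false
ldap_tls_reqcert = never
"""

# Constructed sample: the same domain with verified TLS (CA path is a placeholder).
HARDENED_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.MyCompany.int
ldap_search_base = dc=MyCompany,dc=int
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/trust/anchors/ldap-ca.pem
"""


def _truthy(value: str) -> bool:
    return value.strip().lower() in ("true", "yes", "on", "1")


def audit_sssd_conf(text: str) -> List[str]:
    """Return one finding per weak TLS setting; an empty list means nothing was flagged."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings: List[str] = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        dom = parser[section]
        if "ldap" not in (dom.get("id_provider"), dom.get("auth_provider")):
            continue
        # sssd-ldap(5) defaults: StartTLS on for ldap://, certificate checking "hard".
        start_tls = _truthy(dom.get("ldap_id_use_start_tls", "true"))
        reqcert = dom.get("ldap_tls_reqcert", "hard").strip().lower()
        for uri in dom.get("ldap_uri", "").replace(",", " ").split():
            if uri.startswith("ldap://") and not start_tls:
                findings.append(f"{section}: {uri} with ldap_id_use_start_tls = false "
                                "sends binds in cleartext")
        if reqcert in ("never", "allow"):
            findings.append(f"{section}: ldap_tls_reqcert = {reqcert} accepts any "
                            "server certificate (no server authentication)")
        if _truthy(dom.get("ldap_auth_disable_tls_never_use_in_production", "false")):
            findings.append(f"{section}: ldap_auth_disable_tls_never_use_in_production "
                            "is set, passwords may be sent unencrypted")
        if reqcert in ("demand", "hard") and not (
                dom.get("ldap_tls_cacert") or dom.get("ldap_tls_cacertdir")):
            findings.append(f"{section}: no ldap_tls_cacert/ldap_tls_cacertdir set, "
                            "verification relies on the system trust store")
    return findings


def audit_file(path: str) -> List[str]:
    """Audit an sssd.conf on disk (the real file is root-only, mode 0600)."""
    with open(path, encoding="utf-8") as fh:
        return audit_sssd_conf(fh.read())


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/sssd/sssd.conf"
    for line in audit_file(path) or ["no weak TLS settings found"]:
        print(line)
```

Run as root against /etc/sssd/sssd.conf, or hand it any path; on the constructed WEAK_CONF it reports the cleartext URI and the disabled certificate check, on HARDENED_CONF nothing. The hardened sample is the shape of configuration to aim for once the 13.2 server has ldaps (or StartTLS) enabled as described in the posts above.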