We finally got our hard copy of Leap 42.1 delivered two weeks ago and I am planning to update a
workstation which does not play nice with 13.2 installed.
This brought me back to the problem of authenticating users through LDAP.
With legacy workstations running OS 11.4 I did not implement SSL/TLS encryption
when I updated the server to OS 13.2.
If I try to do the same from the account of a common user I get
su: Authentifizierungsdienst kann Authentifizierungsinformationen nicht abrufen
(or in English: authentication service can't retrieve authentication information)
Is there a permission problem somewhere I'm not aware of? (I did set the computer type to "roaming device" in Yast Security Center and Hardening)
Thanks for the info and no I did not update the system beforehand.
Alas, after updating it the problem persists!
After a failed su from a local unprivileged user to an LDAP user I checked the output of “systemctl status sssd.service”
solid06:/etc/sssd # systemctl status sssd.service
...
Nov 27 14:05:37 solid06 sssd[be[1989]: Could not start TLS encryption. unsupported extended operation
So it seems that sssd tries to connect to the ldap server using tls (which is the default for sssd) but fails because the server
is not set up for that.
I’d like to circumvent the default requirement for TLS.
My previous workaround for OS 12.3-13.2 seems to work fine but requires quite a bit of editing,
and I'd like to have a "point-and-click adventure" to make it easier for whoever is going to be my successor as part-time sysadmin.
Sorry, I could not understand your question properly.
Should I understand that your server has 11.4 and there is no TLS configured?
Or should I understand that your server has 42.1 and TLS is configured, but you do not want each client to have a TLS certificate?
By the way, irrespective of the TLS configuration at the server, openSUSE Leap (client) as such is not strict on TLS.
Just select ldap_tls_reqcert as "never" in the Authentication Client. You can use it without worrying about the certificate…
The server is running OS 13.2.
It is a fresh install (2 mo old now), but we have clients which still run OS 11.4 and which I did not and will not update due to lack of time.
So I took the configuration and the LDAP DB from our old server (that one was running OS 11.4) and transferred it to the new one.
Meaning that on the OS 13.2 server I do not have TLS/SSL set up. (neither on any client)
The “Authentication Client” Module in Yast presents, when setting up a domain authentication, the option ldap_tls_reqcert
by default as “allow” and I did set it to “never” before starting this thread.
Apparently (c.f. the systemd message above) this does not disable TLS.
I thought at first that this was a local problem of the client, because with the basic set-up through Yast Authentication Client
I can switch to a user in the LDAP DB from the root account but not from an unprivileged account.
Alas I was not able to discover where the error is, so I’ve turned here for help.
Could you please upload /etc/sssd/sssd.conf here… Also, could you please tell me which OS you have installed on the client? In Yast the Authentication Client module was introduced from 13.2 onwards… Until then we had only the LDAP Client module…
Anyone know if 42.1 LDAP Client Workstations are backwards compatible with an LDAP 13.2 Server?
Server is 13.2, as are most workstations, and all works fine. I've tried to upgrade two workstations to 42.1 but both have the same error. Originally the sessions were unstable, but now, presumably since a file update, neither manages to even get to loading the session, using either KDE Plasma or Plasma 5. The only option is to run IceWM, which is obviously very limited.
If I run these two upgrades as root, rather than an LDAP client, all works perfectly OK.
Hi, it took 2 days to simulate the condition, but I think the result is very encouraging.
The issue discussed above concerns both the LDAP server and the client.
From openSUSE 13.1 onwards, login is done with sssd. Whether or not you use a client certificate, the LDAP server should support "LDAP over SSL (ldaps)".
To confirm this I did the following trial.
I created 2 LDAP servers, one supporting "LDAP & LDAP over SSL (ldaps)", the other with LDAP only (no LDAP over SSL).
I also created a client to check which one works well.
The following was my system setup:
M/C Name                 OS Version   Role                            M/C Type
server.MyCompany.int     Leap 42.1    LDAP & LDAP over SSL (ldaps)    Virtual Machine
server1.MyCompany.int    13.2         LDAP only                       Virtual Machine
client.MyCompany.int     Leap 42.1    Common Client                   Virtual Machine
The following was the result:
Case   Server                   Condition with self client   Condition with client (client.MyCompany.int)
1      server.MyCompany.int     Works                        Works
2      server1.MyCompany.int    Error                        Error
Later, when I changed server1.MyCompany.int to "LDAP & LDAP over SSL (ldaps)":
Case   Server                   Condition with self client   Condition with client (client.MyCompany.int)
1      server.MyCompany.int     Works                        Works
2      server1.MyCompany.int    Works                        Works
**Inference:**
From the above, we can arrive at 3 conclusions:
openSUSE 13.1 onwards uses sssd for authentication. SSSD will communicate with LDAP only through "LDAP over SSL (ldaps)".
Older systems like 11.4 or Linux Mint etc. as clients do not use SSSD for login. But an LDAP server configured as "LDAP & LDAP over SSL (ldaps)" will serve both older systems and new systems.
There is no compatibility issue between the openSUSE versions.
Anyway, as you are using openSUSE 13.2 for your server, enable both "LDAP & LDAP over SSL (ldaps)". Things should work well…
Also, contrary to your worry, you need not set up a certificate for every client. Just create a certificate on the LDAP server and give the path of the certificate while configuring "LDAP over SSL".
On the client side just add the parameter "ldap_tls_reqcert = never" in the Authentication Client module. This parameter avoids the need of having certificates on each and every client.
For older clients no such steps are needed, hence they will work without any problems.
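Added example, not code from this thread or from sssd itself: a small Python audit that covers the two points raised above, the original poster's wish to run sssd against a server without TLS (the "Could not start TLS encryption. unsupported extended operation" log line) and the advice in this post to set ldap_tls_reqcert = never. The option names are the real ones from sssd-ldap(5): ldap_tls_reqcert only controls how the server certificate is verified, ldap_id_use_start_tls controls StartTLS for lookups, and the TLS requirement for password authentication is only lifted by ldap_auth_disable_tls_never_use_in_production. The hostnames, search base, CA path, sample sssd.conf texts and the rootDSE LDIF are constructed for illustration, and the second function parses the output of `ldapsearch -x -s base -b '' supportedExtension` to confirm whether the server advertises the StartTLS extended operation at all.

```python
"""Audit the TLS posture of sssd.conf LDAP domains and check a rootDSE for StartTLS.
Added example: option names are sssd-ldap's own; hosts, paths and samples are constructed."""
import configparser

STARTTLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)

# Constructed sample: cleartext ldap:// plus ldap_tls_reqcert = never, roughly what
# the YaST Authentication Client domain discussed in this thread ends up with.
WEAK_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://server1.MyCompany.int
ldap_search_base = dc=MyCompany,dc=int
ldap_tls_reqcert = never
"""

# Constructed sample: ldaps:// with the server's CA pinned and verification enforced.
HARDENED_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server.MyCompany.int
ldap_search_base = dc=MyCompany,dc=int
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/MyCompany-ldap-ca.pem
"""

# Constructed sample of a rootDSE that advertises StartTLS and Password Modify.
ROOTDSE_LDIF = """dn:
objectClass: top
objectClass: OpenLDAProotDSE
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
"""


def _is_true(value):
    return value.strip().lower() in ("true", "yes", "1")


def audit_sssd_conf(text):
    """Return (section, finding) tuples for every LDAP [domain/*] section in text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for sec in cp.sections():
        if not sec.startswith("domain/"):
            continue
        d = cp[sec]
        if d.get("id_provider") != "ldap" and d.get("auth_provider") != "ldap":
            continue
        uris = [u.strip() for u in d.get("ldap_uri", "").split(",") if u.strip()]
        plain = [u for u in uris if u.startswith("ldap://")]
        # Lookups over ldap:// stay cleartext unless StartTLS is switched on.
        if plain and not _is_true(d.get("ldap_id_use_start_tls", "false")):
            findings.append((sec, "identity lookups over cleartext ldap:// "
                                  "(ldap_id_use_start_tls is off)"))
        # This is the only option that lets sssd send a bind password without TLS.
        if _is_true(d.get("ldap_auth_disable_tls_never_use_in_production", "false")):
            findings.append((sec, "password authentication allowed without TLS "
                                  "(ldap_auth_disable_tls_never_use_in_production)"))
        # reqcert governs verification only; never/allow accept any certificate.
        reqcert = d.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert in ("never", "allow"):
            findings.append((sec, "server certificate not verified "
                                  "(ldap_tls_reqcert = %s)" % reqcert))
        elif not d.get("ldap_tls_cacert") and not d.get("ldap_tls_cacertdir"):
            findings.append((sec, "no ldap_tls_cacert/ldap_tls_cacertdir: "
                                  "verification depends on libldap defaults"))
    return findings


def rootdse_supports_starttls(ldif_text):
    """True if the rootDSE LDIF lists the StartTLS OID under supportedExtension."""
    oids = set()
    for line in ldif_text.splitlines():
        if line.startswith("supportedExtension:"):
            oids.add(line.split(":", 1)[1].strip())
    return STARTTLS_OID in oids


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_sssd_conf(conf))
    print("rootDSE advertises StartTLS:", rootdse_supports_starttls(ROOTDSE_LDIF))
```

Run it against the real /etc/sssd/sssd.conf by reading the file into `audit_sssd_conf`; a domain that reports no findings is one where both lookups and password binds are protected and the server certificate is actually checked. If the rootDSE check returns False, the "unsupported extended operation" log line is expected whatever the client sets, and the fix belongs on the server (enable TLS there, or offer ldaps:// as this post recommends) rather than in ldap_tls_reqcert.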