Re: Problem in user authentication with LDAP + SSSD

[Patrick Lists <openldap-list@puzzled.xs4all.nl>]

Hi Cristiane,

Here are some things I noticed.

On 02/18/2013 07:01 PM, Cristiane França wrote:
> Hi,
> I'm an authentication problem with my server CentOS 6.3, there are
> installer LDAP (openldap-2.4.23-26) and SSSD (sssd-1.8.0-32).
> The LDAP server is working fine but the integration between LDAP + SSSD
> has a problem because it can not authenticate the user on the server
>
> Can anyone help me identify the problem?
> I've revised all the configuration and found nothing wrong.
>
> ::::: slapd.conf :::::
>
> include/etc/openldap/schema/core.schema
> include/etc/openldap/schema/cosine.schema
> include/etc/openldap/schema/inetorgperson.schema
> include/etc/openldap/schema/nis.schema
> include/etc/openldap/schema/misc.schema
>
> allow bind_v2
> pidfile/var/run/openldap/slapd.pid
>
> TLSCACertificateFile /etc/openldap/cacert.pem
> TLSCertificateFile /etc/openldap/servercrt.pem
> TLSCertificateKeyFile /etc/openldap/serverkey.pem

Iirc the Red Hat/CentOS OpenLDAP RPM expects the certificates to be in 
/etc/openldap/certs.

> directory       /database/ldap

Iirc the Red Hat/CentOS OpenLDAP RPM expects the LDAP database to be in 
/var/lib/ldap.

> ldap_tls_cacertdir = /etc/openldap/cacerts

This location differs from the one configured at the top.

If you are using non-standard locations for various things then you may 
bump into SELinux AVCs. Have you checked /var/log/audit/audit.log to see 
if there are any SELinux issues? Does the problem still exist when you 
temporarily disable SELinux with setenforce 0?

Regards,
Patrick