SLE 12 Ldap Authentication to clustered LDAP Server

Hi,

I need to setup LDAP Authentication to a SLE12 server. My LDAP server is a cluster-based OES 2 SP3 server.

Here’s my sssd.conf:

[domain/MyLDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldap://ldap.mydomain
ldap_default_base_dn = cn=LDAP,o=MyOrg
ldap_search_base = o=MyOrg
ldap_tls_cacert = /etc/sssd/certs/O=MyOrg,OU=OrganizationalCA.pem
ldap_tls_cacertdir = /etc/sssd/certs
debug_level = 20
case_sensitive = true
create_homedir = true
enumerate = true
cache_credentials = false
ldap_id_use_start_tls = true
tls_reqcert = allow
ldap_pwd_policy = none
ldap_network_timeout = 3
access_provider = ldap
ldap_access_filter = (|(groupMembership=cn=LDAPEnabledUsers,ou=Groups,o=MyOrg))

I have two OES 2 SP3 Servers (server1 and server2) working on a NCS Cluster. The FQDN “ldap.mydomain” points to the Cluster’s “Master IP Address”, so the active server will answer ldap requests.

This used to work on SLE10 and SLE11 (without TLS), but now that I’m installing SLE12, I’m facing problems.

When I set up SSSD to use the neutral address, I got the error below:

sle12server sssd[be[MyLDAP]]: Could not start TLS encryption. TLS: hostname does not match CN in peer certificate

I understand that I’m getting this error because the active server isn’t presenting itself as “ldap.mydomain”, but “CN=server1,O=MyORG” (or “CN=server2,O=MyORG” if this is the active server). For instance, if I point “ldap_uri” to server1, authentication works; but what if server1 is offline?

So, I need help to make SSSD accept the server certificates, or maybe try to authenticate in both servers.

Can anyone help me?

Thank you to all who tried to help me. I found in the “sssd-ldap” man page that the “ldap_uri” parameter may receive a comma-separated list of LDAP servers. The solution was:

ldap_uri=ldaps://server1.mydomain,ldaps://server2.mydomain

Now I can progress to other tuning, like home directory creation and server timeouts.

For this use case, where the LDAP ID and AUTH providers are being used, I would do the following to implement the functionality described.

Use the following directive to address the TLS errors due to the cert cn mismatches:

ldap_tls_reqcert = never

To accommodate the eventuality of an LDAP server being down, the SSSD offline authentication capabilities can be used.

Set the following directive to true:

cache_credentials = true

If the LDAP server contacted was down or didn’t respond, SSSD would authenticate users from its cache, provided the user has logged in before and is cached.

If SSSD is used to cache users, the Name Service Caching Daemon (nscd) should be disabled, or at a minimum have user and group caching disabled.

– lawrence
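The two settings the thread converges on (a comma-separated ldap_uri list for failover, and ldap_tls_reqcert to get past the certificate-name mismatch) are easy to get subtly wrong: the original config spells the option tls_reqcert, which sssd-ldap does not recognise and therefore never applies, and ldap_tls_reqcert = never silences the error by turning off server certificate verification entirely. The following is an added example, not code from any post in this thread, that audits a [domain/...] section for exactly those points. The sample config is constructed from the thread's values with the follow-up and reply applied; the finding codes and the MISSPELLED_KEYS table are this example's own.

```python
"""Audit an sssd.conf domain section for the failover and TLS issues
discussed in this thread. Added example; not part of the original posts."""
import configparser

# Constructed sample: the thread's domain section with the follow-up's
# two-server ldap_uri and the reply's ldap_tls_reqcert/cache_credentials applied.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = MyLDAP

[domain/MyLDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldaps://server1.mydomain, ldaps://server2.mydomain
ldap_search_base = o=MyOrg
ldap_tls_cacertdir = /etc/sssd/certs
ldap_id_use_start_tls = true
ldap_tls_reqcert = never
tls_reqcert = allow
cache_credentials = true
"""

# Key seen in the thread that sssd-ldap does not know; the real option is the value.
# (Table is this example's own; extend it with other typos you encounter.)
MISSPELLED_KEYS = {"tls_reqcert": "ldap_tls_reqcert"}


def parse_sssd_conf(text):
    """Parse sssd.conf text; '%' appears in some filters, so disable interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def ldap_servers(section):
    """Split ldap_uri into its comma-separated server list (sssd-ldap syntax)."""
    return [u.strip() for u in section.get("ldap_uri", "").split(",") if u.strip()]


def audit_domain(section):
    """Return (code, message) findings for one [domain/...] section."""
    findings = []
    servers = ldap_servers(section)

    # Failover: a single URI means an outage of that host blocks logins.
    if len(servers) < 2:
        findings.append(("no_failover",
                         "ldap_uri lists one server; give a comma-separated list "
                         "so SSSD can fail over to the next one"))

    # Misspelled keys are ignored rather than applied, so the intended
    # behaviour (e.g. a relaxed reqcert) silently never takes effect.
    for key, real in MISSPELLED_KEYS.items():
        if key in section:
            findings.append(("ignored_key",
                             f"'{key}' is not an sssd-ldap option and is ignored; "
                             f"the option is '{real}'"))

    # 'never'/'allow' stop SSSD from rejecting a bad or mismatched server cert,
    # which leaves the TLS channel open to impersonation. The durable fix is a
    # certificate whose SAN covers the name in ldap_uri, with 'demand' or 'hard'.
    reqcert = section.get("ldap_tls_reqcert", "hard").strip().lower()
    if reqcert in ("never", "allow"):
        findings.append(("tls_unverified",
                         f"ldap_tls_reqcert = {reqcert} disables server certificate "
                         "verification; issue certs matching the ldap_uri hostnames "
                         "and use 'demand'"))

    # ldap:// without STARTTLS sends identity lookups in clear text.
    plain = [s for s in servers if s.startswith("ldap://")]
    if plain and section.get("ldap_id_use_start_tls", "false").strip().lower() != "true":
        findings.append(("plaintext_id",
                         "ldap:// URI without ldap_id_use_start_tls = true; "
                         "identity lookups are unencrypted"))

    # Without cached credentials, an LDAP outage means nobody can log in.
    if section.get("cache_credentials", "false").strip().lower() != "true":
        findings.append(("no_offline_auth",
                         "cache_credentials is not true; users cannot authenticate "
                         "while every LDAP server is unreachable"))
    return findings


def audit_conf(text):
    """Audit every [domain/...] section; returns {domain_section: findings}."""
    cp = parse_sssd_conf(text)
    return {name: audit_domain(cp[name]) for name in cp.sections()
            if name.startswith("domain/")}


if __name__ == "__main__":
    for name, findings in audit_conf(SAMPLE_SSSD_CONF).items():
        print(f"[{name}]")
        for code, msg in findings:
            print(f"  {code}: {msg}")
```

Run it against the real file with `audit_conf(open("/etc/sssd/sssd.conf").read())` (as root; the file is mode 0600). On the sample it reports the ignored tls_reqcert key and the disabled verification, and nothing about failover or offline authentication, because those two fixes from the thread are already in place.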