SLES12 SSSD -->Port status of port 636 for server 'bomaster.

Hello,

We are trying to use SSSD to authenticate users that connect through SSH.
OpenSSL using TLS cacert. The cert was tested with openssl s_client with OK!
The LDAP server is an eDirectory, listening on port 636. Nmap output: 636/tcp open ldapssl

We are receiving the following error:
/var/log/sssd/sssd_bomaster.log
----> Port status of port 636 for server 'bomaster.gkdruhr.de' is 'not working'

Could anyone help with some suggestions ?

Thanks !!


SSSD.conf

[domain/bomaster]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldaps://bomaster.gkdruhr.de:636
ldap_search_base = cn=LDAP-Users-bosyslog01,ou=18,ou=4,ou=city,o=bo
ldap_tls_cacert = /etc/openldap/cacerts/bo-root.pem

posixAccount is the default value

ldap_user_object_class = posixAccount
debug_level = 9

______________________________________________________________________________________________________________
SSSD error output

(Mon Dec 1 12:10:25 2014) [sssd[be[bomaster]]] [sbus_dispatch] (0x4000): dbus conn: 0x1ba1330
(Mon Dec 1 12:10:25 2014) [sssd[be[bomaster]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Dec 1 12:10:25 2014) [sssd[be[bomaster]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [sbus_dispatch] (0x4000): dbus conn: 0x1baed60
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=gkd0117]
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast reply - offline
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [be_req_set_domain] (0x0400): Changing request domain from [bomaster] to [bomaster]
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [sdap_id_op_connect_step] (0x4000): beginning to connect
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [get_server_status] (0x1000): Status of server 'bomaster.gkdruhr.de' is 'name resolved'
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [get_port_status] (0x1000): Port status of port 636 for server 'bomaster.gkdruhr.de' is 'not working'
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [get_port_status] (0x0100): Reseting the status of port 636 for server 'bomaster.gkdruhr.de
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [fo_resolve_service_activate_timeout] (0x2000): Resolve timeout set to 6 seconds
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [get_server_status] (0x1000): Status of server 'bomaster.gkdruhr.de' is 'name resolved'
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [be_resolve_server_process] (0x1000): Saving the first resolved server
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [be_resolve_server_process] (0x0200): Found address for server bomaster.gkdruhr.de: [10.115.100.18] TTL 86400
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [sss_ldap_init_send] (0x4000): Using file descriptor [20] for LDAP connection.
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: Connect error
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed.
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [sdap_handle_release] (0x2000): Trace: sh[0x1bba710], connected[0], ops[(nil)], ldap[(nil)], destructor_lock[0], release_memory[0]
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [fo_set_port_status] (0x0100): Marking port 636 of server 'bomaster.gkdruhr.de' as 'not working'
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [fo_set_port_status] (0x0400): Marking port 636 of duplicate server 'bomaster.gkdruhr.de' as 'not working'
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [get_server_status] (0x1000): Status of server 'bomaster.gkdruhr.de' is 'name resolved'
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [get_port_status] (0x1000): Port status of port 636 for server 'bomaster.gkdruhr.de' is 'not working'
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [be_resolve_server_done] (0x1000): Server resolution failed: 5
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [be_mark_offline] (0x2000): Going offline!
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [be_run_offline_cb] (0x0080): Going offline. Running callbacks.
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [sdap_id_op_connect_done] (0x4000): notify offline to op #1
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [sdap_id_release_conn_data] (0x4000): releasing unused connection
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [sbus_dispatch] (0x4000): dbus conn: 0x1baed60
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=gkd0117]
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast reply - offline
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [be_req_set_domain] (0x0400): Changing request domain from [bomaster] to [bomaster]
(Mon Dec 1 12:10:28 2014) [sssd[be[bomaster]]] [sbus_dispatch] (0x4000): dbus conn: 0x1baed60
(Mon Dec 1 12:10:28 2014) [sssd[be[bomaster]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Dec 1 12:10:28 2014) [sssd[be[bomaster]]] [sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
(Mon Dec 1 12:10:28 2014) [sssd[be[bomaster]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=gkd0117]
(Mon Dec 1 12:10:28 2014) [sssd[be[bomaster]]] [be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast reply - offline
(Mon Dec 1 12:10:28 2014) [sssd[be[bomaster]]] [be_req_set_domain] (0x0400): Changing request domain from [bomaster] to [bomaster]
(Mon Dec 1 12:10:28 2014) [sssd[be[bomaster]]] [sbus_dispatch] (0x4000): dbus conn: 0x1bb1b70
(Mon Dec 1 12:10:28 2014) [sssd[be[bomaster]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Dec 1 12:10:28 2014) [sssd[be[bomaster]]] [sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
(Mon Dec 1 12:10:28 2014) [sssd[be[bomaster]]] [be_get_account_info] (0x0100): Got request for [3][1][name=gkd0117]
(Mon Dec 1 12:10:28 2014) [sssd[be[bomaster]]] [be_req_set_domain] (0x0400): Changing request domain from [bomaster] to [bomaster]
(Mon Dec 1 12:10:28 2014) [sssd[be[bomaster]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1be5460
(Mon Dec 1 12:10:28 2014) [sssd[be[bomaster]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1bdfed0
(Mon Dec 1 12:10:28 2014) [sssd[be[bomaster]]] [ldb] (0x4000): Running timer event 0x1be5460 "ltdb_callback"
(Mon Dec 1 12:10:28 2014) [sssd[be[bomaster]]] [ldb] (0x4000): Destroying timer event 0x1bdfed0 "ltdb_timeout"
(Mon Dec 1 12:10:28 2014) [sssd[be[bomaster]]] [ldb] (0x4000): Ending timer event 0x1be5460 "ltdb_callback"
(Mon Dec 1 12:10:28 2014) [sssd[be[bomaster]]] [acctinfo_callback] (0x0100): Request processed. Returned 1,11,Offline
(Mon Dec 1 12:10:30 2014) [sssd[be[bomaster]]] [sbus_dispatch] (0x4000): dbus conn: 0x1baed60
(Mon Dec 1 12:10:30 2014) [sssd[be[bomaster]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Dec 1 12:10:30 2014) [sssd[be[bomaster]]] [sbus_message_handler] (0x4000): Received SBUS method [getAccountInfo]
(Mon Dec 1 12:10:30 2014) [sssd[be[bomaster]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=gkd0117]
(Mon Dec 1 12:10:30 2014) [sssd[be[bomaster]]] [be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast reply - offline
(Mon Dec 1 12:10:30 2014) [sssd[be[bomaster]]] [be_req_set_domain] (0x0400): Changing request domain from [bomaster] to [bomaster]
(Mon Dec 1 12:10:35 2014) [sssd[be[bomaster]]] [sbus_dispatch] (0x4000): dbus conn: 0x1ba1330
(Mon Dec 1 12:10:35 2014) [sssd[be[bomaster]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Dec 1 12:10:35 2014) [sssd[be[bomaster]]] [sbus_message_handler] (0x4000): Received SBUS method [ping]

Wrong cert

*CLOSE

tbrinkmann wrote:
> Wrong cert
>
> *CLOSE

Hi,

Thanks for updating the thread.

Just to clarify: Do you mean you now have it working with the configuration you posted, it was just that you needed to do something different with the certificate you are using?

I’m curious as you mention having tested (using openssl) the certificate and it seemed ok.

Would be great if you could share some more info!

Thanks,
Willem

Hey Willem,

Sorry for the late reply. We have multiple LDAP servers (primary/secondary); the certificate was tagged with the server name.

So after I used the right server name with the right cert, everything runs fine.

*T
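An added example (not from this thread, and not SSSD's own code) in Python, illustrating the two things the thread turned on: the "Port status ... not working" line is only the symptom, and the real cause is the 0x0020-level "ldap_install_tls failed" line just before it; and the host named in ldap_uri has to match a DNS name the server certificate actually carries. The sample log lines and certificate names below are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the failure lines from the thread, in SSSD backend log format.
SAMPLE_LOG = """\
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [sss_ldap_init_sys_connect_done] (0x0020): ldap_install_tls failed: Connect error
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [sdap_sys_connect_done] (0x0020): sdap_async_connect_call request failed.
(Mon Dec 1 12:10:26 2014) [sssd[be[bomaster]]] [fo_set_port_status] (0x0100): Marking port 636 of server 'bomaster.gkdruhr.de' as 'not working'
"""

# One SSSD backend log line: (timestamp) [sssd[be[domain]]] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)

def failures_before_port_mark(log_text):
    """Return the 0x0020-level messages logged before a port is marked 'not working'.

    The 'not working' mark is the symptom; the 0x0020 lines ahead of it
    (here ldap_install_tls failed) name the actual cause of the outage."""
    causes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the backend log format
        if m["func"] == "fo_set_port_status" and "not working" in m["msg"]:
            return causes
        if int(m["level"], 16) == 0x0020:
            causes.append(f"{m['func']}: {m['msg']}")
    return causes

def hostname_matches(ldap_uri, cert_names):
    """Check the host from an SSSD ldap_uri against a certificate's DNS names.

    cert_names is the list of subjectAltName DNS entries (or the CN) as shown
    by `openssl x509 -noout -text`; a certificate issued for a different
    server name than the one in ldap_uri is rejected by ldap_install_tls."""
    host = urlsplit(ldap_uri).hostname.lower()
    for name in cert_names:
        name = name.lower()
        if name.startswith("*."):
            # A wildcard covers exactly one label (RFC 6125 section 6.4.3).
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False

if __name__ == "__main__":
    print(failures_before_port_mark(SAMPLE_LOG))
    print(hostname_matches("ldaps://bomaster.gkdruhr.de:636", ["ldap2.gkdruhr.de"]))
```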

… the location of the cert within the file system had no bearing on the issue as long as it was the right cert, obviously.

I am wondering if you meant and/or needed the daemon to make an SSL connection instead of letting it use TLS for both the ID and AUTH providers?

ldap_uri = ldaps://bomaster.gkdruhr.de
ldap_tls_cacert = /etc/openldap/cacerts/bo-root.pem
ldap_id_use_start_tls = yes

Just wondering,

– lawrence