Hi,

I searched the admins forum for "sssd" and found nothing. I am trying to authenticate my users against LDAP to log in to my application server through SSH. The new way of doing pam_ldap on RHEL 6 or CentOS 6 is "The System Security Services Daemon" (what a name!!), sssd for short.

I wonder has anyone succeeded in setting up a working zimbra ldap + sssd. I followed this post to set up config files. Here are my config files:

# cat /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss,pam
debug_level = 0xFFF0
enumerate = true
domains = mydomain
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
[pam]
[domain/mydomain]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_id_use_start_tls = true
ldap_tls_reqcert = allow
ldap_uri = ldap://mail.mydomain.org.tr
ldap_search_base = ou=people,dc=mydomain,dc=org,dc=tr
ldap_default_bind_dn = uid=zimbra,cn=admins,cn=zimbra
ldap_default_authtok_type = password
ldap_default_authtok = zmldappassword
ldap_user_object_class = zimbraAccount

# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss

hosts: files dns
...
...

I configured Zimbra LDAP to log debug messages; the following messages are written to the log when running the command #id zmtest on my app server console.

Jun 25 10:37:52 posta slapd[24785]: conn=1118 fd=18 ACCEPT from IP=192.168.55.38:42222 (IP=192.168.55.34:389)
Jun 25 10:37:52 posta slapd[24785]: conn=1118 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Jun 25 10:37:52 posta slapd[24785]: conn=1118 op=0 STARTTLS
Jun 25 10:37:52 posta slapd[24785]: conn=1118 op=0 RESULT oid= err=0 text=
Jun 25 10:37:52 posta slapd[24785]: conn=1118 fd=18 TLS established tls_ssf=256 ssf=256
Jun 25 10:37:52 posta slapd[24785]: conn=1118 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jun 25 10:37:52 posta slapd[24785]: conn=1118 op=1 SRCH attr=* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domainControllerFunctionality defaultNamingContext lastUSN highestCommittedUSN
Jun 25 10:37:52 posta slapd[24785]: conn=1118 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 25 10:37:52 posta slapd[24785]: conn=1118 op=2 BIND dn="uid=zimbra,cn=admins,cn=zimbra" method=128
Jun 25 10:37:52 posta slapd[24785]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Jun 25 10:37:52 posta slapd[24785]: conn=1118 op=2 BIND dn="uid=zimbra,cn=admins,cn=zimbra" mech=SIMPLE ssf=0
Jun 25 10:37:52 posta slapd[24785]: conn=1118 op=2 RESULT tag=97 err=0 text=
Jun 25 10:37:52 posta slapd[24785]: conn=1118 op=3 SRCH base="ou=people,dc=mydomain,dc=org,dc=tr" scope=2 deref=0 filter="(&(uid=zmtest)(objectClass=zimbraAccount)) "
Jun 25 10:37:52 posta slapd[24785]: conn=1118 op=3 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap
Jun 25 10:37:52 posta slapd[24785]: conn=1118 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=


sssd can query Zimbra LDAP! Wow! But the output of #id zmtest is "No such user" instead of some id representing the LDAP user. Also the "getent passwd zmtest" command returns nothing.

But ldapsearch from the console of the app server returns the attributes of user zmtest:
#ldapsearch -ZZZ -x -h mail.mydomain.org.tr -D uid=zimbra,cn=admins,cn=zimbra -Lb ou=people,dc=mydomain,dc=org,dc=tr -w zmldappassword "(&(uid=zmtest)(objectClass=zimbraAccount))"
#
# LDAPv3
# base <ou=people,dc=mydomain,dc=org,dc=tr> with scope subtree
# filter: (&(uid=zmtest)(objectClass=zimbraAccount))
# requesting: ALL
#

# zmtest, people, mydomain.org.tr
dn: uid=zmtest,ou=people,dc=mydomain,dc=org,dc=tr
sn: Test
zimbraMailStatus: enabled
zimbraHideInGal: TRUE
zimbraAccountStatus: active
givenName: Zimbra
displayName: Zimbra Test
objectClass: inetOrgPerson
objectClass: zimbraAccount
objectClass: amavisAccount
zimbraId: fbe94f4b-0947-4562-8370-33c69dde38f6
zimbraCreateTimestamp: 20130625073304Z
zimbraCOSId: 0dcff573-b04f-40f7-95ec-e00705696ea2
zimbraMailHost: mail.mydomain.org.tr
zimbraMailTransport: lmtp:mail.mydomain.org.tr:7025
zimbraMailDeliveryAddress: zmtest@mydomain.org.tr
mail: zmtest@mydomain.org.tr
cn: Zimbra Test
uid: zmtest
userPassword:: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
zimbraPasswordModifiedTime: 20130625073304Z

# search result

# numResponses: 2
# numEntries: 1



If you are still reading you might have experienced a similar LDAP integration case. Please comment.

Best regards
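An added diagnostic (example code, not from the original post and not part of sssd or Zimbra): the slapd log above shows sssd asking for uidNumber, gidNumber, homeDirectory and the other RFC2307 attributes on op=3, while the ldapsearch output shows that the zmtest entry carries none of them. With ldap_schema = rfc2307, sssd keys its user mapping on uidNumber and gidNumber, so an entry that lacks them is not stored as a POSIX user even though the search returned nentries=1, which is consistent with id and getent reporting nothing. The script below parses LDIF (the format ldapsearch -L prints) and reports, per entry, which of those attributes are missing. The sample LDIF is constructed: it trims the zmtest entry from the post, substitutes a placeholder for the redacted userPassword hash, and adds a second, invented entry that does carry the posixAccount attributes so the check has a passing case.

```python
import base64
from typing import Dict, List

# Attributes sssd requested in the slapd log (op=3 SRCH attr=...) that the
# rfc2307 schema mapping uses to turn an LDAP entry into a POSIX user.
# uidNumber and gidNumber are what the mapping keys on; homeDirectory is
# included because sssd asked for it too (assumption: checking all three).
REQUIRED_POSIX_ATTRS = ("uidNumber", "gidNumber", "homeDirectory")

# Constructed placeholder standing in for the redacted hash in the post.
_PW_B64 = base64.b64encode(b"{SSHA}placeholder").decode()

# Constructed sample LDIF: first entry trimmed from the post's ldapsearch
# output, second entry invented to show an entry that passes the check.
SAMPLE_LDIF = f"""\
# zmtest, people, mydomain.org.tr
dn: uid=zmtest,ou=people,dc=mydomain,dc=org,dc=tr
sn: Test
zimbraAccountStatus: active
objectClass: inetOrgPerson
objectClass: zimbraAccount
objectClass: amavisAccount
mail: zmtest@mydomain.org.tr
cn: Zimbra Test
uid: zmtest
userPassword:: {_PW_B64}

# posixtest, people, mydomain.org.tr (constructed entry)
dn: uid=posixtest,ou=people,dc=mydomain,dc=org,dc=tr
objectClass: inetOrgPerson
objectClass: posixAccount
uid: posixtest
cn: Posix Test
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/posixtest
loginShell: /bin/bash
"""


def parse_ldif(text: str) -> List[dict]:
    """Parse LDIF into [{"dn": str, "attrs": {lowercased_name: [values]}}].

    Handles '#' comment lines, blank-line entry separators, folded
    continuation lines (leading space) and base64 values ('attr:: ...').
    """
    # Unfold continuation lines first: a line starting with a space
    # continues the previous line.
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries: List[dict] = []
    current = None
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, _, rest = line.partition(":")
        name = name.strip().lower()  # LDAP attribute names are case-insensitive
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name == "dn":
            if current is not None:
                entries.append(current)
            current = {"dn": value, "attrs": {}}
            continue
        if current is None:
            continue  # attribute line before any dn: malformed, skip it
        current["attrs"].setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def missing_posix_attrs(entry: dict) -> List[str]:
    """Return the required POSIX attributes this entry does not carry."""
    return [a for a in REQUIRED_POSIX_ATTRS if a.lower() not in entry["attrs"]]


def check_ldif(text: str) -> Dict[str, List[str]]:
    """Map each entry's DN to the list of missing POSIX attributes."""
    return {e["dn"]: missing_posix_attrs(e) for e in parse_ldif(text)}


if __name__ == "__main__":
    for dn, missing in check_ldif(SAMPLE_LDIF).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{dn}: {status}")
```

Feed it the real output of the ldapsearch command from the post (redirected to a file) to see which accounts sssd will silently drop; an entry reported as missing uidNumber or gidNumber will not show up in getent passwd no matter how the search filter is tuned.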