sssd Can’t Contact LDAP Server
https://access.redhat.com/solutions/506233
Solution Verified - Updated August 6 2024 at 4:59 AM - English
Environment
Red Hat Enterprise Linux 6.4
SSSD 1.9
Issue
We are currently trying to deploy SSSD for our ldap connectivity using tls/ssl. Everything used to work fine with nss_ldap as well as openldap tools (ldapsearch...) and pam_ldap for authentication. But with SSSD we have the following error message in sssd_LDAP.log:
[sssd[be[LDAP]]] [fo_resolve_service_send] (0x0100): Trying to resolve service 'LDAP'
[sssd[be[LDAP]]] [resolv_gethostbyname_files_send] (0x0100): Trying to resolve A record of 'server123' in files
[sssd[be[LDAP]]] [set_server_common_status] (0x0100): Marking server 'server123' as 'resolving name'
[sssd[be[LDAP]]] [set_server_common_status] (0x0100): Marking server 'server123' as 'name resolved'
[sssd[be[LDAP]]] [be_resolve_server_process] (0x0200): Found address for server server123: [9.2.65.10] TTL 7200
[sssd[be[LDAP]]] [sdap_uri_callback] (0x0400): Constructed uri 'ldaps://server123:1636'
[sssd[be[LDAP]]] [sss_ldap_init_send] (0x0400): Setting 6 seconds timeout for connecting
[sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(objectclass=*)][].
[sssd[be[LDAP]]] [sdap_process_result] (0x0040): ldap_result error: [Can't contact LDAP server]
[sssd[be[LDAP]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
[sssd[be[LDAP]]] [sdap_get_server_opts_from_rootdse] (0x0200): No known USN scheme is supported by this server!
[sssd[be[LDAP]]] [sdap_get_server_opts_from_rootdse] (0x0200): Will use modification timestamp as usn!
[sssd[be[LDAP]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
[sssd[be[LDAP]]] [simple_bind_send] (0x0100): Executing simple bind as: cn=user,ou=linux,dc=example,dc=com
[sssd[be[LDAP]]] [simple_bind_send] (0x0020): ldap_bind failed (-1)[Can't contact LDAP server]
[sssd[be[LDAP]]] [fo_set_port_status] (0x0100): Marking port 1636 of server 'server123' as 'not working'
Higher debug level does not bring more information. We have tried to switch "ldap_tls_reqcert" parameter to 'never' to bypass any potential certificate issue without any improvement.
Here is the domain entry from sssd.conf:
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://server123:1636
ldap_search_base = ou=lnix,dc=example,dc=com
ldap_default_bind_dn = cn=user,ou=linux,dc=example,dc=com
ldap_default_authtok = xxxx
ldap_tls_cacert = /etc/openldap/cacerts/server123_rootca.pem
enumerate = true
ldap_referrals = false
ldap_schema = rfc2307
debug_level = 6
ldap_tls_reqcert = never
Using this openldap configuration file, the following ldapsearch works fine and returns results correctly as expected:
ldapsearch -x -D "cn=user,ou=linux,dc=example,dc=com" -w xxxxxx -b "ou=lnix,dc=example,dc=com" objectclass=*
Resolution
The error (sdap_get_generic_ext_recv failed [5]: Input/output error) can have several causes. Make sure the LDAP server responds to the ldapsearch command, and also make sure the LDAP server allows the RootDSE to be queried anonymously.
Root Cause
In this case, the LDAP server did not handle the RootDSE query correctly: it closed the connection (RST) instead of responding to the RootDSE query.
Here is the flow observed from network capture.
- Completes the 3-way handshake.
- SSSD tries to get the RootDSE entry from the Directory Server (searchRequest(1) "" baseObject).
- The above is done anonymously (all directory servers are expected to respond to anonymous RootDSE queries).
- SSSD gets a FIN (closure from the Directory Server) instead of a search response.
- SSSD sends an abandon request and closes the connection from its end as well.
Diagnostic Steps
Collect SSSD logs with a higher debug_level. Take a network capture during the issue and check what is going on.
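To check the anonymous RootDSE step that the capture shows failing without having to read a packet trace, the following Python script (an added example, not code from the Red Hat article or from SSSD) sends the same first request SSSD issues after the TLS handshake, a searchRequest with empty base, scope baseObject and filter (objectClass=*), and reports whether the server answers, closes the connection (the FIN seen above), or resets it. The function names, the verify flag that mirrors ldap_tls_reqcert = never, and the command-line arguments are my own assumptions; host server123 and port 1636 are taken from the sssd.conf above.

```python
"""Anonymous RootDSE probe (added example, not part of the article).

Hand-encodes the LDAP searchRequest that SSSD sends first:
  LDAPMessage { messageID 1, searchRequest { "" , baseObject, (objectClass=*) } }
and classifies what the server does with it.  Usage:
  python3 rootdse_probe.py server123 1636 [/etc/openldap/cacerts/server123_rootca.pem]
"""
import socket
import ssl
import sys

# Names of the protocolOp tags a server may legitimately reply with.
OPS = {0x64: "searchResEntry", 0x65: "searchResDone"}


def ber(tag, payload):
    """TLV with short-form length; all messages here are well under 128 bytes."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload


def build_rootdse_request(message_id=1):
    """Encode the anonymous RootDSE search (the bytes SSSD's ldap_search_ext emits)."""
    assert 0 < message_id < 128           # keep the INTEGER single-byte and positive
    search = (
        ber(0x04, b"")                    # baseObject: empty DN, i.e. the RootDSE
        + ber(0x0A, b"\x00")              # scope: baseObject
        + ber(0x0A, b"\x00")              # derefAliases: neverDerefAliases
        + ber(0x02, b"\x00")              # sizeLimit: 0 (no limit)
        + ber(0x02, b"\x00")              # timeLimit: 0 (no limit)
        + ber(0x01, b"\x00")              # typesOnly: FALSE
        + ber(0x87, b"objectClass")       # filter: present(objectClass) == (objectClass=*)
        + ber(0x30, b"")                  # attributes: none requested
    )
    # 0x63 = [APPLICATION 3] constructed = searchRequest
    return ber(0x30, ber(0x02, bytes([message_id])) + ber(0x63, search))


def probe_rootdse(sock, timeout=6.0):
    """Send the request on an already connected socket and classify the outcome.

    Returns "closed" (peer sent FIN, what the article's capture shows),
    "reset", "timeout", "garbage", or "response:<protocolOp name>".
    """
    sock.settimeout(timeout)              # same 6 s budget SSSD logs for connecting
    sock.sendall(build_rootdse_request())
    try:
        data = sock.recv(4096)
    except ConnectionResetError:
        return "reset"
    except socket.timeout:
        return "timeout"
    if not data:
        return "closed"
    # LDAPMessage is SEQUENCE(0x30) { INTEGER messageID, protocolOp ... }
    if len(data) < 6 or data[0] != 0x30 or data[2] != 0x02:
        return "garbage"
    op_off = 4 + data[3]                  # skip the messageID TLV (short-form length)
    if op_off >= len(data):
        return "garbage"
    return "response:" + OPS.get(data[op_off], hex(data[op_off]))


def connect_tls(host, port, cafile=None, verify=True):
    """Open an ldaps:// style TLS connection; verify=False is ldap_tls_reqcert = never."""
    ctx = ssl.create_default_context(cafile=cafile)
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=6)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    with connect_tls(host, port, cafile=cafile) as tls:
        print(probe_rootdse(tls))
```

A result of "closed" or "reset" reproduces the root cause described above independently of SSSD; "response:searchResEntry" means the RootDSE is served anonymously and the problem lies elsewhere. The equivalent check with the OpenLDAP tools already in use on the system is `ldapsearch -x -H ldaps://server123:1636 -s base -b "" objectclass=*`, which should return the RootDSE attributes without a bind DN.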