https://bugzilla.novell.com/show_bug.cgi?id=775167 https://bugzilla.novell.com/show_bug.cgi?id=775167#c Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|bnc-team-screening@forge.pr |rhafer@suse.com |ovo.novell.com | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=775167 https://bugzilla.novell.com/show_bug.cgi?id=775167#c2 --- Comment #2 from David Sterba 2012-08-17 16:13:24 CEST --- Do I have to use SSSD ? A dalog says that "You can disable SSSD in yast2 ldap-client module" but I don't see how in the dialogs. yast2-ldap-client-2.22.8-2.1.2.noarch -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=775167 https://bugzilla.novell.com/show_bug.cgi?id=775167#c4 Frank Gore changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |gore@projectpontiac.com --- Comment #4 from Frank Gore 2012-09-11 22:09:14 UTC --- So what's a workaround right now? Because this bug is completely preventing me from using opensuse 12.2 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=775167 https://bugzilla.novell.com/show_bug.cgi?id=775167#c6 --- Comment #6 from Ralf Haferkamp 2012-09-12 12:21:08 CEST --- (In reply to comment #4)

So what's a workaround right now? Because this bug is completely preventing me from using opensuse 12.2 Use nss_ldap and configure it manually.

Additionally there is the undocumented "ldap_auth_disable_tls_never_use_in_production" option for sssd, Add that do your [domain/default] section in sssd.conf. Note: That option is only meant for debugging purposes and if you know what you are doing. That's why we are not offering it in the UI and why upstream decided to hide it from the man pages. If you don't agree with that, feel free to bring up that topic on the sssd mailinglists. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=775167 https://bugzilla.novell.com/show_bug.cgi?id=775167#c8 Andreas Vetter changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |asvetter@cip.physik.uni-wue | |rzburg.de --- Comment #8 from Andreas Vetter 2012-09-12 11:16:59 UTC --- (In reply to comment #7)

I also see that the Online Help is still suggesting that sssd can be switched off. We should fix that in the online help.

The Online Help also does not explain, what is expected in the Popup Window, that appears after clicking on SSL/TLS Configuration. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=775167 https://bugzilla.novell.com/show_bug.cgi?id=775167#c10 Jiří Suchomel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEEDINFO InfoProvider| |rhafer@suse.com --- Comment #10 from Jiří Suchomel 2012-09-19 09:07:21 UTC --- Ralf, one think is removing that ""You can disable SSSD..." dialog, that's on me. But I guess during upgrade to 12.2, PAM configuration should be correctly updated to work as it used before. This is the nss/pam part, which is for you, I guess. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=775167 https://bugzilla.novell.com/show_bug.cgi?id=775167#c12 --- Comment #12 from Bernhard Wiedemann 2012-09-20 17:00:07 CEST --- This is an autogenerated message for OBS integration: This bug (775167) was mentioned in https://build.opensuse.org/request/show/135160 Factory / yast2-kerberos-client -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=775167 https://bugzilla.novell.com/show_bug.cgi?id=775167#c14 Jiří Suchomel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |ASSIGNED InfoProvider|rhafer@suse.com | --- Comment #14 from Jiří Suchomel 2012-09-21 06:00:01 UTC --- Well, the reson this is the 'hard way' is that it is not supported scenario. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=775167 https://bugzilla.novell.com/show_bug.cgi?id=775167#c16 Jiří Suchomel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEEDINFO InfoProvider| |voyager_sat@hotmail.com --- Comment #16 from Jiří Suchomel 2012-09-24 11:13:28 UTC --- What do you want to wait for? We've already stated, that SSSD is the default option now. You don't have to use it, but than you have to configure your LDAP without YaST. And because SSSD uses SSL/TLS, there's no point in the off switch. So what would you want? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=775167 https://bugzilla.novell.com/show_bug.cgi?id=775167#c18 --- Comment #18 from Frank Gore 2012-09-24 18:26:59 UTC --- It's worth noting that this new behavior breaks compatibility with the default SLES LDAP settings. Yes, it's possible to setup TLS on SLES, but it's not enabled by default on installation. There are many network environments where LDAP does not use (and does not need) TLS. Forcing it on users ensures that opensuse 12.2 will not be used in those environments. Most other distributions have gone in the same direction, making TLS the default (and practically mandatory) in the latest releases. If opensuse were to retain the old behavior of allowing TLS to be disabled on the client, then it would be one of the only distros to offer that option, which would be a positive difference. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

(In reply to comment #17)

...

Moreover, sssd do provide the possibility not to start a SSL/TLS communication by only setting the ldap_id_use_start_tls parameter to False. A check box would not arm the default behavior, it would only ease the process of installing openSuSE.

Ralf, do you think it would make sense to add a checkbox covering the value of ldap_id_use_start_tls?

Or would it be too misleading for other users? ldap_id_use_start_tls is only valid for the identiy_provider of sssd. (The part

https://bugzilla.novell.com/show_bug.cgi?id=775167 https://bugzilla.novell.com/show_bug.cgi?id=775167#c20 Ralf Haferkamp changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |ASSIGNED InfoProvider|rhafer@suse.com | --- Comment #20 from Ralf Haferkamp 2012-09-25 16:59:51 CEST --- (In reply to comment #19) that resolves user- and groupnames). So when you use ldap for the id provider and kerberos for the auth provider such a setting might make sense. But when you want to use the ldap for authentication is still demands to use SSL/TLS for the auth-provider part. So if we'd add such a checkbox we should make sure to document that fact properly. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=775167 https://bugzilla.novell.com/show_bug.cgi?id=775167#c22 Jiří Suchomel changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P4 - Low |P3 - Medium AssignedTo|ke@suse.com |jsuchome@suse.com Severity|Critical |Normal --- Comment #22 from Jiří Suchomel 2012-09-27 10:06:52 UTC --- (In reply to comment #20)

ldap_id_use_start_tls is only valid for the identiy_provider of sssd. (The part that resolves user- and groupnames). So when you use ldap for the id provider and kerberos for the auth provider such a setting might make sense.

But when you want to use the ldap for authentication is still demands to use SSL/TLS for the auth-provider part.

So if we'd add such a checkbox we should make sure to document that fact properly.

OK, back to me. Such checkbox makes sense. It needs to be documented properly, of course. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=775167 https://bugzilla.novell.com/show_bug.cgi?id=775167#c24 Jiří Suchomel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEEDINFO InfoProvider| |rhafer@suse.com --- Comment #24 from Jiří Suchomel 2012-10-05 13:44:38 UTC --- Ralf, I am not sure how to manage those 2 values. Now, I can read and write "ssl" value from /etc/ldap.conf and "ldap_id_use_start_tls" from sssd.conf User is not able to edit "ssl" value from YaST, and it should probably stay, with out usage of SSSD as default. Until now, I'm writing ldap_id_use_start_tls as true iff ssl == "start_tls", which means true by default, because I set ssl to start_tls by default. However, according to man sssd-ldap, ldap_id_use_start_tls should be false by default. So what should we do? Offer both checkboxes, for ssl and ldap_id_use_start_tls? Or just for ldap_id_use_start_tls (comment 23), but how should I decide the value of ssl than? Could I safely use "start_tls" default, regardless the value of ldap_id_use_start_tls? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=775167 https://bugzilla.novell.com/show_bug.cgi?id=775167#c26 Ralf Haferkamp changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |ASSIGNED InfoProvider|rhafer@suse.com | --- Comment #26 from Ralf Haferkamp 2012-10-08 12:33:32 CEST --- (In reply to comment #24)

User is not able to edit "ssl" value from YaST, and it should probably stay, with out usage of SSSD as default. I am not really able to parse this sentence. Could you explain in more detail what you mean by this please?

Until now, I'm writing ldap_id_use_start_tls as true iff ssl == "start_tls", which means true by default, because I set ssl to start_tls by default.

However, according to man sssd-ldap, ldap_id_use_start_tls should be false by default.

So what should we do? Offer both checkboxes, for ssl and ldap_id_use_start_tls? No.

Or just for ldap_id_use_start_tls (comment 23), but how should I decide the value of ssl than? I'd say the checkbox should update both values "ldap_id_use_start_tls" in sssd.conf and "ssl" in ldap.conf.

Could I safely use "start_tls" default, regardless the value of ldap_id_use_start_tls? Not sure what you mean by this.

(In reply to comment #25)

And additionally, which value (ldap_id_use_start_tls vs ssl == start_tls) should I use in various connection to LDAP server from YaST module? Probably it's a good idea to always try with TLS unless sssd is being configured to use krb5 authentication. Reason: As long as "chpass_provider" and/or "auth_provider" are set to "ldap" in sssd.conf sssd requires a working TLS/SSL setup. Trying to use TLS for YaST is I guess the easiest way to verify that it actually works.

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=775167 https://bugzilla.novell.com/show_bug.cgi?id=775167#c28 Jiří Suchomel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEEDINFO InfoProvider| |voyager_sat@hotmail.com --- Comment #28 from Jiří Suchomel 2012-10-08 11:19:07 UTC --- Could you please test new yast2-ldap-client package from? https://build.opensuse.org/package/binaries?package=yast2-ldap-client&project=home%3Ajsuchome&repository=openSUSE_12.2 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=775167 https://bugzilla.novell.com/show_bug.cgi?id=775167#c30 --- Comment #30 from Jiří Suchomel 2012-10-09 07:25:37 UTC --- (In reply to comment #29)

(In reply to comment #28)

...

Could you please test new yast2-ldap-client package from?

https://build.opensuse.org/package/binaries?package=yast2-ldap-client&project=home%3Ajsuchome&repository=openSUSE_12.2

tried it but again tls is not disabled .

Could you describe what have you tested? I installed yast2-ldap-client-2.23.0-1.1.noarch.rpm, started LDAP client, checked Kerberos support, unchecked TLS usage (comment 23) and ended with configuration which has "ssl" value in /etc/ldap.conf set to "no" and "ldap_id_use_start_tls" from sssd.conf set to "False" Isn't this what you wanted? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=775167 https://bugzilla.novell.com/show_bug.cgi?id=775167#c32 David Westfall changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |david.westfall@red-inc.us --- Comment #32 from David Westfall 2012-10-19 13:21:33 UTC --- I just created a bug because I can not connect my 12.2 computers to my LDAP server because the "Naming Contexts" Maps is not in LDAP Advance menu. On 12.1 the Maps returned when you turned off SSSD. The option to turn off SSSD is missing in the GUI. https://bugzilla.novell.com/show_bug.cgi?id=785865 Dave W -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=775167 https://bugzilla.novell.com/show_bug.cgi?id=775167#c34 --- Comment #34 from Jiří Suchomel 2012-10-19 13:43:43 UTC --- This is actually the same bug. 1. SSSD was made the only option in 12.2. But if you are using Kerberos for authentication, TLS does not have to be started - see comment 20. That's why there's a package for testing (comment 28), with new checkbox in SSL/TLS popup. Wait until it rebuilds and try it. 2. "Also the Use LDAP but disable logins option is no longer in the main menu." It is there, but now as a "Disable Users Logins" check box. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=775167 https://bugzilla.novell.com/show_bug.cgi?id=775167#c36 --- Comment #36 from Jiří Suchomel 2012-10-23 06:36:30 UTC --- David: GUI is cleaner when we support only one method of configuration. In next step, I expect that also the bellow blocks (nss itself) will be replaced by sssd, so GUI us just beginning. Dimitrios, could you answer my questions from comment 30? Now I do not see if my changes were enough for you.... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=775167 https://bugzilla.novell.com/show_bug.cgi?id=775167#c38 --- Comment #38 from Jiří Suchomel 2012-10-23 07:08:08 UTC --- (In reply to comment #37)

the ldap client can not create the default objects on ldap server because of the tls option (the message pops up about the tls)

So you did uncheck "Use TLS for Identity Resolve" before creating those objects, right? If so, do you have y2logs? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=775167 https://bugzilla.novell.com/show_bug.cgi?id=775167#c40 --- Comment #40 from Boris Neubert 2012-10-23 09:27:29 UTC --- (In reply to comment #36) Jiri, I was referred here from a duplicate of this issue. I admit that I have lost the thread. Our LDAP server runs on openWRT without even the opportunity to use SSL/TLS, at least not without going through some lengths. Apart from that we do not it anyway. My question is whether in the end the changes will enable us to use LDAP for user authorization without SSL/TLS as it was on 12.1. Thanks in advance for letting me know. Boris -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=775167 https://bugzilla.novell.com/show_bug.cgi?id=775167#c42 --- Comment #42 from Jiří Suchomel 2012-10-23 11:34:19 UTC --- (In reply to comment #41)

Workaround

Uninstall yast2-ldap-client Install yast2-ldap-client from 12.1 update repo.

Could you actually try what I proposed in comment 34? There's a new package available for 12.2... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=775167 https://bugzilla.novell.com/show_bug.cgi?id=775167#c45 --- Comment #45 from Jiří Suchomel 2012-10-23 12:47:37 UTC --- (In reply to comment #44)

It does not have the option to turn off SSSD and switch to the NSS maps like I asked about in the bug that I created. But someone said that my bug was duplicate of this bug.

No, it does not have option to switch to the NSS maps. We do not support it via GUI now, because we only support SSSD. I think it is a duplicate in a sense "LDAP configuration GUI changed, give me back the old one". We're not going back to NSS. We are able to help with TLS requirement by SSSD, this is specificaly what this bug is about. Sorry, I did not recognized this is not your problem. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

Where is the documentation in SDB for SSSD. Why should there? sssd provides excellent documentation already in its man

https://bugzilla.novell.com/show_bug.cgi?id=775167 https://bugzilla.novell.com/show_bug.cgi?id=775167#c47 --- Comment #47 from Ralf Haferkamp 2012-10-23 16:36:15 CEST --- (In reply to comment #46) pages. sssd(8) and sssd.conf(5) for general sssd documentation and sssd-ldap(5) for docs specific to the LDAP backend. [..]

Even with SSSD you need to be able to split your different account types to different branches and limit searches to one level vice an entire three or branch. It does, see the sssd-ldap man page. (No, you can't edit those settings via the YaST module currently, but I think it will also not touch/delete them when you add them manually.)

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=775167 https://bugzilla.novell.com/show_bug.cgi?id=775167#c49 --- Comment #49 from David Sterba 2012-11-01 23:35:24 CET --- (In reply to comment #28)

Could you please test new yast2-ldap-client package from?

https://build.opensuse.org/package/binaries?package=yast2-ldap-client&project=home%3Ajsuchome&repository=openSUSE_12.2

FWIW, I've installed the packages, rerun yast ldap cliet config, and it works as expected. Thanks! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.