From Fedora Project Wiki
(Initial draft) |
m (Update SSSD project's link) |
||
(2 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
{{draft}} | {{draft}} | ||
This page provides a few steps to self-diagnose problems encountered when using SSSD. For additional information on using SSSD, see https:// | This page provides a few steps to self-diagnose problems encountered when using SSSD. For additional information on using SSSD, see https://sssd.io. | ||
# Using the {{command|ping}} command, confirm you can you can contact the servers used when configuring SSSD. | # Using the {{command|ping}} command, confirm you can you can contact the servers used when configuring SSSD. | ||
Line 8: | Line 8: | ||
## The directory {{filename|/etc/openldap/cacerts}} contains the certificate | ## The directory {{filename|/etc/openldap/cacerts}} contains the certificate | ||
## The directory {{filename|/etc/openldap/cacerts}} contains a hash symlink to the certificate | ## The directory {{filename|/etc/openldap/cacerts}} contains a hash symlink to the certificate | ||
# Enable SSSD debugging output | # Enable SSSD debugging output | ||
# | ## Setting <code>debug_level = 5</code> in {{filename|/etc/sssd/sssd.conf}}. | ||
# | ## Next, restart SSSD by typing {{command|service sssd restart}} | ||
## Finally, inspect the SSSD log files for any clues {{filename|/var/log/sssd/*}} | |||
# Verify that the services work when not called by SSSD. | # Verify that the services work when not called by SSSD. | ||
#* For example, using a LDAP server IP of ''10.1.0.7'' and a base of ''dc=hurr,dc=org'', you could search using a simple anonymous bind and with ''mandatory'' TLS to confirm LDAP server connectivity using {{command|ldapsearch}}. | #* For example, using a LDAP server IP of ''10.1.0.7'' and a base of ''dc=hurr,dc=org'', you could search using a simple anonymous bind and with ''mandatory'' TLS to confirm LDAP server connectivity using {{command|ldapsearch}}. | ||
#*: <pre> | #*: <pre>ldapsearch -x -ZZ -H ldap://10.1.0.7 -b dc=hurr,dc=org</pre> | ||
#* Using the same information, now try communicating ''without'' TLS | #* Using the same information, now try communicating ''without'' TLS | ||
#*: <pre> | #*: <pre>ldapsearch -x -H ldap://10.1.0.7 -b dc=hurr,dc=org</pre> | ||
[[Category:Debugging|S]] [[Category:How to]] | [[Category:Debugging|S]] [[Category:How to]] |
Latest revision as of 20:43, 31 August 2024
This page provides a few steps to self-diagnose problems encountered when using SSSD. For additional information on using SSSD, see https://sssd.io.
- Using the
ping
command, confirm you can you can contact the servers used when configuring SSSD. - Inspect the system logs
/var/log/secure
and/var/log/messages
for suspicious log messages - If using TLS, verify that ...
- The directory
/etc/openldap/cacerts
contains the certificate - The directory
/etc/openldap/cacerts
contains a hash symlink to the certificate
- The directory
- Enable SSSD debugging output
- Setting
debug_level = 5
in/etc/sssd/sssd.conf
. - Next, restart SSSD by typing
service sssd restart
- Finally, inspect the SSSD log files for any clues
/var/log/sssd/*
- Setting
- Verify that the services work when not called by SSSD.
- For example, using a LDAP server IP of 10.1.0.7 and a base of dc=hurr,dc=org, you could search using a simple anonymous bind and with mandatory TLS to confirm LDAP server connectivity using
ldapsearch
.ldapsearch -x -ZZ -H ldap://10.1.0.7 -b dc=hurr,dc=org
- Using the same information, now try communicating without TLS
ldapsearch -x -H ldap://10.1.0.7 -b dc=hurr,dc=org
- For example, using a LDAP server IP of 10.1.0.7 and a base of dc=hurr,dc=org, you could search using a simple anonymous bind and with mandatory TLS to confirm LDAP server connectivity using