SSSD 2.x in Enterprise Linux 8 appears to apply stricter checks to the base DN (ldap_search_base). eDirectory has no actual 'root' to its tree, so it provides a pseudo object for applications that require a base DN: t=treename, e.g. t=my-domain. This worked fine with SSSD 1.16 in EL7. However, it isn't a valid X.509 type, and SSSD 2.x will fail to authenticate during initgroups if you use it as a search base; the error "Invalid DN Syntax(34)" is logged when debugging is enabled (note also that debug_level must now be set in the [domain] section of sssd.conf, not in [sssd]).

The fix is to leave out ldap_search_base altogether, as eDirectory doesn't require it. You can still set lower-level DNs for ldap_user_search_base and ldap_group_search_base if they are available and standard (e.g. ou=Users,o=Organisation).
(Documenting this because it cost me a week of headbanging.)
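To catch this before it costs anyone else a week, here is a small audit script (added here as an example, not part of the original note or of SSSD itself) that flags the two problems described above in an sssd.conf: a search base that is an eDirectory tree pseudo-DN (t=...), and debug_level placed in [sssd] rather than in the domain section. The two configurations embedded in it are constructed samples; the domain name, LDAP URI and container DNs are assumptions.

```python
import configparser
import re

# Constructed sample: the EL7-era configuration that fails on SSSD 2.x.
BROKEN_CONF = """
[sssd]
domains = example
debug_level = 9

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://edir.example.net
ldap_search_base = t=my-domain
"""

# Constructed sample: the corrected configuration (no ldap_search_base,
# container-level search bases, debug_level moved into the domain section).
FIXED_CONF = """
[sssd]
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://edir.example.net
ldap_user_search_base = ou=Users,o=Organisation
ldap_group_search_base = ou=Groups,o=Organisation
debug_level = 9
"""

# Matches a DN whose leading RDN is the eDirectory tree pseudo-object, e.g. "t=my-domain".
TREE_RDN = re.compile(r"^\s*t\s*=", re.IGNORECASE)

SEARCH_BASE_KEYS = ("ldap_search_base", "ldap_user_search_base", "ldap_group_search_base")


def audit_sssd_conf(text):
    """Return a list of (section, message) findings for the given sssd.conf text."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    if cfg.has_option("sssd", "debug_level"):
        findings.append(("sssd", "debug_level in [sssd] does not enable domain debugging on SSSD 2.x; set it in [domain/...]"))
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        for key in SEARCH_BASE_KEYS:
            value = cfg.get(section, key, fallback=None)
            if value is not None and TREE_RDN.match(value):
                findings.append((section, f"{key} = {value} is an eDirectory tree pseudo-DN; SSSD 2.x rejects it (Invalid DN Syntax(34)); drop it or use a container DN"))
    return findings
```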