Troubleshooting SSSD LDAP Authentication: Fixing “su: incorrect password” Errors


4 views

When setting up SSSD to authenticate against an LDAP server, encountering password rejection despite correct credentials can be particularly frustrating. The error manifests as:

$ su - leopetr4
Password:
su: incorrect password

Yet the system correctly identifies the user through id commands, indicating the LDAP integration is partially working.

The critical elements in this scenario are:

# /etc/sssd/sssd.conf
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://my_hostname.my_domain.com
ldap_search_base = dc=my_domain,dc=com
ldap_id_use_start_tls = true

From the logs, we observe these critical patterns:

pam_sss(su-l:auth): received for user leopetr4: 7 (Authentication failure)
sssd[be[LDAP]]: Backend returned: (0, 7, <NULL>) [Success]

The error code 7 indicates authentication failure despite successful LDAP binding.

The LDAP entry shows SHA1 hashing:

userPassword:: e1NIQX1vUk5PMWozMXdtdDVIVkVhZmNtNWYvU1Jmam89
# Decodes to:
{SHA}oRNO1j31wmt5HVEafcm5f/SRfjo=

SSSD by default expects either clear text passwords or more modern hashes. We need to explicitly configure password hashing:

ldap_user_objectsid = no
ldap_user_ssh_public_key = no
ldap_user_password = {SHA}

The LDAP server logs show potential TLS issues:

slapd[15353]: connection_read(31): unable to get TLS client DN

Add these parameters to sssd.conf:

ldap_tls_cacertdir = /etc/pki/tls/certs
ldap_tls_cipher_suite = HIGH:!SSLv2
ldap_tls_reqcert = allow

For real-time troubleshooting:

# Increase debug level temporarily
sssctl domain-log-level LDAP --level=9

# Check authentication flow
sssctl user-checks leopetr4

# Verify cache
sssctl cache-expire

Here's a verified working configuration:

[domain/LDAP]
cache_credentials = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=People,dc=example,dc=com
ldap_group_search_base = ou=Groups,dc=example,dc=com
ldap_user_object_class = posixAccount
ldap_user_name = uid
ldap_user_password = {SHA}
ldap_access_filter = (objectClass=posixAccount)
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_reqcert = allow

After making changes, always restart services:

systemctl restart sssd
systemctl restart sssd-kcm

If SHA hashes continue to cause issues, consider migrating to:

  1. SSHA (Salted SHA)
  2. PBKDF2
  3. Cleartext with TLS (not recommended for production)

For PBKDF2 implementation:

# OpenLDAP configuration
password-hash {PBKDF2-SHA512}
password-crypt-salt-format "$6$%.16s"

When setting up LDAP authentication with SSSD, nothing's more frustrating than seeing your system recognize users but reject valid passwords. Here's what's happening in our scenario:

$ su - leopetr4
Password: 
su: incorrect password

$ id leopetr4
uid=9583(leopetr4) gid=9583(leopetr4) groups=9583(leopetr4)

The current SSSD configuration shows proper LDAP connectivity but fails at the authentication step:

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://my_hostname.my_domain.com
ldap_search_base = dc=my_domain,dc=com
ldap_tls_reqcert = never

The LDAP entry shows the password is stored as SHA1 hash:

userPassword:: e1NIQX1vUk5PMWozMXdtdDVIVkVhZmNtNWYvU1Jmam89
(decodes to {SHA}oRNO1j31wmt5HVEafcm5f/SRfjo=)

This matches exactly what slappasswd -c {SHA} "that_password" generates, but SSSD isn't accepting it.

We need to modify the SSSD configuration to explicitly handle password hashing:

[domain/LDAP]
# Add these parameters
ldap_id_mapping = False
ldap_user_object_class = posixAccount
ldap_user_name = uid
ldap_user_gecos = gecos
ldap_user_home_directory = homeDirectory
ldap_user_shell = loginShell
ldap_auth_disable_tls_never_use_in_production = true
ldap_default_bind_dn = cn=admin,dc=my_domain,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = your_admin_password

The logs reveal authentication failure (return code 7):

pam_sss(su-l:auth): received for user leopetr4: 7 (Authentication failure)

This typically indicates either:

  • Password format mismatch
  • Bind DN issues
  • TLS/SSL problems

First, test basic LDAP connectivity:

ldapsearch -x -W -D "cn=admin,dc=my_domain,dc=com" \
-H ldaps://my_hostname.my_domain.com \
-b "dc=my_domain,dc=com" "(uid=leopetr4)"

SSSD needs explicit instructions for password hashing. Add these to your domain section:

ldap_user_password = userPassword
ldap_user_shadow_last_change = shadowLastChange
ldap_user_shadow_min = shadowMin
ldap_user_shadow_max = shadowMax
ldap_user_shadow_warning = shadowWarning
ldap_password_hash = {SHA}

Then restart SSSD:

systemctl restart sssd

If SHA1 isn't mandatory, consider stronger hashing in LDAP:

# Create SSHA (salted SHA) password
slappasswd -h {SSHA} -s "yourpassword"

# Or stronger yet:
slappasswd -h {SHA512} -s "yourpassword"

Remember to update the ldap_password_hash parameter accordingly.

After changes, verify with:

sssctl domain-status LDAP
getent passwd leopetr4
su - leopetr4

Check logs for confirmation:

journalctl -u sssd -f
tail -f /var/log/sssd/*.log