What were you trying to do that didn't work?
The following messages clutter the log, making troubleshooting harder.
```
(2024-08-26 12:13:43): [be[example.com]] [sdap_get_generic_op_finished] (0x0400): Search result: Inappropriate authentication(48), Anonymous access is not allowed.
(2024-08-26 12:13:43): [be[example.com]] [sdap_get_generic_op_finished] (0x0040): Unexpected result from ldap: Inappropriate authentication(48), Anonymous access is not allowed.
```
When 389-DS (from either IPA or RHDS) has nsslapd-allow-anonymous-access: off, even with the ldap_default_bind_dn in sssd.conf
```
[domain/example]
# id_provider may be ipa or ldap (sssd.conf does not support inline comments)
id_provider = ipa
auth_provider = ipa
# default ldap_sasl_auth should work
..
```
sssd_$domain.log still showed the debug level 2 message Inappropriate authentication(48),...:
```
(2024-08-26 12:13:43): [be[example.com]] [sdap_get_generic_op_finished] (0x0400): Search result: Inappropriate authentication(48), Anonymous access is not allowed.
(2024-08-26 12:13:43): [be[example.com]] [sdap_get_generic_op_finished] (0x0040): Unexpected result from ldap: Inappropriate authentication(48), Anonymous access is not allowed.
```
The id resolution and authentication still work normally. KCS: Solution 6464501 also states that we can ignore the error.
Please provide the package NVR for which bug is seen:
sssd-2.9.4-6.el9_4.1.x86_64
How reproducible:
Always
Steps to reproduce
- On the RHDS or IPA server, turn off nsslapd-allow-anonymous-access in the LDAP server
- In sssd, use id_provider = ldap or ipa
- With id_provider=ldap, make sure there are a valid `ldap_default_bind_dn` and credential
- With id_provider=ipa, make sure the key of the host principal host/host.example.com@EXAMPLE.COM works, so the ldap_sasl_authid default value should work
- Restart sssd
Expected results
Suppress the error when you have a valid bind DN or SASL auth ID
Actual results
(2024-08-26 12:13:43): [be[example.com]] [sdap_get_generic_op_finished] (0x0040): Unexpected result from ldap: Inappropriate authentication(48), Anonymous access is not allowed.
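
A triage filter for the log lines quoted in this report, as an added example that is not part of the original report or of SSSD: it hides only lines carrying LDAP result 48 together with the anonymous-access diagnostic, and counts them, so any other LDAP failure stays visible. The third sample line and all function names here are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the first two lines follow the format quoted in the report,
# the third is an invented, unrelated failure that must stay visible.
SAMPLE_LOG = """\
(2024-08-26 12:13:43): [be[example.com]] [sdap_get_generic_op_finished] (0x0400): Search result: Inappropriate authentication(48), Anonymous access is not allowed.
(2024-08-26 12:13:43): [be[example.com]] [sdap_get_generic_op_finished] (0x0040): Unexpected result from ldap: Inappropriate authentication(48), Anonymous access is not allowed.
(2024-08-26 12:14:02): [be[example.com]] [sdap_get_generic_op_finished] (0x0040): Unexpected result from ldap: Invalid credentials(49), no errmsg set
"""

# (timestamp): [process] [function] (debug mask): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\): \[(?P<proc>\S+?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<mask>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# "...<result text>(<code>), <diagnostic message>"
RESULT_RE = re.compile(r"\((?P<code>\d+)\), (?P<diag>.*)$")

LDAP_INAPPROPRIATE_AUTH = 48  # result code shown in the report
ANON_DIAG = "Anonymous access is not allowed"


def is_anonymous_denial(msg):
    """True only for result 48 carrying the anonymous-access diagnostic."""
    m = RESULT_RE.search(msg)
    return bool(m) and int(m["code"]) == LDAP_INAPPROPRIATE_AUTH and ANON_DIAG in m["diag"]


def triage(log_text):
    """Return (kept_lines, suppressed); suppressed counts hidden lines per (function, mask)."""
    kept, suppressed = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_anonymous_denial(m["msg"]):
            suppressed[(m["func"], m["mask"])] += 1
        else:
            kept.append(line)  # lines that do not parse are kept, never dropped
    return kept, suppressed


if __name__ == "__main__":
    kept, suppressed = triage(SAMPLE_LOG)
    print("\n".join(kept))
    for (func, mask), n in sorted(suppressed.items()):
        print(f"# suppressed {n} anonymous-access denial(s) from {func} at {mask}")
```

The per-function count keeps the volume of suppressed denials visible instead of discarding it silently.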