Re: [SSSD-users] RHEL5, sssd and the Global Catalog

2013-05-09 Thread Jakub Hrozek
On Tue, May 07, 2013 at 02:35:00PM -0400, will_dar...@navyfederal.org wrote:
>Have configured a couple of hundred hosts to use sssd w/ LDAP to connect
>to the Global Catalog of a Windows 2008 Domain for identity and
>authentication.  All of my RHEL6 servers appear to be fine, however
>certain accounts on certain systems in my RHEL5 environments are having
>issues.
> 

I'm not aware of differences between RHEL5 and RHEL6 codebase with
respect to LDAP searches that might cause this problem.

>upon su -  I get the following
>[root@slvdcls15 ~]# su - wasadmin
>id: cannot find name for user ID 1209
>id: cannot find name for user ID 1209
> 
>issuing a crontab -l also seems problematic...
> 
>$ crontab -l
>crontab: your UID isn't in the passwd file.
>bailing out.
> 
>However querying sssd for info seems ok
>$ id
>uid=1209(wasadmin) gid=1209(was) groups=1209(was)
> 
>$ getent passwd wasadmin
>wasadmin:*:1209:1209:WebSphere admin:/home/wasadmin:/bin/ksh
> 
>Appreciate any advice or assistance in troubleshooting
> 
>Package info
>sssd-1.5.1-58.el5
> 
>Release
>2.6.18-348.3.1.el5
> 
>/etc/sssd/sssd.conf
>[domain/sample]
>description = Domain
>debug_level = 9

I see you already raised debugging in the domain section, can you paste
or attach the domain logs? Feel free to sanitize them first to remove
any sensitive information.

Can you also put the debug_level stanza to the [nss] section to gather
logs from the NSS responder?

>enumerate = false
>id_provider = ldap
>auth_provider = ldap
>chpass_provider = ldap
>access_provider = ldap
> 
>ldap_uri = ldaps://:3269
>ldap_tls_cacertdir = /etc/openldap/cacerts
>ldap_tls_cacert = /etc/openldap/cacerts/certificate.cer
>ldap_search_base = dc=domain,dc=net
>ldap_default_bind_dn = cn=aixldap,OU=service accounts,DC=sub,DC=domain,DC=net
>ldap_default_authtok_type = password
>ldap_default_authtok = 
>ldap_access_filter = (|(department=*unixadmin*)(department=*tools*)(department=*was*)(department=*oracle*))
>ldap_pwd_policy = none
>ldap_user_name = cn
>ldap_user_object_class = user
>ldap_group_object_class = group
>ldap_schema = rfc2307bis
>ldap_user_home_directory = unixHomeDirectory
>ldap_tls_reqcert = never
>ldap_referrals = false
>case_sensitive = false
> 
>[sssd]
> 
>services = nss, pam
>config_file_version = 2
>domains = nfcu
> 
>[nss]
> 
>[pam]
>offline_credentials_expiration = 5
> 
>[sudo]
> 
>[autofs]
> 
>[ssh]
> 
>/* -
>Will Darton
>I.T. Operations
>Information Services
>Navy Federal Credit Union
>wk 703.255.8639
>cell: 703.232.2344
>will_dar...@navyfederal.org
>*/


___
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users


Re: [SSSD-users] Ldap Help

2013-05-09 Thread Jakub Hrozek
On Wed, May 08, 2013 at 01:29:24PM -0400, Dmitri Pal wrote:
> On 05/08/2013 12:57 PM, Brandon Foster wrote:
> > On Wed, May 8, 2013 at 9:52 AM, Sumit Bose  wrote:
> >> On Wed, May 08, 2013 at 09:43:48AM -0700, Brandon Foster wrote:
> >>> On Wed, May 8, 2013 at 9:26 AM, Wojtak, Greg (Superfly) wrote:
>  I think your syntax is a little off.  Try
> 
>  ldapsearch -x -LLL '(&(uid=test.user)(objectClass=posixAccount))' uid
>  uidnumber homedirectory gidnumber loginshell
> 
>  You should have those 5 values returned.
> 
>  --
>  Greg Wojtak
>  Senior Unix Systems Engineer
>  Office: (313) 373-4306
>  Mobile: (734) 718-8472
> 
>  On 5/8/13 11:52 AM, "Brandon Foster"  wrote:
> 
> > On Wed, May 8, 2013 at 5:05 AM, Sumit Bose  wrote:
> >> On Tue, May 07, 2013 at 11:39:45AM -0700, Brandon Foster wrote:
> >>> Hey all,
> >>> I'm back with another LDAP question. This time I rebuilt sssd and
> >>> followed this guide:
> >>>
> >>> http://blog.f1linux.com/2013/04/21/howto-part-3-ldap-client-configuration-and-troubleshooting/
> >>> for setting up ldap authentication on my centos 6.4 system.
> >>>
> >>> my firewall is off and selinux is disabled.
> >>>
> >>> when I do an ldapsearch -x "cn=test.user" it returns all the correct
> >>> information, but doing id test.user returns no user.
> >> As you can see from the logs SSSD is using
> >> "(&(uid=test.user)(objectclass=posixAccount))" as search filter, can you
> >> check if ldapsearch with this filter finds the entry as well?
> >> Additionally can you check that the user object is located below the
> >> search base you have given in sssd.conf?
> >>
> >> HTH
> >>
> >> bye,
> >> Sumit
> >>> I've attached the log files and all of the relevant files and maybe
> >>> some non relevant ones as well.
> >>>
> >>> it appears as though it is searching for the user but is simply not
> >>> finding anything. Is there an option to search for cn=test.user? and
> >>> not by uid?
> >>>
> >>> any help will be much appreciated.
> > thanks for the reply,
> > the user is definitely under the groups in sssd.conf.
> >
> > ldapsearch with objectclass=posixAccount seems to be part of the
> > issue. Also it is searching for uid rather than the cn of the user.
> >
> > if I do ldapsearch -x "uid= it works fine
> >
> > if I do ldapsearch -x "uid=" "objectclass=posixAccount" it does not.
> >
> > ldapsearch -x "uid=test.user" returns all of the users in the search.
> >
> > and finally ldapsearch -x "uid=test.user" "objectclass=posixAccount"
> > returns no users.
> >
> > so how do I tell my sssd to not use this filter? and to use cn instead of
> > uid?
> >>>
> >>> sorry, not too familiar with the ldapsearch commands.
> >>>
> >>> anyways, test.user is not of objectclass posixAccount so with that
> >>> filter nothing comes back, if I change it to cn= and objectclass=<objectclass test.user is a part of>
> >>> then it just returns the DN of the user.
> >>>
> >>> ldap_user_name = cn
> >>> ldap_user_object_class =
> >>>
> >>> attributes in sssd.conf seem to be altering these values for me when i
> >>> search for the id of test.user.
> >>>
> >>> but it can't seem to find uid uidnumber homedirectory gidnumber or
> >>> loginshell attributes for my users.
> >> It looks like you are using a custom LDAP schema. You can map the
> >> default attributes for home directory etc to other values with
> >>
> >> ldap_user_home_directory
> >> ldap_user_uid_number
> >> ldap_user_gid_number
> >> ldap_user_shell
> >>
> >> respectively, see man sssd-ldap for more details, e.g. how to map group
> >> attributes.
> >>
> >> HTH
> >>
> >> bye,
> >> Sumit

[SSSD-users] Nested Groups in ldap_access_filter?

2013-05-09 Thread Wojtak, Greg (Superfly)
I'm trying to set up sssd with access_provider = ldap.  I'm having a little 
trouble getting the ldap_access_filter working the way I want to.

The way I want to do it is to create a Resource Group in AD that contains the 
Unix Team group and then whichever users need access to the system.  So we'd 
have, say:

cn=Server1AccessGroup,ou=Groups,….
member: cn=Unix Team,ou=Groups,…
member: cn=User A,…
member: cn=User B,…


Is there a way to craft the ldap_access_filter based on the above such that the 
members of Unix Team and  then the two users will be allowed access?

As an ancillary question to this, I'd like some clarification of how 
ldap_access_filter works exactly.  Is it simply that the user's DN who is 
trying to login needs to match a result of the query specified in the access 
filter line?

Thanks!

--
Greg Wojtak
Senior Unix Systems Engineer
Office: (313) 373-4306
Mobile: (734) 718-8472


Re: [SSSD-users] Nested Groups in ldap_access_filter?

2013-05-09 Thread Ondrej Valousek
What about configuring sssd to make use of the POSIX attributes in AD and 
define those attributes only for people you want to allow in?
Sounds the easiest form to me.

Ondrej



Re: [SSSD-users] Nested Groups in ldap_access_filter?

2013-05-09 Thread Wojtak, Greg (Superfly)
Because just about everyone in our organization will have the POSIX
attributes, but we don't want everyone to be able to log into every
server.  For example, we have bankers that will ONLY log into our
origination system, the engineers and admins log in everywhere, the devs
log into dev and sometimes test but not prod or staging, etc.

We're using netgroups to control this now, but that is… icky.


-- 
Greg Wojtak
Senior Unix Systems Engineer
Office: (313) 373-4306
Mobile: (734) 718-8472


Re: [SSSD-users] Nested Groups in ldap_access_filter?

2013-05-09 Thread Stephen Gallagher
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 05/09/2013 09:08 AM, Wojtak, Greg (Superfly) wrote:
> I'm trying to set up sssd with access_provider = ldap.  I'm having
> a little trouble getting the ldap_access_filter working the way I
> want to.
> 
> The way I want to do it is to create a Resource Group in AD that 
> contains the Unix Team group and then whichever users need access
> to the system.  So we'd have, say:
> 
> cn=Server1AccessGroup,ou=Groups,….
> member: cn=Unix Team,ou=Groups,…
> member: cn=User A,…
> member: cn=User B,…
> 
> 
> Is there a way to craft the ldap_access_filter based on the above 
> such that the members of Unix Team and  then the two users will be 
> allowed access?
> 
> As an ancillary question to this, I'd like some clarification of
> how ldap_access_filter works exactly.  Is it simply that the user's
> DN who is trying to login needs to match a result of the query
> specified in the access filter line?
> 


If you're basing access control entirely off of group membership, then
you would probably have better luck by doing:

access_provider = simple
simple_allow_groups = Server1AccessGroup

This assumes that Server1AccessGroup and "Unix Team" are both Posix
Groups (they have a GID assigned) and are visible when doing 'getent
group Server1AccessGroup'.


The way the access filter works is that it's ANDed with a lookup
string for the user. So it only works based on values that are present
in the *user* entry. So you could create a filter for the presence of
the memberOf=cn=Server1AccessGroup,ou=Groups,…

But the catch here is that AD has only one-level memberOf (it only
lists the direct parent, not any nested parents). Thus with Active
Directory it's probably better to use the simple_allow_groups method,
since that handles the nesting properly.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlGLpugACgkQeiVVYja6o6ORGQCdGyvgT9vxHf83AWXW3ujoCfrv
ynUAni/G3ZIk4lC8aLWm/CoeqjWize/4
=tnph
-END PGP SIGNATURE-


Re: [SSSD-users] Nested Groups in ldap_access_filter?

2013-05-09 Thread Wojtak, Greg (Superfly)
Thanks for the help.  Would a similar solution be to set the
ldap_access_filter to (&(cn=unix team,…)(cn=server1access,...)) with the
server1access group containing the member's dn's?  The reason I ask this
is so that we can avoid having to assign gidnumbers to these groups?
-- 
Greg Wojtak
Senior Unix Systems Engineer
Office: (313) 373-4306
Mobile: (734) 718-8472


Re: [SSSD-users] Nested Groups in ldap_access_filter?

2013-05-09 Thread Stephen Gallagher
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 05/09/2013 09:58 AM, Wojtak, Greg (Superfly) wrote:
> Thanks for the help.  Would a similar solution be to set the 
> ldap_access_filter to (&(cn=unix team,…)(cn=server1access,...))
> with the server1access group containing the member's dn's?  The
> reason I ask this is so that we can avoid having to assign
> gidnumbers to these groups?
> 

This won't work because the user will only have one or the other
memberOf attribute. You *could* do:

ldap_access_filter = (|(memberOf=cn=unix team...)(memberOf=cn=server1access...))

(note the OR there). But the problem with this is that you will need
to update your client configuration manually any time a new group is
added to the nesting. That's why I'd recommend just assigning POSIX
attributes and using the simple access provider.

Also, feel free to open an RFE to request a nested-non-POSIX access
provider extension for LDAP in our bug tracker at
https://fedorahosted.org/sssd

You're not the first person to ask for it, but it's trickier than you
might expect to get it right.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlGLrjgACgkQeiVVYja6o6MRqACgiIhdn+/bJVTGswLFU+gznsUE
BPYAoJ8q0ACOair18Eof2ICPdEb+TdHF
=w7NP
-END PGP SIGNATURE-
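Two mechanics come up in these threads: in the "Ldap Help" thread, Sumit points out that SSSD looks users up with `(&(uid=test.user)(objectclass=posixAccount))` and that `ldap_user_name` / `ldap_user_object_class` change that filter; here, Stephen explains that `ldap_access_filter` is ANDed onto that same user lookup, so it only sees attributes on the user entry, and that AD's `memberOf` lists direct parents only, which is why nested groups need `simple_allow_groups`. The following is an added example written for this page, not SSSD's code: a toy in-memory directory (constructed `example.com` DNs, users and groups) with a small LDAP filter evaluator, so both behaviours can be observed side by side. The transitive group walk in `nested_members` stands in for the group resolution the simple provider gets from the identity provider; it is a model, not SSSD's implementation.

```python
"""Toy model (added example, not SSSD code) of two mechanics from these threads:
how sssd-ldap builds its user lookup filter from ldap_user_name and
ldap_user_object_class, and how ldap_access_filter is ANDed onto that lookup,
compared with the simple access provider resolving nested group membership.
Filter evaluation covers a small RFC 4515 subset: (&..), (|..), (!..), (a=v), '*'."""
import fnmatch

# Constructed directory. As in AD, memberOf on a user lists only the groups the
# user is a *direct* member of; nesting is visible only from the group side.
SERVER1 = "cn=Server1AccessGroup,ou=Groups,dc=example,dc=com"
UNIX_TEAM = "cn=Unix Team,ou=Groups,dc=example,dc=com"
USERS = {
    "cn=User A,ou=Users,dc=example,dc=com": {
        "cn": "User A", "uid": "usera", "objectclass": ["user", "posixAccount"],
        "department": "tools", "memberof": [SERVER1]},
    "cn=Unix Admin,ou=Users,dc=example,dc=com": {  # in SERVER1 only via UNIX_TEAM
        "cn": "Unix Admin", "uid": "unixadmin", "objectclass": ["user", "posixAccount"],
        "department": "unixadmin", "memberof": [UNIX_TEAM]},
    "cn=Banker,ou=Users,dc=example,dc=com": {
        "cn": "Banker", "uid": "banker", "objectclass": ["user", "posixAccount"],
        "department": "lending", "memberof": []},
    "cn=test.user,ou=Users,dc=example,dc=com": {  # no posixAccount object class
        "cn": "test.user", "uid": "test.user", "objectclass": ["user"],
        "department": "dev", "memberof": []},
}
GROUPS = {  # group DN -> member DNs (users or nested groups)
    SERVER1: [UNIX_TEAM, "cn=User A,ou=Users,dc=example,dc=com"],
    UNIX_TEAM: ["cn=Unix Admin,ou=Users,dc=example,dc=com"],
}


def parse_filter(text):
    """Parse an LDAP search filter string into a nested tuple tree."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing data after filter: %r" % rest)
    return node


def _parse(s):
    if not s.startswith("("):
        raise ValueError("expected '(' at %r" % s)
    s = s[1:]
    if s[:1] in ("&", "|", "!"):
        op, s, kids = s[0], s[1:], []
        while s.startswith("("):
            kid, s = _parse(s)
            kids.append(kid)
        if not s.startswith(")"):
            raise ValueError("unterminated '%s' filter" % op)
        return (op, kids), s[1:]
    end = s.index(")")                        # the DN values used here contain no ')'
    attr, _, value = s[:end].partition("=")   # split at the first '=' only (memberOf=cn=...)
    return ("=", attr.strip().lower(), value), s[end + 1:]


def matches(node, entry):
    """Evaluate a parsed filter against one entry. Matching is case-insensitive,
    as AD matches and as case_sensitive = false in the thread's sssd.conf."""
    op = node[0]
    if op == "=":
        _, attr, want = node
        have = entry.get(attr, [])
        have = [have] if isinstance(have, str) else have
        want = want.lower()
        return any(fnmatch.fnmatchcase(v.lower(), want) if "*" in want else v.lower() == want
                   for v in have)
    kids = node[1]
    if op == "&":
        return all(matches(k, entry) for k in kids)
    if op == "|":
        return any(matches(k, entry) for k in kids)
    return not matches(kids[0], entry)        # "!"


def user_lookup_filter(name, ldap_user_name="uid", ldap_user_object_class="posixAccount"):
    """The filter sssd-ldap searches with; defaults are the ones Sumit quotes."""
    return "(&(%s=%s)(objectClass=%s))" % (ldap_user_name, name, ldap_user_object_class)


def find_user(name, **mapping):
    f = parse_filter(user_lookup_filter(name, **mapping))
    return [dn for dn, e in USERS.items() if matches(f, e)]


def ldap_access_allowed(name, access_filter, **mapping):
    """access_provider = ldap: the access filter is ANDed with the user lookup,
    so only attributes present on the user entry (e.g. direct memberOf) count."""
    f = parse_filter("(&%s%s)" % (user_lookup_filter(name, **mapping), access_filter))
    return any(matches(f, e) for e in USERS.values())


def nested_members(group_dn, seen=None):
    """Transitive membership of a group, following nested groups (model only)."""
    seen = set() if seen is None else seen
    for m in GROUPS.get(group_dn, []):
        if m not in seen:
            seen.add(m)
            nested_members(m, seen)
    return {dn for dn in seen if dn in USERS}


def simple_allow_groups(name, allowed_group_dns, **mapping):
    """access_provider = simple: allowed if the user is a (nested) member of any listed group."""
    return any(dn in nested_members(g) for g in allowed_group_dns for dn in find_user(name, **mapping))


if __name__ == "__main__":
    print(find_user("test.user"), find_user("test.user", ldap_user_object_class="user"))
    direct = "(memberOf=%s)" % SERVER1
    print(ldap_access_allowed("usera", direct), ldap_access_allowed("unixadmin", direct))
    print(simple_allow_groups("unixadmin", [SERVER1]), simple_allow_groups("banker", [SERVER1]))
```

Running it shows the three outcomes the thread describes: `test.user` is invisible until the object class mapping matches the entry; `unixadmin` is refused by a `memberOf=Server1AccessGroup` access filter because the user entry only carries the direct `Unix Team` parent, and is admitted either by the OR-ed filter Stephen suggests or by the nested resolution behind `simple_allow_groups`. The department-substring filter from the first thread (`(|(department=*unixadmin*)...)`) works the same way, since `department` lives on the user entry.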


[SSSD-users] Multiple ldap accounts for sudo and users in sssd.conf

2013-05-09 Thread michael gabriel
Hi there,

We have two different ldap "accounts". One is used to get user account
information and the other is used get sudo information.

Is there a way to have two ldap_default_bind_dn's and ldap_default_authtok's
for each of these accounts configured in sssd.conf?


Thanks

Mickeyg


Re: [SSSD-users] Multiple ldap accounts for sudo and users in sssd.conf

2013-05-09 Thread Jakub Hrozek
On Thu, May 09, 2013 at 04:20:43PM +0100, michael gabriel wrote:
> Hi there,
> 
> We have two different ldap "accounts". One is used to get user account
> information and the other is used get sudo information.
> 
> Is there a way to have two ldap_default_bind_dn's and ldap_default_authtok's
> for each of these accounts configured in sssd.conf?

No, currently that's not possible, sorry. The SSSD currently only keeps
one connection to the LDAP server open for retrieving identity
information and only performs binds to authenticate users.

Is there a reason you don't want to use the "sudo" account to read user
information as well? Is only the other account permitted to read
non-sudoers information?


Re: [SSSD-users] RHEL5, sssd and the Global Catalog (Jakub Hrozek)

2013-05-09 Thread Jakub Hrozek
On Thu, May 09, 2013 at 09:39:07AM -0400, will_dar...@navyfederal.org wrote:
>If this comes across as HTML sorry.. gotta find a better mail client for
>mailing lists... :/
>I grabbed these logs right after attempting a su - espadmin, so that
>should narrow down what's there.  I should mention this happens on any
>RHEL5 server, not just this specific one, but it only happens with a
>couple of accounts from the Global Catalog, not all of them...
>Which leads me to believe it's something specific to RHEL5 and these two
>accounts..  just not sure what is missing that RHEL5 is expecting?
> 
>Thanks for the assist.
> 

Here is one peculiar thing - the SSSD was searching for a user entry and
got two results. Are you sure you're not seeing a similar message on the
RHEL6 clients?

>(Thu May  9 09:34:47 2013) [sssd[be[nfcu]]] [sdap_get_initgr_user] (2):
>Expected one user entry and got 2

The other interesting point I found in the logs is:
>(Thu May  9 09:34:46 2013) [sssd[be[nfcu]]] [sdap_save_user] (9): Save
>user
>(Thu May  9 09:34:46 2013) [sssd[be[nfcu]]] [sdap_save_user] (1): no uid
>provided for [ESPAdmin] in domain [nfcu].

It seems that the SSSD didn't find the UID number. Are you sure the SSSD
is configured to read the correct attributes (and you're not missing a
mapping to e.g. msSFU30UidNumber) ?

Can you check if the POSIX attributes are replicated to the Global
Catalog (sorry, in a rush right now, can't check).

Can you simulate the search using ldapsearch?

Something like:
$ ldapsearch -H ldap://your.server:3268 -D "bind_dn" -w "bind_pwd" -b DC=nfcu,DC=net '(&(cn=espadmin)(objectclass=user))'



Re: [SSSD-users] RHEL5, sssd and the Global Catalog (Jakub Hrozek)

2013-05-09 Thread Will_Darton
Jakub Hrozek wrote on 05/09/2013 02:44:00 PM:

> From: Jakub Hrozek
> Date: 05/09/2013 02:44 PM
> Subject: Re: [SSSD-users] RHEL5, sssd and the Global Catalog (Jakub Hrozek)
>
> On Thu, May 09, 2013 at 09:39:07AM -0400, will_dar...@navyfederal.org wrote:
> > If this comes across as HTML sorry.. gotta find a better mail client for
> > mailing lists... :/
> > I grabbed these logs right after attempting a su - espadmin, so that
> > should narrow down what's there.  I should mention this happens on any
> > RHEL5 server, not just this specific one, but it only happens with a
> > couple of accounts from the Global Catalog, not all of them...
> > Which leads me to believe it's something specific to RHEL5 and these two
> > accounts..  just not sure what is missing that RHEL5 is expecting?
> >
> > Thanks for the assist.
> >
>
> Here is one peculiar thing - the SSSD was searching for a user entry and
> got two results. Are you sure you're not seeing a similar message on the
> RHEL6 clients?
>
> > (Thu May  9 09:34:47 2013) [sssd[be[nfcu]]] [sdap_get_initgr_user] (2):
> > Expected one user entry and got 2
>

I did get the same error on the RHEL6 side, but it does not prevent su - espadmin

[root@slvdcls40 sssd]# grep "got 2" sssd_nfcu.log
(Thu May  9 15:03:09 2013) [sssd[be[nfcu]]] [sdap_get_initgr_user] (0x0040): Expected one user entry and got 2
(Thu May  9 15:03:09 2013) [sssd[be[nfcu]]] [sdap_get_initgr_user] (0x0040): Expected one user entry and got 2

I'm having the AD Engineers double-check me here, but I did find this:
# espadmin, SecureUsers, UserAccounts, hq.nfcu.net
dn: CN=espadmin,OU=SecureUsers,OU=UserAccounts,DC=hq,DC=nfcu,DC=net
cn: espadmin
department: esp
uid: espadmin
loginShell: /bin/ksh
unixHomeDirectory: /home/espadmin
gecos: ESP Admin
gidNumber: 1501
uidNumber: 1501

# ESPAdmin, !UserAccounts, nfcu.net
dn: CN=ESPAdmin,OU=!UserAccounts,DC=nfcu,DC=net
cn: ESPAdmin
sn: ESPAdmin

Would/should RHEL5 and RHEL6 have a difference in their response to multiple accounts?

> The other interesting point I found in the logs is:
> > (Thu May  9 09:34:46 2013) [sssd[be[nfcu]]] [sdap_save_user] (9): Save
> > user
> > (Thu May  9 09:34:46 2013) [sssd[be[nfcu]]] [sdap_save_user] (1): no uid
> > provided for [ESPAdmin] in domain [nfcu].
>
> It seems that the SSSD didn't find the UID number..are you sure the SSSD
> is configured to read the correct attributes (and you're not missing a
> mapping to e.g. msSFU30UidNumber) ?

I haven't messed with any mappings save for one:
ldap_user_name = cn

So if there is another location where I could validate this and you can let me know I'll take a look.

I don't see that attribute msSFU30UidNumber in the ldapsearch above (either via ldaps or Global Catalog).

> Can you check if the POSIX attributes are replicated to the Global
> Catalog (sorry, in a rush right now, can't check).

Here's the POSIX attributes, which I'm fairly certain are all there
# espadmin, SecureUsers, UserAccounts, hq.nfcu.net
dn: CN=espadmin,OU=SecureUsers,OU=UserAccounts,DC=hq,DC=nfcu,DC=net
cn: espadmin
department: esp
uid: espadmin
loginShell: /bin/ksh
unixHomeDirectory: /home/espadmin
gecos: ESP Admin
gidNumber: 1501
uidNumber: 1501

# ESPAdmin, !UserAccounts, nfcu.net
dn: CN=ESPAdmin,OU=!UserAccounts,DC=nfcu,DC=net
cn: ESPAdmin
sn: ESPAdmin

# search result
search: 2
result: 0 Success

> Can you simulate the search using ldapsearch?
>
> Something like:
> $ ldapsearch -H ldap://your.server:3268 -D "bind_dn" -w "bind_pwd" -b DC=nfcu,DC=net '(&(cn=espadmin)(objectclass=user))'


/* -
Will Darton
I.T. Operations
Information Services
Navy Federal Credit Union
wk 703.255.8639
cell: 703.232.2344
will_dar...@navyfederal.org
*/ 



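Jakub's two log excerpts ("Expected one user entry and got 2" and "no uid provided for [ESPAdmin]") and Will's ldapsearch output together show the shape of the problem: a Global Catalog search under `DC=nfcu,DC=net` also covers the `DC=hq,DC=nfcu,DC=net` subtree, so with `ldap_user_name = cn` and `case_sensitive = false` both `espadmin` and `ESPAdmin` answer to the same name, and the second entry carries no `uidNumber`/`gidNumber`. The following added example (not SSSD code, not from the thread) is a small check a practitioner can run over saved `ldapsearch` output before pointing SSSD at it. The LDIF is constructed in the shape of Will's paste with `example.net` in place of the real domain; the name attribute and case handling default to what the thread's sssd.conf uses, and the POSIX attribute names are SSSD's `ldap_user_uid_number` / `ldap_user_gid_number` defaults for this schema.

```python
"""Added example, not SSSD code: scan ldapsearch (LDIF) output from a Global
Catalog query for the two conditions behind the log lines in this thread:
more than one entry matching the name attribute SSSD is configured to use
(-> "Expected one user entry and got 2") and entries without the POSIX
uidNumber / gidNumber attributes (-> "no uid provided for [...]")."""
import base64
from collections import defaultdict

# Constructed LDIF, shaped like the thread's output but with example.net names.
SAMPLE_LDIF = """\
# espadmin, SecureUsers, UserAccounts, hq.example.net
dn: CN=espadmin,OU=SecureUsers,OU=UserAccounts,DC=hq,DC=example,DC=net
cn: espadmin
uid: espadmin
loginShell: /bin/ksh
unixHomeDirectory: /home/espadmin
gecos: ESP Admin
gidNumber: 1501
uidNumber: 1501

# ESPAdmin, !UserAccounts, example.net
dn: CN=ESPAdmin,OU=!UserAccounts,DC=example,DC=net
cn: ESPAdmin
sn: ESPAdmin

# wasadmin, UserAccounts, hq.example.net
dn: CN=wasadmin,OU=UserAccounts,DC=hq,DC=example,DC=net
cn: wasadmin
description:: V2ViU3BoZXJlIGFkbWlu
uidNumber: 1209
gidNumber: 1209

# search result
search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Parse LDIF into a list of {attr_lower: [values]} dicts. Handles folded
    continuation lines, '#' comments and '::' base64 values; blocks without a
    dn (ldapsearch's trailing '# search result' block) are dropped."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # continuation of the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, cur = [], {}
    for line in unfolded + [""]:               # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        cur.setdefault(attr.strip().lower(), []).append(value)
    return entries


def ambiguous_names(entries, name_attr="cn", case_sensitive=False):
    """Names that resolve to more than one entry under the thread's settings
    (ldap_user_name = cn, case_sensitive = false): 'espadmin' and 'ESPAdmin'
    collide, which is what SSSD reports as getting 2 entries instead of 1."""
    by_name = defaultdict(list)
    for e in entries:
        for v in e.get(name_attr, []):
            by_name[v if case_sensitive else v.lower()].append(e["dn"][0])
    return {n: dns for n, dns in by_name.items() if len(dns) > 1}


def missing_posix(entries, required=("uidnumber", "gidnumber")):
    """Entries lacking the attributes SSSD reads as ldap_user_uid_number /
    ldap_user_gid_number (uidNumber / gidNumber by default)."""
    gaps = {}
    for e in entries:
        absent = [a for a in required if a not in e]
        if absent:
            gaps[e["dn"][0]] = absent
    return gaps


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    print("ambiguous names:", ambiguous_names(ents))
    print("missing POSIX attributes:", missing_posix(ents))
```

Feed it the output of an `ldapsearch` against port 3268 (the plain Global Catalog port; 3269 is the TLS one used in Will's config) with the same search base SSSD uses; anything `ambiguous_names` reports will trip the "Expected one user entry" path regardless of client release, and anything `missing_posix` reports will be saved without a UID, which is what `id` and `crontab` then stumble over.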