[SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7

2016-01-26 Thread Murdoch, Steven

Hi Lukas,

I set up LDAP from scratch, as my sole intention at this point is to test SSSD 
Auth LDAP in our test lab environment.
So the two VMs, both CentOS, are only test machines - when working I will take 
notes for the production environment later.

Thanks

-Original Message-
From: Lukas Slebodnik [mailto:lsleb...@redhat.com] 
Sent: 25 January 2016 17:59
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server 
CentOS6.7

On (25/01/16 15:55), Murdoch, Steven wrote:
>Hi Sumit,
>
>I think I have managed to add in the posixAccount to a user - when I 
>ldapsearch from the client - I get this info for this user:
>
>
># mxx, Users, vmlab.ari.cdk.hosting
>dn: uid=mxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
>cn: Mike xx
>sn: xx
>objectClass: inetOrgPerson
>objectClass: posixAccount
>userPassword:: cEBzc3cwcmQ=
>uid: mxx
>uidNumber: 504
>gidNumber: 100
>homeDirectory: /home/mxx
>
>..I then tried getent passwd - but same as before I only get local users !
>Is there something else that needs a tweak to allow 'getent passwd' to show 
>the ldap users?
>
I have a small question.
Did you set up your LDAP server from scratch, or are you migrating from a 
different client (nss-pam-ldapd) to sssd?

If you set up the LDAP server from scratch,
then it might be easier for you to install FreeIPA.
http://www.freeipa.org

The packages are in Fedora and CentOS. There are also some packages in Debian 
unstable.

LS
___
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org

--
This message and any attachments are intended only for the use of the addressee 
and may contain information that is privileged and confidential. If the reader 
of the message is not the intended recipient or an authorized representative of 
the intended recipient, you are hereby notified that any dissemination of this 
communication is strictly prohibited. If you have received this communication 
in error, notify the sender immediately by return email and delete the message 
and any attachments from your system.


[SSSD-users] speeding up iterative enumeration?

2016-01-26 Thread James Ralston
We are using the ad provider for sssd, with the id mapping feature
enabled.

We have a program that obtains a list of all Active Directory users and
groups via LDAP, and then calls getpwnam()/getgrnam() on those users
and groups.

(We used to accomplish this enumeration simply by enabling enumeration
within sssd.  But the performance issues this created for sssd,
combined with the threat of the removal of the enumeration feature,
made us search for a different solution.)

Here's the problem: unless the user/group objects already happen to be
in sssd's cache, enumerating the passwd/group entries in this way is
very slow: 3-5 entries per second, at best.  For a larger AD domain,
the program can take 10-15 minutes to perform this iterative
enumeration, which is much longer than we'd prefer.

Can anyone think of a way to make this iterative enumeration go
faster?

One thing we're considering is having our program synthesize the
passwd and group entries itself, rather than having sssd do it via
getpwnam()/getgrnam() calls.  We'll still have to look up at least one
entry (to determine the slice starting point for the ID mapping), but
since we can obtain each object's RID from AD, once we know the
starting offset, we can calculate the uid/gid values.  After that, all
we need to do is synthesize the rest of the fields from the object's
AD properties, the same as sssd.

Thoughts?  Is there a way to accelerate iterative enumeration, or
should we just give up and replicate the logic sssd uses to generate
passwd/group entries?
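The approach the post sketches (look up one object, derive the slice start, then compute uid/gid for everything else from its RID) in working form, as an added example that is not code from the post or from sssd. It assumes sssd's default ID-mapping ranges (ldap_idmap_range_min 200000, ldap_idmap_range_size 200000), a single domain so every object lands in that domain's primary slice, and sssd's default AD attribute choices (sAMAccountName as the login name, unixHomeDirectory as the home directory when set). The domain SID, user objects and the anchor lookup are constructed sample data; the RID checks are there because RIDs at or beyond the range size fall into secondary slices that this simple derivation cannot predict.

```python
"""Synthesise passwd(5) entries for AD users from their RIDs, anchored on one
sssd lookup.  Added example (not code from the post or from sssd).

Assumptions: sssd's default ID-mapping ranges (ldap_idmap_range_min 200000,
ldap_idmap_range_size 200000); one domain, so every object lands in that
domain's primary slice; sssd's default AD attribute choices (sAMAccountName as
login name, unixHomeDirectory as home when set).  All sample data is constructed.
"""
import re

RANGE_MIN = 200000    # sssd default ldap_idmap_range_min (assumed unchanged)
RANGE_SIZE = 200000   # sssd default ldap_idmap_range_size (assumed unchanged)

# Domain object SID: S-1-5-21-<a>-<b>-<c>-<RID>
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid); the RID is the last sub-authority."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain object SID: %r" % sid)
    return sid.rsplit("-", 1)[0], int(m.group(1))


def slice_base(anchor_uid, anchor_rid):
    """Derive the start of the domain's slice from one object that sssd has
    already mapped (uid from getpwnam) and that object's RID from AD."""
    if not 0 <= anchor_rid < RANGE_SIZE:
        raise ValueError("anchor RID %d is outside the primary slice" % anchor_rid)
    base = anchor_uid - anchor_rid
    # With the default ranges every slice starts at RANGE_MIN + k*RANGE_SIZE.
    if base < RANGE_MIN or (base - RANGE_MIN) % RANGE_SIZE:
        raise ValueError("uid %d does not sit in a default-range slice" % anchor_uid)
    return base


def map_rid(base, rid):
    """uid/gid = slice start + RID.  RIDs >= RANGE_SIZE need a secondary
    slice, which this simplified mapper deliberately refuses to guess."""
    if not 0 <= rid < RANGE_SIZE:
        raise ValueError("RID %d spills out of the primary slice" % rid)
    return base + rid


def synthesize_passwd(users, base, domain_sid,
                      fallback_homedir="/home/%(u)s", shell="/bin/bash"):
    """Build passwd lines for one domain the way an id-mapped sssd would.
    fallback_homedir/shell stand in for the sssd.conf options of the same
    name (assumption); the password field is '*' as sssd returns it."""
    lines = []
    for u in users:
        dom, rid = split_sid(u["objectSid"])
        if dom != domain_sid:
            raise ValueError("%s is from another domain and needs its own slice"
                             % u["sAMAccountName"])
        name = u["sAMAccountName"]
        gecos = u.get("displayName", name)
        home = u.get("unixHomeDirectory") or fallback_homedir % {"u": name}
        uid = map_rid(base, rid)
        gid = map_rid(base, int(u["primaryGroupID"]))  # primaryGroupID is a RID
        lines.append("%s:*:%d:%d:%s:%s:%s" % (name, uid, gid, gecos, home, shell))
    return lines


# Constructed sample data: a domain SID, two users, and the one "real" lookup
# that getpwnam() would have answered (uid 801105 for RID 1105).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "objectSid": DOMAIN_SID + "-1105",
     "primaryGroupID": "513", "displayName": "Alice Example"},
    {"sAMAccountName": "svc-backup", "objectSid": DOMAIN_SID + "-1106",
     "primaryGroupID": "513", "unixHomeDirectory": "/srv/backup"},
]
ANCHOR_UID, ANCHOR_RID = 801105, 1105

if __name__ == "__main__":
    base = slice_base(ANCHOR_UID, ANCHOR_RID)
    for line in synthesize_passwd(SAMPLE_USERS, base, DOMAIN_SID):
        print(line)
```

The anchor lookup is the only call that still has to go through sssd; everything else is arithmetic on data already fetched from AD. If the deployment has changed the idmap ranges, or uses more than one domain, the constants and the single-slice check above have to follow.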


[SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7

2016-01-26 Thread Murdoch, Steven
Hi Sumit - The good news is - # getent passwd is now working - I can see all my 
LDAP users:

.
rpc:x:32:32:Rpcbind Daemon:/var/cache/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mxx:*:502:502:Max xx:/home/max:
txx:*:501:501:Tom xx:/home/tom:
sxx:*:505:100:Steve xx:/home/sxx:
Manager:*:503:503:Manager:/home/Manager:
mxx:*:504:100:Mike xx:/home/mxx:
bjones:*:506:100:Bob Jones:/home/bjones:
admin:*:507:100:admin:/home/admin:
[root@SSSD-VM-Test db]#

.. the bad news is # getent group is not working and therefore (I am assuming) 
I cannot log in on the client and get authorised via SSSD to the LDAP server.

I have added a group - this is what I added:

# groups, vmlab.ari.cdk.hosting
dn: ou=groups,dc=vmlab,dc=ari,dc=cdk,dc=hosting
objectClass: organizationalUnit
ou: groups
description: generic groups branch

..is this ok - or do I need to add more lines?

Many thanks for your help.







-Original Message-
From: Murdoch, Steve
Sent: 26 January 2016 10:58
To: sssd-users@lists.fedorahosted.org
Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & 
Server CentOS6.7

Hi Sumit,

The Primary group 100 exists on the LDAP Server and on the SSSD Client - but 
the users only exist on the LDAP server (no users added to SSSD).

Sorry, I am not clear what you mean:
> you have to add the primary group with GID 100 on the LDAP server as
> well

Attached are the nss and domain logs on the SSSD Client as requested.

Thanks

-Original Message-
From: Sumit Bose [mailto:sb...@redhat.com]
Sent: 25 January 2016 17:24
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server 
CentOS6.7

On Mon, Jan 25, 2016 at 03:55:45PM +, Murdoch, Steven wrote:
> Hi Sumit,
>
> I think I have managed to add in the posixAccount to a user - when I 
> ldapsearch from the client - I get this info for this user:
>
>
> # mxx, Users, vmlab.ari.cdk.hosting
> dn: uid=mxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> cn: Mike xx
> sn: xx
> objectClass: inetOrgPerson
> objectClass: posixAccount
> userPassword:: cEBzc3cwcmQ=
> uid: mxx
> uidNumber: 504
> gidNumber: 100
> homeDirectory: /home/mxx
>
> ..I then tried getent passwd - but same as before I only get local users !
> Is there something else that needs a tweak to allow 'getent passwd' to show 
> the ldap users?

you have to add the primary group with GID 100 on the LDAP server as well. If 
this still does not work please attach the nss and domain logs (see 
https://fedorahosted.org/sssd/wiki/Troubleshooting for details).

bye,
Sumit



>
> Thanks a lot.
>
> -Original Message-
> From: Murdoch, Steve
> Sent: 25 January 2016 14:55
> To: 'End-user discussions about the System Security Services Daemon'
> Subject: RE: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both
> Client & Server CentOS6.7
>
> Hi Sumit,
>
> Thanks for your help - I am trying to ldapmodify - added these lines to 
> mike.ldif:
>
> dn: uid=mx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
> changetype: modify
> replace: objectClass
> objectClass: posixAccount
> uidNumber: 504
> userPassword: p@ssw0rd
> cn: Mike
> sn: xxx
> gidNumber: 100
> homeDirectory: /home/mxx
>
> I used only the first 4 lines - but it complained that I need a uidNumber - 
> so I added in line 5, but then I get this:
> ldapmodify: wrong attributeType at line 5, entry 
> "uid=mxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting"
>
> ...what am I doing wrong?
>
> Thanks
>
> -Original Message-
> From: Sumit Bose [mailto:sb...@redhat.com]
> Sent: 25 January 2016 13:57
> To: sssd-users@lists.fedorahosted.org
> Subject: [SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client
> & Server CentOS6.7
>
> On Mon, Jan 25, 2016 at 01:15:46PM -, steven.murd...@cdk.com wrote:
> >
> > Hi - I am new to SSSD and LDAP, and my first posting - so please bear with 
> > me.
> > # getent passwd only displays the local users - will not display the
> > LDAP users and is driving me insane - ldapsearch seems to work. I am
> > using SSSD with TLS to authenticate to the LDAP Server. The CA.crt files were 
> > self-signed certificates.
> > I used # cacertdir_rehash to create the sym-link to the
> > CA.crt on both Client and Server. My LDAP Server hostname is 'ActDir-VM-Test'
> > My SSSD Client hostname is 'SSSD-VM-Test'
> >
> > Here are my files:
> >
> > Server - /etc/openldap/slapd.conf:
> >
> > allow bind_v2
> > allow bind_anon_dn
> > pidfile /var/run/openldap/slapd.pid
> > argsfile /var/run/openldap/slapd.args
> > 
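The check Sumit's reply implies, as an added example that is not code from the thread: read an LDIF dump of the directory, find every posixAccount whose gidNumber has no posixGroup with that gidNumber (sssd needs the primary group to resolve before it will return the user), and emit the LDIF that would add the missing group. The parser also flags userPassword values stored without a {SCHEME} prefix, since the entry posted above returns its password as the base64 of the cleartext to any client that can search it. The LDIF below is constructed from the entries in the thread; the group name "users" and the ou=groups base are assumptions.

```python
"""Check an LDIF dump for the posixAccount/posixGroup consistency sssd needs.

Added example, not code from the thread.  Parses a small constructed LDIF
modelled on the entries posted above, reports posixAccounts whose gidNumber
has no posixGroup, flags cleartext userPassword values, and generates the
LDIF for the missing group.
"""
import base64
import re

# Constructed sample: the user entry and the ou=groups branch from the thread.
SAMPLE_LDIF = """\
dn: uid=mxx,ou=Users,dc=vmlab,dc=ari,dc=cdk,dc=hosting
cn: Mike xx
sn: xx
objectClass: inetOrgPerson
objectClass: posixAccount
userPassword:: cEBzc3cwcmQ=
uid: mxx
uidNumber: 504
gidNumber: 100
homeDirectory: /home/mxx

dn: ou=groups,dc=vmlab,dc=ari,dc=cdk,dc=hosting
objectClass: organizationalUnit
ou: groups
description: generic groups branch
"""

GROUPS_BASE = "ou=groups,dc=vmlab,dc=ari,dc=cdk,dc=hosting"  # from the thread

LINE_RE = re.compile(r"^([A-Za-z][\w.-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry.  Attribute names are
    lower-cased (LDIF is case-insensitive), '::' values are base64-decoded,
    lines starting with a space continue the previous line, '#' is a comment."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:            # trailing "" flushes the last entry
        if line == "":
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        attr, sep, val = m.groups()
        if sep == "::":
            val = base64.b64decode(val).decode("utf-8", "replace")
        cur.setdefault(attr.lower(), []).append(val)
    return entries


def classes(entry):
    return {c.lower() for c in entry.get("objectclass", [])}


def missing_primary_groups(entries):
    """{gidNumber: [uids]} for gidNumbers used by posixAccounts that have no
    posixGroup entry in the dump."""
    have = set()
    wanted = {}
    for e in entries:
        if "posixgroup" in classes(e):
            have.update(e.get("gidnumber", []))
        if "posixaccount" in classes(e):
            for gid in e.get("gidnumber", []):
                wanted.setdefault(gid, []).extend(e.get("uid", []))
    return {gid: uids for gid, uids in wanted.items() if gid not in have}


def cleartext_passwords(entries):
    """uids whose userPassword lacks a {SCHEME} prefix, i.e. is stored in the
    clear and comes back to any client that can read the attribute."""
    return [e["uid"][0] for e in entries
            if "userpassword" in e and "uid" in e
            and not all(v.startswith("{") for v in e["userpassword"])]


def group_ldif(gid, name, members, groups_base=GROUPS_BASE):
    """LDIF that adds a posixGroup for gid.  memberUid lines are optional for
    primary membership (gidNumber on the user is enough) but harmless."""
    body = ["dn: cn=%s,%s" % (name, groups_base),
            "objectClass: posixGroup",
            "cn: %s" % name,
            "gidNumber: %s" % gid]
    body += ["memberUid: %s" % m for m in members]
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for gid, uids in missing_primary_groups(entries).items():
        print("# gid %s used by %s but no posixGroup found; add:" % (gid, uids))
        print(group_ldif(gid, "users", uids))
    for uid in cleartext_passwords(entries):
        print("# WARNING: %s has a cleartext userPassword" % uid)
```

Run it against `ldapsearch -x -LLL -b dc=... '(objectClass=*)'` output (with `-o ldif-wrap=no` to avoid folded lines, although the parser unfolds them) and feed the generated LDIF to ldapadd. Once the group is in place, `getent group 100` on the client is the quick confirmation that sssd can now resolve the primary group.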

[SSSD-users] disable ad backend group filtering? (was Re: Re: speeding up iterative enumeration?)

2016-01-26 Thread James Ralston
On Tue, Jan 26, 2016 at 3:03 PM, Jakub Hrozek  wrote:

> On Tue, Jan 26, 2016 at 02:19:42PM -0500, James Ralston wrote:
>
>> Here's the problem: unless the user/group objects already happen to be
>> in sssd's cache, enumerating the passwd/group entries in this way is
>> very slow: 3-5 entries per second, at best.  For a larger AD domain,
>> the program can take 10-15 minutes to perform this iterative
>> enumeration, which is much longer than we'd prefer.
>>
>> Can anyone think of a way to make this iterative enumeration go
>> faster?
>
> Did you try mounting the cache to tmpfs to get rid of the cache writes?
>
> [...]

That's… a very clever idea.

From testing using tmpfs to back /var/lib/sss/db, the speed of lookups
increases by about an order of magnitude: about 44 lookups per second,
instead of 4-5 lookups per second.  We have around 5,000 AD objects,
so the ~100 second wait would be tolerable.

A related question: is there any possibility of adding an option
to the ad backend to disable the filtering of distribution
groups (group type flag 0x8)?

It's a long story, but what we are trying to do here is to take
regular snapshots of our AD users and groups, and sssd's
getpwnam()/getgrnam() mapping is the perfect way to do it.  I think I
understand why distribution groups are filtered by default (they're
not security-enabled in AD, and can't be used in Windows ACLs), but in
this one particular case, we really do want to be able to enumerate
every single group.
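Since the post already fetches the group list over LDAP, the distinction it is asking about can be made client-side from groupType, as an added example that is not code from the post or from sssd. In AD's groupType the bit 0x80000000 marks a security-enabled group; a group without it is a distribution group, and the low bits (0x2 global, 0x4 domain local, 0x8 universal) give the scope. The code normalises the signed value LDAP returns, partitions a constructed set of groups into the ones a security-only filter keeps and the ones it drops, and builds the equivalent server-side filter using the standard bitwise-AND matching rule OID 1.2.840.113556.1.4.803. The group names and values are constructed sample data.

```python
"""Classify AD groups by groupType and show what a security-only filter keeps.

Added example, not code from the post or from sssd.  Bit values are
Microsoft's documented groupType constants; the matching-rule OID is the
standard AD bitwise-AND rule.  All group objects are constructed sample data.
"""
SECURITY_ENABLED = 0x80000000
SCOPE_FLAGS = {0x1: "builtin-local", 0x2: "global", 0x4: "domain-local",
               0x8: "universal", 0x10: "app-basic", 0x20: "app-query"}
BITWISE_AND = "1.2.840.113556.1.4.803"


def decode_group_type(value):
    """groupType arrives as a signed 32-bit string ('-2147483646' for a
    security global group); mask to unsigned, then split scope and flag."""
    v = int(value) & 0xFFFFFFFF
    scope = [name for flag, name in SCOPE_FLAGS.items() if v & flag]
    return {"scope": scope[0] if len(scope) == 1 else scope,
            "security": bool(v & SECURITY_ENABLED),
            "raw": v}


def partition(groups):
    """(kept, dropped) under a security-groups-only policy."""
    kept, dropped = [], []
    for g in groups:
        target = kept if decode_group_type(g["groupType"])["security"] else dropped
        target.append(g["sAMAccountName"])
    return kept, dropped


def security_groups_filter():
    """Server-side equivalent of partition()[0]."""
    return "(&(objectClass=group)(groupType:%s:=%d))" % (BITWISE_AND, SECURITY_ENABLED)


def distribution_groups_filter():
    """Only the groups a security-only policy leaves out."""
    return "(&(objectClass=group)(!(groupType:%s:=%d)))" % (BITWISE_AND, SECURITY_ENABLED)


# Constructed sample groups with realistic groupType values.
SAMPLE_GROUPS = [
    {"sAMAccountName": "Domain Users",      "groupType": "-2147483646"},  # security, global
    {"sAMAccountName": "file-share-admins", "groupType": "-2147483644"},  # security, domain local
    {"sAMAccountName": "all-staff",         "groupType": "8"},            # distribution, universal
    {"sAMAccountName": "newsletter",        "groupType": "2"},            # distribution, global
    {"sAMAccountName": "Enterprise Admins", "groupType": "-2147483640"},  # security, universal
]

if __name__ == "__main__":
    kept, dropped = partition(SAMPLE_GROUPS)
    print("kept:   ", kept)
    print("dropped:", dropped)
    for g in SAMPLE_GROUPS:
        print(g["sAMAccountName"], decode_group_type(g["groupType"]))
    print(distribution_groups_filter())
```

For the snapshot use case in the post, the distribution-group filter is the query to run separately if sssd keeps dropping those groups; the objects it returns have no Unix identity, so their RIDs still have to be mapped by whatever scheme the rest of the snapshot uses.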