[SSSD-users] Re: CentOS 7, SSSD against LDAP: finds user but will not log them in, "Authentication failure" when trying to su

2022-12-07 Thread patrick . hush
Off the top, the LDAP server cannot resolve in DNS, so it's setting the LDAP server name to the IP, and the IP is not in your cert as a SAN that I can see. > On 12/07/2022 12:10 AM Jarett DeAngelis wrote: > > > Hi Sumit, > > Thank you! You made me realize I never updated PAM using

[SSSD-users] Re: Access Filters

2020-06-10 Thread patrick . hush
Rather than filtering off a single group, why not use the simple_allow_groups key value? This will allow multiple groups to access the system should the need ever arise. For the local users, that is outside sssd for the most part; look at your pam configs and nsswitch. > On June 10, 2020

[SSSD-users] Re: Can I map an LDAP value of 123456 to a user name of u123456 ?

2020-03-11 Thread patrick . hush
Why on earth would you assign a numeric value to a uid? Just do an ldapmodify and replace the uid with a valid userid (e.g. jsmith) and replace uidNumber with the previous value, then get rid of the: ldap_user_uid_number = uid ldap_user_gid_number = uid stuff; you can do this in one ldif with dn:

[SSSD-users] Re: Can I map an LDAP value of 123456 to a user name of u123456 ?

2020-03-10 Thread patrick . hush
In LDAP what are the uidNumber and uid attributes for a sample user? > On March 10, 2020 at 2:45 PM Michael Lake wrote: > > Hi > > But I'd still have the problem that my UNIX username needs to be POSIX > compliant. So if my number is 123456 and my email is mike.l...@uts.edu.au >

[SSSD-users] Re: Encrypted communication to DC

2020-02-26 Thread patrick . hush
When 389 is used for start_tls, think of it as an unencrypted handshake, sort of like this: client: Yo bro sup, want to encrypt our connections? server: Ya man, what can you do? client: I support these ciphers server: no shit, me too, let's do AES-Foo56 server: here is my cert client: oh sweet I can
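The exchange described above, as an added example that is not part of the thread: the StartTLS ExtendedRequest and ExtendedResponse on port 389 are plain BER over TCP, and only after a resultCode of 0 does the client start the TLS handshake. The server replies below are constructed in-line so the code runs offline; `wrap_verified` shows the step the earlier SAN message in this thread is about (hostname verification against the certificate), and is not called here because there is no live server.

```python
"""StartTLS on LDAP port 389: the first round trip is cleartext BER.

Added example, not code from the thread or from SSSD. It hand-encodes the
StartTLS ExtendedRequest (RFC 4511 section 4.14), parses the ExtendedResponse,
and only on resultCode 0 hands the socket to ssl with hostname checking on.
Server replies are constructed in-line (no network needed).
"""
import socket
import ssl

START_TLS_OID = "1.3.6.1.4.1.1466.20037"  # StartTLS extended operation OID


def ber_len(n: int) -> bytes:
    """BER length octets, short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(content)) + content


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(msg_id: int) -> bytes:
    """LDAPMessage { messageID, extendedReq [APPLICATION 23] { requestName [0] OID } }."""
    assert 0 < msg_id < 128, "single-octet messageID is enough for this demo"
    ext_req = tlv(0x77, tlv(0x80, START_TLS_OID.encode("ascii")))  # 0x77 = [APPLICATION 23]
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + ext_req)


def build_starttls_response(msg_id: int, result_code: int, diag: bytes = b"") -> bytes:
    """Constructed server reply in the shape a directory server sends back."""
    result = tlv(0x0A, bytes([result_code]))          # resultCode ENUMERATED
    result += tlv(0x04, b"") + tlv(0x04, diag)         # matchedDN, diagnosticMessage
    result += tlv(0x8A, START_TLS_OID.encode("ascii"))  # responseName [10]
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x78, result))  # 0x78 = [APPLICATION 24]


def parse_starttls_response(buf: bytes, expected_id: int):
    """Return (resultCode, diagnosticMessage); raise on anything unexpected."""
    tag, body, end = parse_tlv(buf)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single LDAPMessage")
    tag, id_bytes, pos = parse_tlv(body)
    if tag != 0x02 or int.from_bytes(id_bytes, "big") != expected_id:
        raise ValueError("messageID mismatch")
    tag, resp, _ = parse_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("expected ExtendedResponse, got tag 0x%02x" % tag)
    tag, rc, pos = parse_tlv(resp)
    if tag != 0x0A:
        raise ValueError("malformed LDAPResult")
    _, _matched_dn, pos = parse_tlv(resp, pos)
    _, diag, pos = parse_tlv(resp, pos)
    return int.from_bytes(rc, "big"), diag.decode("utf-8", "replace")


def negotiate_starttls(send_and_recv, msg_id: int = 1) -> bool:
    """The cleartext half. Returns True only when the server agreed (resultCode 0).

    send_and_recv(request_bytes) -> response_bytes is whatever transport you
    have; in the test it is a lambda returning a constructed reply."""
    reply = send_and_recv(build_starttls_request(msg_id))
    rc, diag = parse_starttls_response(reply, msg_id)
    if rc != 0:
        # typical refusals: 2 protocolError, 53 unwillingToPerform
        raise ConnectionError("StartTLS refused: resultCode=%d %s" % (rc, diag))
    return True


def wrap_verified(sock: socket.socket, server_hostname: str, cafile=None) -> ssl.SSLSocket:
    """After resultCode 0: the TLS handshake, with the cert checked against the
    name you connected to. If ldap_uri carries an IP, that IP must be in the
    SAN; otherwise use the DNS name that is."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx.wrap_socket(sock, server_hostname=server_hostname)
```

The request serialises to the 31-byte message that any packet capture of an sssd StartTLS will show, so it doubles as a reference when reading a trace. Everything up to the resultCode is visible to anyone on the path, which is why the bind must never be sent before `negotiate_starttls` returns and `wrap_verified` completes.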

[SSSD-users] Re: session management by sssd (when using LDAP as an authentication and authorization server)

2020-02-19 Thread patrick . hush
This is NOT an OUD issue; it's not really an issue for sssd either. Look at your sssd.conf: are you caching? What is the time to live? What does your pam auth for the session section look like? Is sss optional or required? Can you post your sssd.conf, pam.d/system-auth? (strip out the sensitive

[SSSD-users] Re: restrict sudo su -

2020-01-20 Thread patrick . hush
I'm trying to determine if he is just using the pam stack and local sudoers or sssd/nsswitch to lookup/AuthZ sudoers in LDAP. ___ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to

[SSSD-users] Re: restrict sudo su -

2020-01-17 Thread patrick . hush
Are you using a SUDO domain? And LDAP as your sudo and id provider? What does your sssd look like? If you have the Sudoers object class in ldap you can use match users/groups, deny certain hosts, or certain users/groups.. sudoUser: %MyGroup sudoUser: !YourGroup sudoHost:
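A constructed sudoRole entry illustrating the attributes named above (added example, not from the thread; the base DN, group names and host name are assumptions):

```ldif
# Constructed example: members of MyGroup may run any command as root on
# bastion01, except members of YourGroup, and except /bin/su.
dn: cn=admins_no_su,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: admins_no_su
sudoUser: %MyGroup
sudoUser: !%YourGroup
sudoHost: bastion01.example.com
sudoRunAsUser: root
sudoCommand: ALL
sudoCommand: !/bin/su
```

For sssd to consume it, the domain section needs `sudo_provider = ldap` and `ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com`, `sudo` must be listed in `services` under `[sssd]`, and /etc/nsswitch.conf needs `sudoers: files sss`. Two caveats a reviewer would raise on this rule: a `!/bin/su` negation under `ALL` only blocks that path, not `sudo sh`, `sudo -i` or any other way to a root shell, so an allow-list of commands is the real restriction; and because LDAP attribute values are not ordered the way lines in a sudoers file are, keep a negation in the same sudoRole as the rule it narrows rather than in a separate entry.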

[SSSD-users] Re: Problem getting sssd to work with LDAP authentication

2019-08-12 Thread patrick . hush
I'm just going to leave this here: Read RFC 2307 and pay attention to section 5.2. Affected library functions. Good luck! > On August 12, 2019 at 12:21 PM Jane Eason wrote: > > > We do not have the uid number in LDAP. > > In our LDAP uid is the username, so LDAP has e.g. uid=bob. There is a

[SSSD-users] Re: Problem getting sssd to work with LDAP authentication

2019-08-12 Thread patrick . hush
[(&(uid=myuser)(objectclass=inetorgperson)(&(uid=*)(!(uid=0][ou=people,ou=primary,ou=eid,dc=my,dc=edu]. what does an ldapsearch with objectclass=inetorgperson uid=\* return? and do you also have a uidnumber attribute? > On August 12, 2019 at 12:55 AM Jakub Hrozek wrote: > > > On Fri,

[SSSD-users] Re: Problem getting sssd to work with LDAP authentication

2019-08-09 Thread patrick . hush
What does your LDAP domain section look like and why are you not using the POSIX object class for uids? > On August 9, 2019 at 12:01 PM Jane Eason wrote: > > > Hello, > > We are attempting to get LDAP logins set up with sssd on RHEL 7.6. > > sssd is able to look up the user against the