sssd.conf:

[domain/LDAP]
enumerate = False
cache_credentials = False
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://server:port
ldap_id_use_start_tls = True
ldap_tls_reqcert = allow
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_search_base = ou=People,dc=xxxx,dc=xxxx,c=us
ldap_default_bind_dn = uid=xxx,ou=xx,dc=xxx,dc=xxx,c=us
ldap_schema = rfc2307
ldap_default_authtok_type = password
ldap_default_authtok = xxxx
ldap_user_object_class = inetOrgPerson
ldap_search_timeout = 60
ldap_network_timeout = 60
debug_level = 4
min_id = 0
ldap_user_uid_number = employeeNumber
ldap_user_gid_number = employeeNumber
ldap_user_gecos = cn

[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

On Nov 13, 2014, at 9:20 AM, Nathan Robbins <nrobb...@olemiss.edu> wrote:

I have enumerate = False

I will post sssd.conf shortly when I return to the office shortly.

----- Reply message -----
From: "Jakub Hrozek" <jhro...@redhat.com>
To: "sssd-devel@lists.fedorahosted.org" <sssd-devel@lists.fedorahosted.org>
Subject: [SSSD] Removing uidNumber from SSSD Search Filter
Date: Thu, Nov 13, 2014 9:15 AM

On Thu, Nov 13, 2014 at 03:04:44PM +0000, Nathan Robbins wrote:
> Cool. I found that in the docs : ldap_user_uid_number and ldap_user_gid_number
>
> I set those to an attribute in my LDAP that has a numerical value, however,
> still in the query sent to my ldap server, it has
> (&(uidNumber=*)(!(uidNumber=0)) in the query.

Do you have enumerate=true perchance? Can you paste your sssd.conf ?

>
> Even if I set min_id = 0
>
> This causes my LDAP server to return no results, no matter what I do. I am
> ok with mapping to another attribute, but unless I can override the search
> filter and get rid of that “and” I probably won’t be able to make it work.
>
> Ideas?
>
> On Nov 13, 2014, at 3:43 AM, Jakub Hrozek
> <jhro...@redhat.com> wrote:
>
> > On Wed, Nov 12, 2014 at 08:15:49PM +0000, Nathan Robbins wrote:
> >> I would like to try and accomplish a similar result with sssd, mainly in
> >> order to get it functioning with samba. Is it possible for me to set it
> >> up such that I build the local user account just like above, and then use
> >> sssd *only* for authentication?
> >>
> >> N
> >
> > The released versions of SSSD can only serve POSIX users, that is, users
> > who have a UID and a GID. You can either point SSSD to an attribute
> > that contains the ID or map the ID from a Windows SID.
> >
> > The ID attribute doesn't have to be named uidNumber/gidNumber and with
> > recent enough version you can even use the same LDAP attribute for both.
> > But there has to be either a numerical ID attribute or a Windows SID to
> > derive the ID from.
> > _______________________________________________
> > sssd-devel mailing list
> > sssd-devel@lists.fedorahosted.org
> > https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
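Added example, not part of the thread and not SSSD's own code: a small Python review script that reads a constructed sssd.conf modelled on the one posted above (hostname, DNs and bind password are placeholders), reports which LDAP attributes are mapped to the UID and GID, flags the settings a reviewer would query in that file (ldap_tls_reqcert = allow, a cleartext ldap_default_authtok, min_id = 0, the same attribute used for both IDs), and prints the "non-zero ID" clause from the thread with the configured attribute substituted for uidNumber. That substituted filter is a simplified model written for this example, an assumption about what a correctly applied mapping should produce, not SSSD's actual filter builder.

```python
"""Review the [domain/...] section of an sssd.conf for the ID-mapping and
TLS settings discussed in the thread.  Constructed sample, placeholder values."""
import configparser

# Constructed sample modelled on the posted configuration; hostname, DNs and
# the bind password are placeholders, not real values.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = LDAP

[domain/LDAP]
enumerate = False
cache_credentials = False
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.invalid:389
ldap_id_use_start_tls = True
ldap_tls_reqcert = allow
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_search_base = ou=People,dc=example,dc=invalid
ldap_default_bind_dn = uid=svc-sssd,ou=Service,dc=example,dc=invalid
ldap_default_authtok_type = password
ldap_default_authtok = PLACEHOLDER-PASSWORD
ldap_schema = rfc2307
ldap_user_object_class = inetOrgPerson
ldap_user_uid_number = employeeNumber
ldap_user_gid_number = employeeNumber
ldap_user_gecos = cn
min_id = 0
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-style; interpolation is off so '%' in values is safe."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def id_attributes(cp, domain):
    """Return (uid attribute, gid attribute); SSSD's defaults are uidNumber/gidNumber."""
    sec = cp["domain/" + domain]
    return (sec.get("ldap_user_uid_number", "uidNumber"),
            sec.get("ldap_user_gid_number", "gidNumber"))


def expected_id_filter(uid_attr):
    """Simplified model (assumption, not SSSD's code) of the 'has a non-zero ID'
    clause quoted in the thread, with the configured attribute substituted."""
    return "(&(%s=*)(!(%s=0)))" % (uid_attr, uid_attr)


def review_domain(cp, domain):
    """Findings a reviewer would raise about this domain section."""
    sec = cp["domain/" + domain]
    findings = []
    reqcert = sec.get("ldap_tls_reqcert", "hard").lower()  # SSSD default: hard
    if reqcert in ("never", "allow"):
        findings.append("ldap_tls_reqcert=%s lets the session proceed with a "
                        "missing or invalid server certificate; use demand or hard"
                        % reqcert)
    if sec.get("ldap_default_authtok") and \
            sec.get("ldap_default_authtok_type", "password") == "password":
        findings.append("ldap_default_authtok is a cleartext bind password; "
                        "keep sssd.conf readable by root only")
    if sec.get("ldap_uri", "").startswith("ldap://") and \
            not sec.getboolean("ldap_id_use_start_tls", fallback=False):
        findings.append("ldap_uri is plain ldap:// without StartTLS; "
                        "binds and lookups would cross the network unprotected")
    if sec.getint("min_id", fallback=1) == 0:
        findings.append("min_id=0 removes the lower ID bound (SSSD default 1)")
    uid_attr, gid_attr = id_attributes(cp, domain)
    if uid_attr == gid_attr:
        findings.append("ldap_user_uid_number and ldap_user_gid_number both use %s; "
                        "every user's primary GID will equal its UID (needs a "
                        "recent enough SSSD, per the thread)" % uid_attr)
    return findings


def hardened_domain(cp, domain):
    """Copy of the section with the TLS verification setting corrected."""
    hardened = dict(cp["domain/" + domain])
    hardened["ldap_tls_reqcert"] = "demand"
    return hardened


if __name__ == "__main__":
    conf = parse_sssd_conf(SAMPLE_SSSD_CONF)
    uid_attr, gid_attr = id_attributes(conf, "LDAP")
    print("UID attribute: %s, GID attribute: %s" % (uid_attr, gid_attr))
    print("expected ID clause:", expected_id_filter(uid_attr))
    for finding in review_domain(conf, "LDAP"):
        print("-", finding)
```

Run against a real file by replacing SAMPLE_SSSD_CONF with the contents of /etc/sssd/sssd.conf; if the LDAP query seen on the server still carries uidNumber while the script reports employeeNumber as the mapped attribute, the configuration in the file is not the one the running sssd_be process loaded, which is the kind of mismatch the request to paste sssd.conf is meant to rule out.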