On Thu, Jul 16, 2015 at 03:12:52PM -0400, Christian Tardif wrote:
>
> Hi,
>
> I'm working on setting up an LDAP proxy (with OpenLDAP) to Active Directory,
> and testing the proxy with SSSD gives me strange results I don't
> understand. When someone tries to connect to a Linux box on which
> SSSD is looking after the LDAP proxy, it fails because of a bad filter
> thing (which is OK, as you'll see in the logs). The logs from SSSD
> show:

I've never tried this setup so I don't know if it would work, but you
probably want to set ldap_user_objectsid=objectSID explicitly to avoid
null in the filter.

BTW, when using ID mapping together with the LDAP provider, usually
setting ldap_use_tokengroups=False is a good idea.

> (Thu Jul 16 14:51:00 2015) [sssd[be[DOMAIN]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=christian.tardif1)(objectclass=user)(uid=*)((null)=*))][ou=users,ou=outhing,dc=domain,dc=int].
> (Thu Jul 16 14:51:00 2015) [sssd[be[LABNHS]]] [sdap_get_generic_ext_step] (0x0080): ldap_search_ext failed: Bad search filter
>
> Look at that (null)=* thing. Where does that come from? My sssd.conf
> looks like:
>
> [domain/DOMAIN]
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> access_provider = simple
> ldap_uri = ldap://172.22.211.114/
> ldap_search_base = ou=outhing,dc=domain,dc=int
> #ldap_default_bind_dn = cn=ldap binduser,ou=others,ou=users,ou=outhing,dc=domain,dc=int
> #ldap_default_authtok = B1ndPassw0rd!
> ldap_default_bind_dn = cn=Manager,dc=domain,dc=int
> ldaP_default_authtok = *********
> ldap_default_authtok_type = password
> ldap_user_name = uid
> ldap_user_object_class = user
> ldap_user_search_base = ou=users,ou=outhing,dc=domain,dc=int
> ldap_user_extra_attrs = mail
> ldap_group_object_class = group
> ldap_group_search_base = ou=groups,ou=outhing,dc=domain,dc=int
> ldap_id_mapping = true
> ldap_schema = rfc2307bis
> ldap_tls_reqcert = never
> ldap_id_use_start_tls = false
> ldap_network_timeout = 6
> override_gid = 100
> enumerate = true
> cache_credentials = true
> cache_sensitive = false
> entry_cache_timeout = 300
> debug_level = 6
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = DOMAIN
>
> [nss]
> filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
> override_homedir = /home/%u
> default_shell = /bin/bash
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> Is something wrong in my config to create this (null)=* thing?
> --
>
> CHRISTIAN TARDIF
> _______________________________________________
> sssd-users mailing list
> sssd-users@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
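As an added illustration (not code from the thread or from SSSD itself), the following Python models how a user search filter like the one in the log is assembled from the sssd.conf options shown above, and checks the result for attribute names that are not valid LDAP attribute descriptions. The `build_user_filter` and `find_bad_attrs` functions and the two config dictionaries are constructed for this example; the `(null)` token stands for what glibc's printf emits for a NULL string pointer, which is the likely origin of the token in the log.

```python
import re

# Constructed: the relevant subset of the poster's sssd.conf. ldap_id_mapping is on,
# but no ldap_user_objectsid is given, so the SID attribute name is missing.
POSTER_CONFIG = {
    "ldap_user_name": "uid",
    "ldap_user_object_class": "user",
    "ldap_id_mapping": True,
    "ldap_schema": "rfc2307bis",
}

# Constructed: the same config with the reply's suggestion applied.
FIXED_CONFIG = dict(POSTER_CONFIG,
                    ldap_user_objectsid="objectSID",
                    ldap_use_tokengroups=False)

# RFC 4512 attribute description, options (";binary" etc.) left out for brevity.
ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def build_user_filter(cfg, username):
    """Simplified model of an SSSD-style user lookup filter (not SSSD's code)."""
    name_attr = cfg["ldap_user_name"]
    parts = [
        f"({name_attr}={username})",
        f"(objectclass={cfg['ldap_user_object_class']})",
        f"({name_attr}=*)",
    ]
    if cfg.get("ldap_id_mapping"):
        # ID mapping requires the SID attribute to be present; when its name is
        # unset, formatting a NULL string in C yields the literal "(null)".
        sid_attr = cfg.get("ldap_user_objectsid")
        parts.append(f"({sid_attr if sid_attr is not None else '(null)'}=*)")
    return "(&" + "".join(parts) + ")"


def find_bad_attrs(ldap_filter):
    """Return attribute names in simple (attr=value) items that fail ATTR_RE.

    The item regex also captures a parenthesised token such as "(null)", so a
    filter that would be rejected as 'Bad search filter' is flagged before use.
    """
    attrs = re.findall(r"\((\(?[^=()]*\)?)=[^()]*\)", ldap_filter)
    return [a for a in attrs if not ATTR_RE.match(a)]


if __name__ == "__main__":
    for label, cfg in (("poster", POSTER_CONFIG), ("fixed", FIXED_CONFIG)):
        f = build_user_filter(cfg, "christian.tardif1")
        print(label, f, "bad attrs:", find_bad_attrs(f))
```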