Hello,
Many moons ago, I had asked about the ability to allow users to log in with email addresses. It seems my wish was granted with a recent upgrade of sssd (when we updated to RHEL/Cent 7.3?). I don't wish to look a gift horse in the mouth, but it is causing some weirdness with some of our applications that are set up to use the host systems to authenticate. Anyone have any ideas on whether this is a bug (if so, I like it, so don't change it :-) )? Or how to fix it so we can disable this "feature" until we can make use of it?

We turned the logs up to 11 and noticed this entry (names have been changed to protect the innocent):

(Tue Jan 17 21:43:11 2017) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|([email protected])([email protected])(krbPrincipalName=myuser\\@[email protected]))(objectclass=user)(&(uidNumber=*)(!(uidNumber=0))))][ou=users,ou=production,ou=Customers,dc=mydomain,dc=example,dc=com].

This may not be helpful, but I'm curious if there was some new feature introduced to have sssd use the mail address if it "looks like a mail address". sssd was bumped to 1.14.0 based on "sssd --version". My configs haven't changed in a long time (2 years). Please be gentle when commenting on the setup, as this was done while still figuring out how to use sssd with help from the community (docs, developers, etc.).
[domain/mydomain]
id_provider = ldap
auth_provider = krb5
access_provider = ldap
ldap_use_tokengroups = False
ldap_group_nesting_level = 0
cache_credentials = True
case_sensitive = true
account_cache_expiration = 5
enumerate = False # for performance
ldap_referrals = False
ldap_id_mapping = False
ignore_group_members = True
# provide the schema for services for unix
ldap_schema = rfc2307bis
ldap_id_use_start_tls = True
ldap_tls_reqcert = allow
ldap_tls_cacertdir = /etc/sssd/certs
ldap_search_timeout = 6
ldap_disable_range_retrieval = False
ldap_default_authtok_type = obfuscated_password
ldap_default_bind_dn = <removed>
ldap_default_authtok = <removed>
ldap_search_base = <removed>?subtree?
ldap_user_search_base = <removed>
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_name = sAMAccountName
ldap_group_search_base = ou=Groups,...
ldap_group_object_class = group
ldap_access_filter = memberOf=cn=enabled,ou=Groups,ou=...
ldap_access_order = filter
ldap_force_upper_case_realm = True # required
krb5_canonicalize = False
krb5_store_password_if_offline = True
krb5_server = <removed>
krb5_backup_server = <removed>
krb5_realm = MYDOMAIN.EXAMPLE.COM
krb5_renewable_lifetime = 7d
krb5_auth_timeout = 15
krb5_lifetime = 24h

Still digging myself but haven't turned over the relevant rock.

=G=
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
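Added example (not from the poster or the sssd project): a small parser for the RFC 4515 filter string that sssd prints at debug level 0x0400, listing which attributes a user lookup compares against, so a debug log can be checked for an e-mail attribute among the OR alternatives. The sample log line is constructed on the pattern of the one quoted above, with the redacted pairs filled in with placeholder attribute names and values; `mail` as the attribute name and the placeholder search base are assumptions.

```python
import re

# Constructed sample modelled on the debug line in the post; redacted pairs are placeholders.
SAMPLE_LOG = (
    "(Tue Jan 17 21:43:11 2017) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] "
    "(0x0400): calling ldap_search_ext with [(&(|(sAMAccountName=myuser@example.com)"
    "(mail=myuser@example.com)(krbPrincipalName=myuser\\@example.com@MYDOMAIN.EXAMPLE.COM))"
    "(objectclass=user)(&(uidNumber=*)(!(uidNumber=0))))][ou=users,dc=mydomain,dc=example,dc=com]."
)
FILTER_RE = re.compile(r"calling ldap_search_ext with \[(\(.*\))\]\[([^\]]*)\]")

def extract_filter(line):
    """Return (filter_string, search_base) from an sdap debug line, or None."""
    m = FILTER_RE.search(line)
    return (m.group(1), m.group(2)) if m else None

def parse_filter(s, i=0):
    """RFC 4515 filter -> (node, next_index); node is ('&'|'|', [children]),
    ('!', child) or ('=', attribute, value)."""
    assert s[i] == "(", "filter item must start with '('"
    i += 1
    if s[i] in "&|":                      # AND / OR over nested items
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        node = (op, kids)
    elif s[i] == "!":                     # NOT over a single item
        kid, i = parse_filter(s, i + 1)
        node = ("!", kid)
    else:                                 # attr=value; RFC 4515 escapes ')' in values as \29
        j = s.index(")", i)
        attr, _, value = s[i:j].partition("=")
        node, i = ("=", attr, value), j
    assert s[i] == ")", "unbalanced filter"
    return node, i + 1

def matched_attributes(node):
    """Attribute names the filter compares against, in order of appearance."""
    if node[0] in ("&", "|"):
        return [a for kid in node[1] for a in matched_attributes(kid)]
    if node[0] == "!":
        return matched_attributes(node[1])
    return [node[1]]

def lookup_attributes(line):
    """Attributes an sssd user lookup tries to match, read off its debug log line."""
    flt, _base = extract_filter(line)
    return matched_attributes(parse_filter(flt)[0])
```

Run `lookup_attributes` over the real (unredacted) debug line to see whether the lookup's OR branch includes the configured e-mail attribute alongside the login name and principal.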
