On 05/10/2013 02:28 PM, Brandon Foster wrote:
Cool, that did it, and enumerate = true made the grep command work as well.
Enumeration is generally not recommended. The main reason is that it is very resource-draining for the server and the client. It might be fine in your environment, but in general we do not recommend turning enumeration on.
We also do not recommend writing scripts that assume that enumeration is on. It is better to assume that only users who have ever logged in are available on the system. Enumeration might be needed only if you have some other third-party software that relies on the NSS users being available, for example if you use a database and the users that use the database are the same users that are served via SSSD to the DB application. There are other use cases, but they are rare.
thanks!
On Fri, May 10, 2013 at 11:26 AM, Ondrej Valousek ovalousek@vendavo.com wrote:
Sssd does not enumerate by default so this is pretty much expected behaviour. Try "getent passwd username" instead. O.
Sent from Samsung Mobile
Brandon Foster brandon.foster@liferay.com wrote: OK, so after some modification of the LDAP server and use of the override functions I was able to make it work. I can now id test.user and get a result, as well as log in as my LDAP users.
But when I do getent passwd | grep <USER> I don't get anything back.
Any ideas why?
On Thu, May 9, 2013 at 3:32 AM, Jakub Hrozek jhrozek@redhat.com wrote:
On Wed, May 08, 2013 at 01:29:24PM -0400, Dmitri Pal wrote:
On 05/08/2013 12:57 PM, Brandon Foster wrote:
On Wed, May 8, 2013 at 9:52 AM, Sumit Bose sbose@redhat.com wrote:
On Wed, May 08, 2013 at 09:43:48AM -0700, Brandon Foster wrote:
> On Wed, May 8, 2013 at 9:26 AM, Wojtak, Greg (Superfly) GregWojtak@quickenloans.com wrote:
>> I think your syntax is a little off. Try
>>
>> ldapsearch -x -LLL '(&(uid=test.user)(objectClass=posixAccount))' uid uidnumber homedirectory gidnumber loginshell
>>
>> You should have those 5 values returned.
>>
>> --
>> Greg Wojtak
>> Senior Unix Systems Engineer
>> Office: (313) 373-4306
>> Mobile: (734) 718-8472
>>
>> On 5/8/13 11:52 AM, "Brandon Foster" brandon.foster@liferay.com wrote:
>>
>>> On Wed, May 8, 2013 at 5:05 AM, Sumit Bose sbose@redhat.com wrote:
>>>> On Tue, May 07, 2013 at 11:39:45AM -0700, Brandon Foster wrote:
>>>>> Hey all,
>>>>> I'm back with another LDAP question. This time I rebuilt sssd and followed this guide:
>>>>>
>>>>> http://blog.f1linux.com/2013/04/21/howto-part-3-ldap-client-configuration-and-troubleshooting/
>>>>>
>>>>> for setting up LDAP authentication on my CentOS 6.4 system.
>>>>>
>>>>> My firewall is off and SELinux is disabled.
>>>>>
>>>>> When I do an ldapsearch -x "cn=test.user" it returns all the correct information, but doing id test.user returns no user.
>>>> As you can see from the logs, SSSD is using "(&(uid=test.user)(objectclass=posixAccount))" as the search filter. Can you check if ldapsearch with this filter finds the entry as well? Additionally, can you check that the user object is located below the search base you have given in sssd.conf?
>>>>
>>>> HTH
>>>>
>>>> bye,
>>>> Sumit
>>>>> I've attached the log files and all of the relevant files, and maybe some non-relevant ones as well.
>>>>>
>>>>> It appears as though it is searching for the user but is simply not finding anything. Is there an option to search for cn=test.user and not by uid?
>>>>>
>>>>> Any help will be much appreciated.
>>>>> _______________________________________________
>>>>> sssd-users mailing list
>>>>> sssd-users@lists.fedorahosted.org
>>>>> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>>> Thanks for the reply,
>>> the user is definitely under the groups in sssd.conf.
>>>
>>> ldapsearch with objectclass=posixAccount seems to be part of the issue. Also it is searching for uid rather than the cn of the user.
>>>
>>> If I do ldapsearch -x "uid=<UID of test.user>" it works fine.
>>>
>>> If I do ldapsearch -x "uid=<UID of test.user>" "objectclass=posixAccount" it does not.
>>>
>>> ldapsearch -x "uid=test.user" returns all of the users in the search.
>>>
>>> And finally ldapsearch -x "uid=test.user" "objectclass=posixAccount" returns no users.
>>>
>>> So how do I tell my sssd to not use this filter, and to use cn instead of uid?
> Sorry, not too familiar with the ldapsearch commands.
>
> Anyway, test.user is not of objectclass posixAccount, so with that filter nothing comes back. If I change it to cn= and objectclass=<an objectclass test.user is a part of> then it just returns the DN of the user.
>
> ldap_user_name = cn
> ldap_user_object_class =
>
> attributes in sssd.conf seem to be altering these values for me when I search for the id of test.user.
>
> But it can't seem to find uid, uidnumber, homedirectory, gidnumber or loginshell attributes for my users.
It looks like you are using a custom LDAP schema. You can map the default attributes for home directory etc. to other values with
ldap_user_home_directory ldap_user_uid_number ldap_user_gid_number ldap_user_shell
respectively; see man sssd-ldap for more details, e.g. how to map group attributes.
HTH
bye, Sumit
Yeah, a large part of my problem is that I did not set up this LDAP.
Is there a way I can assign, say, a gid or home directory rather than getting it from LDAP?
gid - no
In general you can't override the group list the user is a member of but you can override the primary gid. See the "override_gid" option in man sssd.conf
But with the home directory you can have a local override. See the man pages for more details.
--
Brandon Foster
Infrastructure Administrator
Liferay, Inc. Enterprise. Open Source. For life.
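Pulling the thread's advice together in one sssd.conf fragment, as an added example that is not from any of the list posts or from the SSSD project itself: it maps the user lookup to cn and a custom object class (the schema Brandon describes), maps the POSIX attributes the way Sumit names, uses the override_gid and override_homedir options discussed at the end, and leaves enumeration off as Dmitri recommends. The domain name, server, search base, object class, attribute names, GID value and CA certificate path are all placeholders or assumptions to replace with your own.

```ini
# Added example sssd.conf for an LDAP directory whose user entries are not
# posixAccount objects and are named by cn rather than uid.
# Every ALL_CAPS value is a placeholder; the CA path is an assumed location.
[sssd]
services = nss, pam
domains = LDAP_DOMAIN_NAME

[domain/LDAP_DOMAIN_NAME]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://LDAP_SERVER_HOSTNAME
ldap_search_base = dc=EXAMPLE,dc=COM
# Verify the server certificate so credentials are not sent to an impostor.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt

# Keep enumeration off (the default): logins do not need it, and having
# "getent passwd" list every user is expensive for server and client.
enumerate = false

# Map the lookup filter to the custom schema. Without these two lines SSSD
# searches (&(uid=NAME)(objectClass=posixAccount)) and finds nothing.
ldap_user_object_class = CUSTOM_USER_OBJECT_CLASS
ldap_user_name = cn

# Map the POSIX attributes SSSD needs to whatever the directory uses.
ldap_user_uid_number = CUSTOM_UID_ATTRIBUTE
ldap_user_gid_number = CUSTOM_GID_ATTRIBUTE
ldap_user_home_directory = CUSTOM_HOME_ATTRIBUTE
ldap_user_shell = CUSTOM_SHELL_ATTRIBUTE

# Local overrides where the directory has no usable value.
# override_gid replaces only the primary GID; group membership still comes
# from the directory. override_homedir builds the path from the user name
# (%u) instead of reading the home directory attribute.
override_gid = 10000
override_homedir = /home/%u
```

After editing, restart sssd and check a single user with "getent passwd test.user" or "id test.user"; a bare "getent passwd" listing is not expected to show LDAP users while enumerate is off.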