On Tue 23 Apr 2013 12:55:19 PM EDT, Brandon Foster wrote:
Hey all, I'm new to sssd and LDAP, so be gentle =)
I've followed some guides on how to set up sssd LDAP client authentication on CentOS 6.3, but mine doesn't seem to be working. Here is my sssd.conf:
-----
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]

[domain/default]
auth_provider = ldap
debug_level = 9
enumerate = True
cache_credentials = True
chpass_provider = ldap
entry_cache_timeout = 600
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
ldap_chpass_uri = ldaps://xx.xx.xx.xx:<PORT>/
ldap_force_upper_case_realm = True
id_provider = ldap
ldap_group_member = uniquemember
ldap_group_object_class = group
ldap_id_use_start_tls = False
ldap_pwd_policy = none
ldap_search_base = ou=organizationunit3,ou=organizationunit2,ou=organizationunit1,o=example
ldap_schema = rfc2307bis
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = never
ldap_uri = ldaps://xx.xx.xx.xx:<PORT>/
ldap_user_gecos = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_name = cn
ldap_user_object_class = user
ldapsearch -z 'cn=username' comes back with all the information about the user,
but "id username" takes a really long time and then returns "no such user".
Here is a piece of the log:
...
(Tue Apr 23 12:51:29 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [defaultNamingContext]
(Tue Apr 23 12:51:29 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [lastUSN]
(Tue Apr 23 12:51:29 2013) [sssd[be[default]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [highestCommittedUSN]
To me it looks like it's searching but not finding for some reason.
Any help would be much appreciated.
You truncated the log too early. It is only showing the connection to the LDAP server (and the determination of server capabilities). Please include the actual user search that should follow that.
I'm guessing your user might be missing something important, like uidNumber or gidNumber (or it's stored in a non-standard attribute name).
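A quick way to act on that guess, added here as an example and not code from the thread or from sssd itself: take the ldap_user_* mapping out of sssd.conf, parse the LDIF that ldapsearch returns for the user, and list which of the attributes sssd needs are absent from the entry. It assumes that sssd will not cache a user without a name attribute, a uidNumber and a gidNumber (the REQUIRED set); the sample sssd.conf fragment is a trimmed copy of the one above, the "jdoe" entry is invented, and the function names are the example's own.

```python
import base64
import configparser
from typing import Dict, List

# Defaults sssd applies to the ldap_user_* options when sssd.conf does not
# override them (real option names, rfc2307/rfc2307bis default attributes).
DEFAULT_USER_MAP = {
    "ldap_user_object_class": "posixAccount",
    "ldap_user_name": "uid",
    "ldap_user_uid_number": "uidNumber",
    "ldap_user_gid_number": "gidNumber",
    "ldap_user_home_directory": "homeDirectory",
    "ldap_user_shell": "loginShell",
}
# Assumption of this example: without these three sssd drops the user entry.
REQUIRED = ("ldap_user_name", "ldap_user_uid_number", "ldap_user_gid_number")


def user_map_from_conf(conf_text: str, domain: str = "default") -> Dict[str, str]:
    """Merge the ldap_user_* settings of [domain/<domain>] over the defaults."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    user_map = dict(DEFAULT_USER_MAP)
    section = f"domain/{domain}"
    if cp.has_section(section):
        for key, value in cp.items(section):
            if key in user_map:
                user_map[key] = value.strip()
    return user_map


def parse_ldif_entry(ldif_text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute name lower-cased: [values]}."""
    unfolded: List[str] = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:   # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in unfolded:
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):               # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        # LDAP attribute names compare case-insensitively, so normalise them.
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def check_user_entry(conf_text: str, ldif_text: str, domain: str = "default") -> Dict[str, object]:
    """Report attributes missing from the entry under the configured mapping."""
    user_map = user_map_from_conf(conf_text, domain)
    entry = parse_ldif_entry(ldif_text)
    problems: List[str] = []
    wanted_class = user_map["ldap_user_object_class"]
    if wanted_class.lower() not in {c.lower() for c in entry.get("objectclass", [])}:
        problems.append(f"entry lacks objectClass {wanted_class}")
    missing = [user_map[opt] for opt in REQUIRED if user_map[opt].lower() not in entry]
    problems.extend(f"entry lacks {attr}" for attr in missing)
    # uid/gid values that are not plain integers are rejected as well.
    for opt in ("ldap_user_uid_number", "ldap_user_gid_number"):
        for value in entry.get(user_map[opt].lower(), []):
            if not value.isdigit():
                problems.append(f"{user_map[opt]} is not numeric: {value!r}")
    return {"missing": missing, "problems": problems, "ok": not problems}


# Constructed data: a trimmed sssd.conf modelled on the one in the thread and
# an invented ldapsearch result for "jdoe" that carries no uidNumber.
SAMPLE_CONF = """
[domain/default]
id_provider = ldap
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_name = cn
ldap_user_home_directory = unixHomeDirectory
ldap_user_gecos = displayName
"""

SAMPLE_ENTRY = """\
dn: cn=jdoe,ou=organizationunit3,ou=organizationunit2,ou=organizationunit1,
 o=example
objectClass: top
objectClass: user
cn: jdoe
displayName:: Sm9obiBEb2U=
unixHomeDirectory: /home/jdoe
gidNumber: 10000
"""

if __name__ == "__main__":
    result = check_user_entry(SAMPLE_CONF, SAMPLE_ENTRY)
    for problem in result["problems"]:
        print(problem)
    print("ok" if result["ok"] else "sssd would not cache this user")
```

Against the real server, save the output of ldapsearch -x -H ldaps://xx.xx.xx.xx:<PORT>/ -b '<your ldap_search_base>' '(cn=username)' and pass it in place of SAMPLE_ENTRY. Two points from the posted config are worth fixing regardless of what the check says: ldap_tls_reqcert = never tells sssd not to verify the server certificate, so the ldaps:// URI gives no protection against an impersonated directory (put the CA in ldap_tls_cacertdir and set it to demand), and enumerate = True makes sssd download the entire user and group tree, which is slow on anything but a small directory.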