Hi, I have a short question about how LDAP lookups are done and whether it is possible to modify them. At the moment I have sssd (1.9.2) up and running fine with an LDAP server.
If a user tries to log in with his username (e.g. jsmith) or via the getent command (getent passwd jsmith), sssd creates an LDAP query with "uid=username".
I found this in the logs:
[sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=jsmith)(objectclass=posixAccount))] ...
ldapsearch for this user (jsmith):
[...]
uid: jsmith
description: 2560
givenName: John
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: top
cn: johnsmith
sn: something_else
homeDirectory: /home/jsmith
mail: john.smith@domain.tld
uidNumber: 54321
gidNumber: 12345
[...]
Is it possible to change the default LDAP lookup of sssd, using for example "mail" or "cn" instead of uid? So that the LDAP lookup created by sssd does not look like this: [(&(uid=jsmith)(objectclass=posixAccount))] but like this one: [(&(mail=jsmith)(objectclass=posixAccount))]
Maybe a conf option like "lookup_username_attr = mail" (default: uid) would do the job.
Of course this would fail in this situation, but a user could then log in with his mail address (john.smith@domain.tld) via ssh, for example, and get his usual Unix account "jsmith".
I don't want a mapping or rewrite of the uid field. The Unix account name should still be filled from the uid field of the LDAP entry.
I tried ldap_user_name = mail but then the Unix account names are mapped to the mail attribute.
With a second "Domain Section" a user could use both "login names" to log in via ssh: his Unix account "jsmith" and his mail address "john.smith@domain.tld".
Maybe someone knows whether this is possible or not.
Thanks in advance, M.Soysal
On Wed, Jul 10, 2013 at 06:00:25PM +0200, Mehmet Soysal wrote:
Hi Mehmet,
I can only think of one approach: as attributes in LDAP are multivalued, you could create an additional "uid" attribute value that contains the e-mail as well.
Here is how the SSSD behaves wrt name attributes:
1) If there is a single attribute value, just use it.
2) If the attribute is multivalued:
2a) If the RDN value corresponds to one of the attribute values, use it as the primary name and the others as "aliases".
2b) If the RDN value doesn't match any of the name values, pick the first one.
3) Lookups match both name and alias.
So if you had a multivalued "uid" attribute containing both the name (uid=joe) and the e-mail (uid=joe@example.com), and the name were present in the RDN (uid=joe,ou=users,dc=example,dc=com), then SSSD would store "joe" as the primary name and joe@example.com as the alias, and the NSS responder would match on both "joe" and "joe@example.com".
I can't think of a way that would not require changes on the server side, sorry.
On Wed, 2013-07-10 at 23:32 +0200, Jakub Hrozek wrote:
On Wed, Jul 10, 2013 at 06:00:25PM +0200, Mehmet Soysal wrote:
It's not possible atm, but you could open an RFE against sssd to implement it. We had a request to 'login by email' before.
So if you had a multivalued "uid" attribute containing both the name (uid=joe) and the e-mail (uid=joe@example.com), and the name were present in the RDN (uid=joe,ou=users,dc=example,dc=com), then SSSD would store "joe" as the primary name and joe@example.com as the alias, and the NSS responder would match on both "joe" and "joe@example.com".
I think this would cause you to get entries with multivalued RDNs.
I can't think of a way that would not require changes on the server side, sorry.
There is a way that would require changes in SSSD :-)
Simo.
On Wed, Jul 10, 2013 at 10:08:23PM -0400, Simo Sorce wrote:
On Wed, 2013-07-10 at 23:32 +0200, Jakub Hrozek wrote:
On Wed, Jul 10, 2013 at 06:00:25PM +0200, Mehmet Soysal wrote:
It's not possible atm, but you could open an RFE against sssd to implement it. We had a request to 'login by email' before.
Right, feel free to open an RFE.
I think this would cause you to get entries with multivalued RDNs.
No, it works correctly, I actually tested it.
The user entry on the server looked like this (simplified):
dn: uid=foo,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
uid: foo
uid: foobar
On the client, both "getent passwd foo" and "getent passwd foobar" worked. The entry in the cache looked like this:
dn: name=foo,cn=users,cn=ipa.example.com,cn=sysdb
name: foo
nameAlias: foobar
The catch I ran into is that the default FQDN format is the same as the e-mail format.
I can't think of a way that would not require changes on the server side, sorry.
There is a way that would require changes in SSSD :-)
Sure, but I assumed that changing an entry on the server is an easier way for the user than waiting on unreleased code.
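Added example, not SSSD's own code and not written by anyone in this thread: a small Python model of the name rules Jakub lists in his first reply (single value; RDN-matched primary name with the rest as aliases; lookups matching both), the cache shape he shows above, and the catch that the default fully-qualified name format (user@domain) has the same shape as an e-mail address. It also builds the search filter from the debug log with the login name escaped per RFC 4515, because the login string comes straight from whoever typed it at the prompt. The sample entries are constructed from the thread's joe, foo and jsmith examples; the domain name example.com, the uidNumber values, the treatment of the remaining values as aliases in rule 2b, and the name-splitting rule (split on the last '@') are assumptions and simplifications of what SSSD actually does.

```python
"""Model of the SSSD name-handling rules discussed in the thread (added
example; simplified, not SSSD's own code)."""

# Constructed sample directory entries; names follow the thread's examples.
SAMPLE_ENTRIES = [
    {"dn": "uid=joe,ou=users,dc=example,dc=com",
     "uid": ["joe", "joe@example.com"], "uidNumber": "10001"},
    {"dn": "uid=foo,cn=users,cn=accounts,dc=ipa,dc=example,dc=com",
     "uid": ["foo", "foobar"], "uidNumber": "10002"},
    # RDN attribute is cn, so no uid value matches the RDN (rule 2b).
    {"dn": "cn=johnsmith,ou=users,dc=example,dc=com",
     "uid": ["jsmith", "john.smith@example.com"], "uidNumber": "54321"},
]

# RFC 4515 escaping for values placed inside a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(login, name_attr="uid", objectclass="posixAccount"):
    """The filter shape from the debug log, with the login name escaped so a
    login such as 'a)(uid=*' cannot widen the search."""
    return "(&(%s=%s)(objectclass=%s))" % (
        name_attr, escape_filter_value(login), objectclass)


def rdn_value(dn, attr):
    """Value of the DN's first RDN when its attribute type is `attr`, else None.
    (Naive split on ','; escaped commas in DNs are not handled.)"""
    rdn_attr, _, value = dn.split(",", 1)[0].partition("=")
    return value if rdn_attr.strip().lower() == attr.lower() else None


def pick_names(entry, name_attr="uid"):
    """Rules 1, 2a and 2b: choose the primary name and the aliases.
    For 2b the thread only says 'pick the first one'; treating the remaining
    values as aliases is an assumption."""
    values = entry[name_attr]
    if len(values) == 1:
        return values[0], []
    rdn = rdn_value(entry["dn"], name_attr)
    primary = rdn if rdn in values else values[0]
    return primary, [v for v in values if v != primary]


def build_cache(entries, domain):
    """Cache entries in the shape Jakub showed: name plus nameAlias values."""
    cache = []
    for e in entries:
        primary, aliases = pick_names(e)
        cache.append({"dn": "name=%s,cn=users,cn=%s,cn=sysdb" % (primary, domain),
                      "name": primary, "nameAlias": aliases,
                      "uidNumber": e["uidNumber"]})
    return cache


def lookup(cache, name):
    """Rule 3: a lookup matches the primary name or any alias."""
    for ce in cache:
        if name == ce["name"] or name in ce["nameAlias"]:
            return ce
    return None


def split_fqdn(login):
    """Default fully-qualified name parsing (assumed): anything after the last
    '@' is taken as the domain, which is exactly the shape of an e-mail address."""
    name, sep, dom = login.rpartition("@")
    return (name, dom) if sep else (login, None)


def resolve(cache, domain, login):
    """Client-side resolution as the thread describes it: parse the login as
    user@domain first, then consult name and aliases."""
    name, dom = split_fqdn(login)
    if dom is not None and dom != domain:
        return None          # unknown domain: the alias list is never consulted
    return lookup(cache, name)


if __name__ == "__main__":
    cache = build_cache(SAMPLE_ENTRIES, "example.com")
    print(build_user_filter("jsmith"))
    for login in ("foo", "foobar", "joe@example.com", "john.smith@example.com"):
        hit = resolve(cache, "example.com", login)
        print(login, "->", hit["name"] if hit else "not found")
```

Running it shows that getent-style lookups of foo, foobar and joe@example.com all resolve, while john.smith@example.com does not: it is split into user john.smith in domain example.com before the alias list is ever consulted, which is the catch Jakub describes. A direct lookup() call with the same string does match the alias, so the alias trick works only once the client stops parsing the e-mail form as a fully qualified name (in sssd.conf that parsing is governed by the domain's re_expression; the thread itself does not say how Jakub got around it).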
On 11.07.2013 11:46, Jakub Hrozek wrote:
On Wed, Jul 10, 2013 at 10:08:23PM -0400, Simo Sorce wrote:
On Wed, 2013-07-10 at 23:32 +0200, Jakub Hrozek wrote:
On Wed, Jul 10, 2013 at 06:00:25PM +0200, Mehmet Soysal wrote:
It's not possible atm, but you could open an RFE against sssd to implement it. We had a request to 'login by email' before.
Right, feel free to open an RFE.
I can open an RFE. Maybe there are more people who would be interested in this kind of feature.
I can't think of a way that would not require changes on the server side, sorry.
There is a way that would require changes in SSSD :-)
With the mentioned option "lookup_username_attr" this feature could be solved client-side and would not need changes on the server. Changing this on the server side would sometimes also cause changes in the whole user-management infrastructure.
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users