So, I've got an....interesting problem...
At a new gig, which has been using a product called Centrify to do unix auth for systems for a while now (years and years). Now that the team is more built up, we want to move away from this, as a number of us have done sssd + ldap + kerberos with AD a few times.
However, Centrify has done some odd things with user and group objects. The biggest issues are that 1) they are not normal person/user/group/posixGroup objects, and 2) they keep the most important attributes (uid, homedir, shell, etc.) all stuffed into ONE attribute, "keywords".
So, a ldap query of a user object ends up being this:
<snip>
objectClass: top
objectClass: leaf
objectClass: connectionPoint
objectClass: serviceConnectionPoint
cn: mn174
<snip>
name: mn174
objectGUID:: Kq81FaqN50eFDZK9+57CZQ==
keywords: shell:/bin/zsh
keywords: gecos:Matthew Nicholson
keywords: altGuid:
keywords: uid:133859
keywords: unix_enabled:TRUE
keywords: parentLink:S-1-5-21-1935655697-484061587-839522115-314656
keywords: home:/home/mn174
keywords: gid:2133859
</snip>
So, right now, while I COULD get sssd to find the object, I can't get it to pull out the important attributes like uid etc.
Is there any way to tell sssd to do attribute sub-queries? Basically "the uid is in the keywords attribute, sub-attribute uid"?
I'm less than pleased this product did such things. Thankfully it does have a NIS server, so worst case I'm going to dump all the users/groups and import them into AD proper (which DOES have the same account/group info, just not with all the attributes at the moment).
On Fri, Nov 20, 2015 at 03:41:12PM +0000, Matthew Nicholson wrote:
> So, I've got an....interesting problem...
> At a new gig, which has been using a product called Centrify to do unix auth for systems for a while now (years and years). Now that the team is more built up, we want to move away from this, as a number of us have done sssd + ldap + kerberos with AD a few times.
> However, Centrify has done some odd things with user and group objects. The biggest issues are that 1) they are not normal person/user/group/posixGroup objects, and 2) they keep the most important attributes (uid, homedir, shell, etc.) all stuffed into ONE attribute, "keywords".
> So, a ldap query of a user object ends up being this:
> <snip>
> objectClass: top
> objectClass: leaf
> objectClass: connectionPoint
> objectClass: serviceConnectionPoint
> cn: mn174
> <snip>
> name: mn174
> objectGUID:: Kq81FaqN50eFDZK9+57CZQ==
> keywords: shell:/bin/zsh
> keywords: gecos:Matthew Nicholson
> keywords: altGuid:
> keywords: uid:133859
> keywords: unix_enabled:TRUE
> keywords: parentLink:S-1-5-21-1935655697-484061587-839522115-314656
> keywords: home:/home/mn174
> keywords: gid:2133859
> </snip>
> So, right now, while I COULD get sssd to find the object, I can't get it to pull out the important attributes like uid etc.
> Is there any way to tell sssd to do attribute sub-queries? Basically "the uid is in the keywords attribute, sub-attribute uid"?
Since the uid is not directly addressable by LDAP queries, I can think of no way to make it work with SSSD. Additionally, even if it would work, you would be required to continue running Centrify to get those values created for new users.
I would suggest using the override feature of SSSD, which is available as local overrides and as centrally managed overrides with IPA. With this you can switch off Centrify after the overrides are created. New users and groups are then handled by SSSD directly and get their POSIX attributes depending on the SSSD configuration.
bye, Sumit
> I'm less than pleased this product did such things. Thankfully it does have a NIS server, so worst case I'm going to dump all the users/groups and import them into AD proper (which DOES have the same account/group info, just not with all the attributes at the moment).
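As an added example (not from the thread, SSSD or Centrify), one way to carry out Sumit's suggestion: parse the "key:value" strings packed into a Centrify entry's keywords attribute and emit the arguments for an sss_override local override. The sample entry is the one quoted above, trimmed; the sss_override option letters (-u, -g, -h, -s, -c) are assumed from sss_override(8), so check them against your version.

```python
# Constructed sample: the thread's entry, trimmed to the attributes used here.
SAMPLE_LDIF = """\
cn: mn174
name: mn174
keywords: shell:/bin/zsh
keywords: gecos:Matthew Nicholson
keywords: altGuid:
keywords: uid:133859
keywords: unix_enabled:TRUE
keywords: parentLink:S-1-5-21-1935655697-484061587-839522115-314656
keywords: home:/home/mn174
keywords: gid:2133859
"""

def parse_entry(ldif_text):
    """Return (cn, {sub-key: value}); only the first ':' in a keywords value splits key/value."""
    cn, kw = None, {}
    for line in ldif_text.splitlines():
        attr, sep, value = line.partition(": ")
        if not sep:
            continue                     # blank line or something that is not "attr: value"
        if attr == "cn":
            cn = value
        elif attr == "keywords":
            sub, _, subval = value.partition(":")
            kw[sub] = subval             # empty value (altGuid:) is kept as ""
    return cn, kw

def posix_from_keywords(kw):
    """Pick the POSIX fields SSSD needs; refuse entries not flagged unix_enabled."""
    if kw.get("unix_enabled", "").upper() != "TRUE":
        raise ValueError("account is not unix_enabled")
    missing = [k for k in ("uid", "gid", "home", "shell") if not kw.get(k)]
    if missing:
        raise ValueError("keywords lack required fields: " + ", ".join(missing))
    return {"uid": int(kw["uid"]), "gid": int(kw["gid"]), "home": kw["home"],
            "shell": kw["shell"], "gecos": kw.get("gecos", "")}

def sss_override_cmd(cn, posix):
    """argv for a local override (option letters assumed from sss_override(8))."""
    argv = ["sss_override", "user-add", cn, "-u", str(posix["uid"]),
            "-g", str(posix["gid"]), "-h", posix["home"], "-s", posix["shell"]]
    if posix["gecos"]:
        argv += ["-c", posix["gecos"]]
    return argv

if __name__ == "__main__":
    cn, kw = parse_entry(SAMPLE_LDIF)
    print(sss_override_cmd(cn, posix_from_keywords(kw)))
```

Run it over each entry of an ldapsearch dump (one entry per blank-line-separated block) and review the generated commands before applying them, since the override, not AD, will then be the source of the POSIX values.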
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org