Hello,
I am trying to use sssd in our environment where unfortunately we have a broken ldap implementation with no options to fix it.
We have an openldap implementation where our 'uid' field can contain many attributes, some containing a 'uid' and others containing 'uid@functional-unit'. Some users have in their ldap account a single 'uid@functional-unit' whereas others have 'uid' and potentially many 'uid@functional-unit'.
sssd does the right thing for most cases with multiple attributes; just providing the first returned attribute (which is 'uid'). However, I am experiencing problems with users that have only a 'uid@functional-unit' entry.
I want to configure sssd so that both 'uid' and 'uid@functional-unit' are represented from sssd as 'uid'.
Please see below for some examples of what I'm talking about and my current configuration.
[~]$ getent passwd user1
user1:*:90001:20010:user1:/home/user1:/bin/bash
[~]$ getent passwd |grep user2
user2@functional-unit:*:85010:20010:user2:/home/user2@functional-unit:/bin/bash
[~]$

Note: I can't do a 'getent passwd user2' or 'getent passwd user2@functional-unit' - neither option works.
I want to be able to 'getent passwd user2' and see no reference of the 'functional-unit'.
Current sssd config (I'm using sssd-1.9.2-129.el6.x86_64 on RHEL6):
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss
domains = default

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
override_homedir = /home/%u
allowed_shells = /bin/bash
shell_fallback = /bin/bash

[pam]
reconnection_retries = 3

[domain/default]
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))
debug_level = 2
enumerate = true
cache_credentials = true
use_fully_qualified_names = false
id_provider = ldap
access_provider = ldap
auth_provider = krb5
chpass_provider = none
entry_cache_timeout = 5400
entry_cache_user_timeout = 1800
entry_cache_group_timeout = 5400
min_id = 1000

ldap_uri = ldap://ldap.example.com
ldap_search_base = c=com?sub?(&(objectClass=posixAccount)(|(memberOf=group-1)(memberOf=group-2)))

krb5_realm = EXAMPLE.COM
krb5_server = example.com
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
krb5_ccachedir = /tmp
I have been trying to address this issue with various permutations of re_expression but seem to be failing miserably. If anyone has any suggestions it would be most appreciated!
On Fri, Nov 29, 2013 at 03:17:44PM +0100, Ben Morrice wrote:
> Hello,
> I am trying to use sssd in our environment where unfortunately we have a broken ldap implementation with no options to fix it.
> We have an openldap implementation where our 'uid' field can contain many attributes, some containing a 'uid' and others containing 'uid@functional-unit'. Some users have in their ldap account a single 'uid@functional-unit' whereas others have 'uid' and potentially many 'uid@functional-unit'.
> sssd does the right thing for most cases with multiple attributes; just providing the first returned attribute (which is 'uid'). However, I am experiencing problems with users that have only a 'uid@functional-unit' entry.
> I want to configure sssd so that both 'uid' and 'uid@functional-unit' are represented from sssd as 'uid'.
I'm not sure there is a way to have both format represented as uid, sorry.
> Please see below for some examples of what I'm talking about and my current configuration.
>
> [~]$ getent passwd user1
> user1:*:90001:20010:user1:/home/user1:/bin/bash
> [~]$ getent passwd |grep user2
> user2@functional-unit:*:85010:20010:user2:/home/user2@functional-unit:/bin/bash
> [~]$
>
> Note: I can't do a 'getent passwd user2' or 'getent passwd user2@functional-unit' - neither option works.
You'd have to query the name as present in LDAP, that is user@functional-unit. The reason it doesn't work out-of-the-box is that the SSSD uses username@domain to qualify entries in one particular domain. You can change that setting with:

re_expression = (?P<name>.+)

in the [sssd] or [domain] section.
I would advise fixing your server.
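To make the reply's point concrete, here is an added example (not code from the thread or from sssd) that applies the default re_expression from the config above and the suggested flat one to the login strings in question. Python's re module does not allow a group name to be reused, so the three alternatives of the default expression are tried in order, which is equivalent to PCRE alternation for these inputs; the configured domain list and the "domain must be configured" check are a simplified model of sssd's qualification step.

```python
import re

# The three alternatives of the default sssd re_expression, in the order they
# appear in the config above. Python's re rejects duplicate group names, so they
# are tried one after another instead of being joined with '|'.
DEFAULT_RE_EXPRESSION = [
    r"^(?P<domain>[^\\]+)\\(?P<name>.+)$",  # DOMAIN\name
    r"^(?P<name>[^@]+)@(?P<domain>.+)$",    # name@domain
    r"^(?P<name>[^@\\]+)$",                 # bare name, no separator
]

# The replacement suggested in the reply: the whole string is the name.
FLAT_RE_EXPRESSION = [r"^(?P<name>.+)$"]


def parse_name(login, expression):
    """Split a login into (name, domain) using the first matching alternative.

    Returns None when nothing matches, i.e. the name is unparseable.
    """
    for alternative in expression:
        m = re.match(alternative, login)
        if m:
            return m.group("name"), m.groupdict().get("domain")
    return None


def lookup_domain(login, expression, configured_domains=("default",)):
    """Simplified model of name qualification (assumption, not sssd's code).

    A domain part that is not a configured sssd domain makes the lookup fail;
    this is why 'getent passwd user2@functional-unit' gets nothing with the
    default expression, while the flat expression keeps the whole string as
    the name and resolves it in the single configured domain.
    """
    parsed = parse_name(login, expression)
    if parsed is None:
        return None
    name, domain = parsed
    if domain is not None and domain not in configured_domains:
        return None
    return name, domain or configured_domains[0]
```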
sssd-users@lists.fedorahosted.org