Hello,
Many moons ago, I had asked about the ability to allow users to log in with email addresses. It seems my wish was granted with a recent upgrade of sssd (when we updated to RHEL/Cent 7.3?). I don't wish to look a gift horse in the mouth but it is causing some weirdness with some of our applications that are set up to use the host systems to authenticate.
Anyone have any ideas on whether this is a bug (if so, I like it so don't change it :-) )? Or how to fix it so we can disable this "feature" until we can make use of it?
We turned the logs up to 11 and noticed this entry (names have been changed to protect the innocent):
(Tue Jan 17 21:43:11 2017) [sssd[be[mydomain]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(krbPrincipalName=myuser@example.com)(mail=myuser@example.com)(krbPrincipalName=myuser\@example.com@MYDOMAIN.EXAMPLE.COM))(objectclass=user)(&(uidNumber=*)(!(uidNumber=0))))][ou=users,ou=production,ou=Customers,dc=mydomain,dc=example,dc=com].
This may not be helpful but I'm curious if there was some new feature introduced to have sssd use the mail address if it "looks like a mail address". sssd was bumped to 1.14.0 based on "sssd --version". My configs haven't changed in a long time (2 years). Please be gentle when commenting on the setup as this was done while still figuring out how to use sssd with help from the community (docs, developers, etc).
[domain/mydomain]
id_provider = ldap
auth_provider = krb5
access_provider = ldap

ldap_use_tokengroups = False
ldap_group_nesting_level = 0
cache_credentials = True
case_sensitive = true
account_cache_expiration = 5
enumerate = False

# for performance
ldap_referrals = False
ldap_id_mapping = False
ignore_group_members = True

# provide the schema for services for unix
ldap_schema = rfc2307bis

ldap_id_use_start_tls = True
ldap_tls_reqcert = allow
ldap_tls_cacertdir = /etc/sssd/certs
ldap_search_timeout = 6
ldap_disable_range_retrieval = False
ldap_default_authtok_type = obfuscated_password
ldap_default_bind_dn = <removed>
ldap_default_authtok = <removed>
ldap_search_base = <removed>?subtree?

ldap_user_search_base = <removed>
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_name = sAMAccountName

ldap_group_search_base = ou=Groups,...
ldap_group_object_class = group

ldap_access_filter = memberOf=cn=enabled,ou=Groups,ou=...
ldap_access_order = filter
ldap_force_upper_case_realm = True

# required
krb5_canonicalize = False
krb5_store_password_if_offline = True

krb5_server = <removed>
krb5_backup_server = <removed>
krb5_realm = MYDOMAIN.EXAMPLE.COM
krb5_renewable_lifetime = 7d
krb5_auth_timeout = 15
krb5_lifetime = 24h
Still digging myself but haven't turned over the relevant rock.
=G=
It seems this is by design. Reading https://tools.ietf.org/html/rfc6806.html#section-5, and the release notes for 1.14.1 that one of my coworkers found, this is expected behavior, but I don't see a way to disable it short of pointing ldap_user_email to a bogus attribute. I'm guessing this was ported to the 1.14.0 release that went out with 7.3.
=G=
On Tue, Jan 17, 2017 at 10:22:21PM +0000, Galen Johnson wrote:
It seems this is by design. Reading https://tools.ietf.org/html/rfc6806.html#section-5, and the release notes for 1.14.1 that one of my coworkers found, this is expected behavior, but I don't see a way to disable it short of pointing ldap_user_email to a bogus attribute. I'm guessing this was ported to the 1.14.0 release that went out with 7.3.
Hi,
What kind of issues are you seeing? Do the applications use the short name or a fully qualified name (i.e. one that contains an '@' character)?
As you said, you can disable the lookup by email if you set ldap_user_email to a non-existing attribute name.
bye, Sumit
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
After getting a better understanding of this functionality, I don't believe the problem lies with sssd. It's more that the application doesn't necessarily understand that 'bob@example.com' and 'bob' are the same user. We also have the challenge that the application itself sees '@' and tries to be 'helpful' by preparsing the user information and assumes that it needs to talk to the domain after the '@' rather than just send the id as entered and let the backend authentication provider take care of it. It's a fairly legacy application, but we think we have a way to leverage this; it is going to require some thorough testing to make sure. Worst case, I take the out and disable the ability so logins fail when users use an email address. I'm hopeful I won't have to do that. Thanks for the work everyone has done to get here. My life got immensely less complicated with sssd (over LDAP+Kerberos+Samba).
=G=
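Added example, not part of the thread and not sssd's own code: a small Python model of the lookup behind the filter in the debug log above, written to show which clause Sumit's ldap_user_email workaround neutralizes and what it leaves alone (which is why an application that pre-parses on '@' still gets to see logins sssd would have accepted whole). The attribute and option names (sAMAccountName, mail, krbPrincipalName, ldap_user_email) and the realm MYDOMAIN.EXAMPLE.COM are taken from the posted config and log; the DomainConfig class, the matching rules, the function names and the sample directory entries are my assumptions for illustration, not sssd internals.

```python
"""Added example, not sssd's code: a simplified model of the user lookup
behind the filter in the debug log above, and what pointing ldap_user_email
at a non-existent attribute does to it.  Attribute names (sAMAccountName,
mail, krbPrincipalName) and the realm come from the thread; the matching
rules and the sample directory below are constructed for illustration and
are not sssd's internal logic."""

from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 4515 section 3: these characters must be hex-escaped in an assertion
# value.  A user-typed login name must never be spliced into a filter raw.
_LDAP_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def ldap_escape(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class DomainConfig:
    """The few sssd.conf options the lookup depends on (assumed mapping)."""
    realm: str = "MYDOMAIN.EXAMPLE.COM"   # krb5_realm
    name_attr: str = "sAMAccountName"     # ldap_user_name
    email_attr: str = "mail"              # ldap_user_email (the default)
    object_class: str = "user"            # ldap_user_object_class


def krb_principal(login: str, cfg: DomainConfig) -> str:
    """Principal for the whole login name in the domain's realm.  An '@' in
    the name part is backslash-escaped, as in the third clause of the log."""
    return login.replace("@", "\\@") + "@" + cfg.realm


def build_user_filter(login: str, cfg: DomainConfig) -> str:
    """Filter string of the shape seen in the log.  The log shows the escaped
    '@' backslash verbatim; here it is hex-escaped as RFC 4515 requires, so
    that one byte differs from sssd's output."""
    common = f"(objectclass={cfg.object_class})(&(uidNumber=*)(!(uidNumber=0)))"
    if "@" not in login:
        # Short name: plain lookup by the configured name attribute.
        return f"(&({cfg.name_attr}={ldap_escape(login)}){common})"
    v = ldap_escape(login)
    # Fully qualified form: principal, e-mail address, or principal-in-realm.
    alternatives = (f"(krbPrincipalName={v})"
                    f"({cfg.email_attr}={v})"
                    f"(krbPrincipalName={ldap_escape(krb_principal(login, cfg))})")
    return f"(&(|{alternatives}){common})"


def resolve_user(login: str, entries: List[Dict], cfg: DomainConfig) -> Optional[Dict]:
    """Apply the same logic to in-memory entries (stand-in for the directory).
    Matching is exact, mirroring case_sensitive = true in the posted config."""
    def matches(e: Dict) -> bool:
        if cfg.object_class not in e.get("objectclass", []):
            return False
        if not e.get("uidNumber"):          # uidNumber=* and uidNumber!=0
            return False
        if "@" not in login:
            return e.get(cfg.name_attr) == login
        return (e.get("krbPrincipalName") == login
                or e.get(cfg.email_attr) == login
                or e.get("krbPrincipalName") == krb_principal(login, cfg))
    hits = [e for e in entries if matches(e)]
    return hits[0] if hits else None


# Constructed sample entries, not from the thread.
SAMPLE_DIRECTORY = [
    {"objectclass": ["user"], "uidNumber": 10001, "sAMAccountName": "bob",
     "mail": "bob@example.com", "krbPrincipalName": "bob@MYDOMAIN.EXAMPLE.COM"},
    {"objectclass": ["user"], "uidNumber": 0, "sAMAccountName": "admin",
     "mail": "admin@example.com"},      # uid 0: filtered out regardless of name
]


if __name__ == "__main__":
    default = DomainConfig()
    workaround = DomainConfig(email_attr="noSuchAttribute")   # Sumit's suggestion
    print(build_user_filter("myuser@example.com", default))
    for login in ("bob", "bob@example.com", "bob@MYDOMAIN.EXAMPLE.COM"):
        print(login, "->",
              resolve_user(login, SAMPLE_DIRECTORY, default) is not None,
              resolve_user(login, SAMPLE_DIRECTORY, workaround) is not None)
```

Two things worth checking before relying on the workaround: pointing ldap_user_email at an attribute that does not exist only removes the mail= branch, so a login typed as user@REALM still resolves through krbPrincipalName, and the application's habit of splitting on '@' will still see those; and whatever builds the filter must escape the login name (RFC 4515), since an e-mail-style login is user-controlled text that now reaches the search filter in three places rather than one.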