Hi,
I'm using sssd with LDAP backend / domain. I wonder if there is a way to influence the attributes which are queried by sssd? Like not just the mapping but which attributes are ok to be queried and which attributes should not? I have some cloud servers which are accessing our internal directory via slapd (proxy).
I have two questions re this:
1. I use "services: nss,pam", so why is sssd querying sudoers information via the ldap domain like:
ldap filter used by sssd: "(&(?objectClass=sudoRole)(|(!(?sudoHost=*))(?sudoHost=ALL)(?sudoHost=ip-xx-xx-xx-xx)(?sudoHost=ip-xx-xx-xx-xx)(?sudoHost=xx.xx.xx.xx)(?sudoHost=xx.xx.xx.xx/xx)?sudoHost=+*)(|(?sudoHost=*\5C*)(?sudoHost=*?*)(?sudoHost=*\2A*)(?sudoHost=*[*]*))))"
2. I as well would like to modify the attributes which are queried by sssd. I would like sssd NOT to query "userPassword" for example. A lot of other attributes which are queried are not relevant in my environment as well e.g. the "krb*" attributes.
ldap attributes queried by sssd: objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn GroupMembership modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host rhost loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey userCertificate;binary mail
Is it possible to influence this behavior somehow? I tried user_attributes in the domain section as well as in the nss section, without success, e.g. "user_attributes = -userPassword".
Any help or clarifying words are appreciated. Have a great day, M
On (26/03/19 14:21), Martin Hansen wrote:
Hi,
I'm using sssd with LDAP backend / domain. I wonder if there is a way to influence the attributes which are queried by sssd? Like not just the mapping but which attributes are ok to be queried and which attributes should not? I have some cloud servers which are accessing our internal directory via slapd (proxy).
I have two questions re this:
- I use "services: nss,pam", so why is sssd querying sudoers information via the ldap domain like:
ldap filter used by sssd: "(&(?objectClass=sudoRole)(|(!(?sudoHost=*))(?sudoHost=ALL)(?sudoHost=ip-xx-xx-xx-xx)(?sudoHost=ip-xx-xx-xx-xx)(?sudoHost=xx.xx.xx.xx)(?sudoHost=xx.xx.xx.xx/xx)?sudoHost=+*)(|(?sudoHost=*\5C*)(?sudoHost=*?*)(?sudoHost=*\2A*)(?sudoHost=*[*]*))))"
Previously, there was some heuristic when the sudo provider was enabled.
man sssd.conf says: sudo_provider (string) The SUDO provider used for the domain. Supported SUDO providers are:
“ldap” for rules stored in LDAP. See sssd-ldap(5) for more information on configuring LDAP.
“ipa” the same as “ldap” but with IPA default settings.
“ad” the same as “ldap” but with AD default settings.
“none” disables SUDO explicitly.
Default: The value of “id_provider” is used if it is set.
The detailed instructions for configuration of sudo_provider are in the manual page sssd-sudo(5). There are many configuration options that can be used to adjust the behavior. Please refer to "ldap_sudo_*" in sssd-ldap(5).
NOTE: Sudo rules are periodically downloaded in the background unless the sudo provider is explicitly disabled. Set sudo_provider = None to disable all sudo-related activity in SSSD if you do not want to use sudo with SSSD at all.
Just disable sudo provider and such queries will be gone.
- I as well would like to modify the attributes which are queried by sssd. I would like sssd NOT to query "userPassword" for example. A lot of other attributes which are queried are not relevant in my environment as well e.g. the "krb*" attributes.
ldap attributes queried by sssd: objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn GroupMembership modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host rhost loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey userCertificate;binary mail
Is it possible to influence this behavior somehow? I tried user_attributes in the domain section as well as in the nss section, without success, e.g. "user_attributes = -userPassword".
Any help or clarifying words are appreciated. Have a great day
krb* related options should be checked just for `auth_provider = krb5`
You did not share your sssd.conf but you might override some attributes in sssd.conf (check man page sssd-ldap)
LS
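An added example, not from the thread or the sssd project, that applies the default rule Lukas quotes from sssd.conf(5): a *_provider left unset in a [domain/...] section resolves to the value of id_provider, so an LDAP domain with no sudo_provider line keeps refreshing sudo rules even when services lists only nss and pam. The sample sssd.conf is constructed after the poster's, the list of providers sharing that fallback is taken from sssd.conf(5), and the helper names (parse_sssd_conf, effective_providers, background_sudo_domains) are this example's own.

```python
import configparser
# Providers that sssd.conf(5) documents as defaulting to id_provider when
# unset (the thread quotes that rule for sudo_provider; the rest share it).
ID_FALLBACK = ("auth_provider", "sudo_provider", "autofs_provider", "selinux_provider",
               "subdomains_provider", "session_provider", "hostid_provider")
SUDO_CAPABLE = ("ldap", "ipa", "ad")  # backends the quoted man page lists for sudo

# Constructed sample modeled on the poster's config before the fix: only the
# nss and pam responders run, and the LDAP domain sets no sudo_provider.
SAMPLE_CONF = """\
[sssd]
services = nss, pam

[domain/files]
id_provider = files

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
chpass_provider = none
selinux_provider = none
"""

def parse_sssd_conf(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp

def effective_providers(text):
    """Return {domain: {provider: (value, explicit)}} with defaults resolved."""
    out = {}
    cp = parse_sssd_conf(text)
    for section in (s for s in cp.sections() if s.startswith("domain/")):
        dom = cp[section]
        id_prov = dom.get("id_provider")
        resolved = {"id_provider": (id_prov, True)}
        for name in ID_FALLBACK:  # unset -> inherits the id_provider value
            resolved[name] = (dom[name], True) if name in dom else (id_prov, False)
        out[section[len("domain/"):]] = resolved
    return out

def background_sudo_domains(text):
    """Domains that keep downloading sudo rules in the background: the resolved
    sudo_provider is a sudo-capable backend although 'sudo' is not in services."""
    services = [s.strip() for s in
                parse_sssd_conf(text).get("sssd", "services", fallback="").split(",")]
    return [(dom, provs["sudo_provider"][0], provs["sudo_provider"][1])
            for dom, provs in effective_providers(text).items()
            if provs["sudo_provider"][0] in SUDO_CAPABLE and "sudo" not in services]
```

Adding `sudo_provider = none` to the [domain/LDAP] section of the sample makes background_sudo_domains return an empty list, which is the fix the poster confirmed.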
Not sure if it helps with the attribute query use case but perhaps incorporating attribute=value directives in the base, or user search base directives:
ldap_user_search_base = ou=users,dc=example,dc=com?onelevel?someAttribute=*
-- lawrence
On Tue, Mar 26, 2019 at 11:45 AM Lukas Slebodnik lslebodn@redhat.com wrote:
Hi,
thank you both very much!
re 1. I did set "sudo_provider = none" which works indeed, so I got rid of some LDAP queries, thanks heaps for the hint!!
2. I as well tried the idea with the ldap_user_search_base to get rid of the queried attribute userPassword, but that just modifies the LDAP search filter, so doesn't help.
Is it that a standard set of attributes is queried by sssd which cannot be changed/modified? (Besides the fact that some attribute names could be "rewritten/mapped"). I couldn't find a way to exclude some of the queried attributes, what am I missing?
Relevant lines from /etc/nsswitch.conf:
passwd: files sss
group:  files sss
my present sssd.conf:
[pam]
pam_verbosity = 3

[nss]
filter_users = root
filter_groups = root
reconnection_retries = 3
entry_cache_nowait_percentage = 75

[domain/files]
debug_level = 5
id_provider = files

[domain/LDAP]
debug_level = 5
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = none
sudo_provider = none
selinux_provider = none
subdomains_provider = none
session_provider = none
autofs_provider = none
hostid_provider = none

entry_cache_timeout = 5400
cache_credentials = false

ldap_uri = ldaps://xx.xx.xx.xx:636/
ldap_tls_cacert = /etc/ca_certs.crt
ldap_tls_reqcert = hard
ldap_schema = rfc2307bis
ldap_default_bind_dn = cn=xxxx,ou=Users,....
ldap_default_authtok = *****

ldap_search_base = ou=Users,....
ldap_user_member_of = GroupMembership

ldap_group_search_base = ou=Groups,....
ldap_group_object_class = posixGroup
ldap_group_name = cn
ldap_group_number = gidNumber
ldap_group_member = member

ldap_access_filter = (|(memberOf=XXX,ou=XX,ou=XXX...))
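To check from the client side which attributes sssd really asks the directory for, here is an added example (not part of the thread) that audits the domain's debug log: it groups each ldap_search_ext call with the attributes requested for it and flags userPassword and any sudoRole search. The log lines are constructed to follow the "calling ldap_search_ext with [filter][base]" and "Requesting attrs: [attr]" messages of the sdap backend at a trace debug level (an assumption about the exact format; the poster's debug_level = 5 is too low to emit them), and parse_searches and audit are this example's own helper names.

```python
import re

# Messages the sdap backend writes to sssd_<domain>.log for one search
# (format assumed from the backend's debug output; adjust if yours differs).
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.*)\]\[(?P<base>[^\]]*)\]")
ATTR_RE = re.compile(r"Requesting attrs: \[(?P<attr>[^\]]+)\]")

# Constructed sample: a user lookup that asks for userPassword, followed by
# the background sudo-rule refresh the poster saw (filter shortened).
SAMPLE_LOG = """\
(2019-03-26 14:21:00): [be[LDAP]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=posixAccount)(uid=alice))][ou=Users,dc=example,dc=com].
(2019-03-26 14:21:00): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(2019-03-26 14:21:00): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uid]
(2019-03-26 14:21:00): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(2019-03-26 14:21:00): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(2019-03-26 14:21:05): [be[LDAP]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectClass=sudoRole)(|(!(sudoHost=*))(sudoHost=ALL)(sudoHost=*[*]*)))][ou=Users,dc=example,dc=com].
(2019-03-26 14:21:05): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(2019-03-26 14:21:05): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(2019-03-26 14:21:05): [be[LDAP]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sudoHost]
"""

def parse_searches(log_text):
    """Group every ldap_search_ext call with the attributes requested for it."""
    searches = []
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m:  # a new search starts; later attr lines belong to it
            searches.append({"filter": m["filter"], "base": m["base"], "attrs": []})
            continue
        m = ATTR_RE.search(line)
        if m and searches:
            searches[-1]["attrs"].append(m["attr"])
    return searches

def audit(log_text, sensitive=frozenset({"userpassword"})):
    """Return (index, kind, detail) for sudo-rule searches and for searches that
    request attributes the directory should never hand to a client host."""
    findings = []
    for i, s in enumerate(parse_searches(log_text)):
        if "objectclass=sudorole" in s["filter"].lower():
            findings.append((i, "sudo-rule-search", s["filter"]))
        hits = [a for a in s["attrs"] if a.lower() in sensitive]
        if hits:
            findings.append((i, "sensitive-attr", ", ".join(hits)))
    return findings

if __name__ == "__main__":
    for index, kind, detail in audit(SAMPLE_LOG):
        print(f"search #{index}: {kind}: {detail}")
```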