--On Tuesday, November 1, 2022 7:16 PM +0000 [email protected] wrote:
> Hi,
> I am attempting to have SSSD do logins to my OpenLDAP 2.6.3 installation,
> however, I get "permission denied" when trying to log in because SSSD is
> asking for a password policy, which the server does not appear to have by
> default. Notably, we don't really care what "policy" the server will
> claim to have, because password authentication is delegated via SASL to
> another server which ensures strong passwords. So I just need something
> that will "get past" whatever checks SSSD is doing. What LDIF config can
> I add to my configuration to allow SSSD to let users log in properly?
You could simply load the ppolicy overlay in your configuration so that the
control is available, regardless of whether you intend to use it.
However, nothing in the log you provided shows there was any issue due to
SSSD requesting it.
The BIND operation was successful:
Nov 01 18:16:58 ldapserver00 slapd[105481]: conn=2239 op=1 RESULT tag=97 err=0 qtime=0.000028 etime=0.000136 text=
The SEARCH operation was successful:
Nov 01 18:16:58 ldapserver00 slapd[105481]: conn=2239 op=2 SEARCH RESULT tag=101 err=0 qtime=0.000016 etime=0.000326 nentries=0 text=
The biggest issue seems to be that it is configured to send invalid search
filters, causing ZERO results to be returned (nentries=0 above):
Nov 01 18:16:58 ldapserver00 slapd[105481]: conn=2239 op=2 SRCH base="ou=users,dc=clab,dc=lab" scope=2 deref=0 filter="(&(?objectClass=sudoRole)(|(&(!(?sudoHost=*))(cn=de>
Nov 01 18:16:58 ldapserver00 slapd[105481]: conn=2239 op=2 SRCH attr=objectClass objectClass cn sudoCommand sudoHost sudoUser sudoOption sudoRunAs sudoRunAsUser sudoRunAs>
Note that the "sudoRole" objectClass and the "sudoHost" attribute are not
found. Note that "cn=de>" is not a valid filter.
Regards,
Quanah
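The diagnosis above rests on reading three things out of the slapd log: the BIND RESULT with err=0, the SRCH filter in which slapd prefixes every attribute it cannot resolve against its schema with a "?", and the SEARCH RESULT that reports err=0 but nentries=0. The following script, an added example and not part of the thread, automates that reading over the log lines quoted in the message (embedded below as constructed sample input, rejoined into single lines; the trailing ">" on two of them is where the message itself cut the line short). It groups lines by conn/op, extracts the "?"-marked attributes from each search filter, and flags searches that "succeed" with zero entries while referencing attributes the server does not know. Only the BIND and SEARCH response tags are exercised by the sample; the rest of the tag table is standard LDAP protocol numbering.

```python
import re
from collections import defaultdict

# Constructed sample: the slapd log lines quoted in the thread, one entry per line.
SAMPLE_LOG = """\
Nov 01 18:16:58 ldapserver00 slapd[105481]: conn=2239 op=1 RESULT tag=97 err=0 qtime=0.000028 etime=0.000136 text=
Nov 01 18:16:58 ldapserver00 slapd[105481]: conn=2239 op=2 SRCH base="ou=users,dc=clab,dc=lab" scope=2 deref=0 filter="(&(?objectClass=sudoRole)(|(&(!(?sudoHost=*))(cn=de>
Nov 01 18:16:58 ldapserver00 slapd[105481]: conn=2239 op=2 SRCH attr=objectClass objectClass cn sudoCommand sudoHost sudoUser sudoOption sudoRunAs sudoRunAsUser sudoRunAs>
Nov 01 18:16:58 ldapserver00 slapd[105481]: conn=2239 op=2 SEARCH RESULT tag=101 err=0 qtime=0.000016 etime=0.000326 nentries=0 text=
"""

OP_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")

# slapd writes a '?' in front of attribute names it could not resolve against
# the loaded schema, e.g. "(?objectClass=sudoRole)" when sudo schema is missing.
UNDEFINED_ATTR_RE = re.compile(r"\(\?([A-Za-z][\w;.-]*)")

# LDAP protocol-op tags as they appear in "RESULT tag=N" (RFC 4511 APPLICATION tags).
TAG_NAMES = {97: "BIND", 101: "SEARCH", 103: "MODIFY", 105: "ADD",
             107: "DELETE", 109: "MODDN", 111: "COMPARE", 120: "EXTENDED"}


def parse_slapd_log(text):
    """Group slapd stats-log lines by (conn, op).

    Returns {(conn, op): {"kind", "filter", "undefined", "err", "nentries"}}.
    Only the request line carrying the filter and the RESULT line are used.
    """
    ops = defaultdict(lambda: {"kind": None, "filter": None, "undefined": [],
                               "err": None, "nentries": None})
    for line in text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        rec = ops[(int(m["conn"]), int(m["op"]))]
        rest = m["rest"]
        if rest.startswith("SRCH base="):
            # No closing quote required: truncated lines still yield the filter prefix.
            fm = re.search(r'filter="([^"]*)', rest)
            if fm:
                rec["kind"] = "SEARCH"
                rec["filter"] = fm.group(1)
                rec["undefined"] = UNDEFINED_ATTR_RE.findall(fm.group(1))
        elif "RESULT" in rest:
            em = re.search(r"\berr=(\d+)", rest)
            nm = re.search(r"\bnentries=(\d+)", rest)
            tm = re.search(r"\btag=(\d+)", rest)
            rec["err"] = int(em.group(1)) if em else None
            rec["nentries"] = int(nm.group(1)) if nm else None
            if rec["kind"] is None and tm:
                rec["kind"] = TAG_NAMES.get(int(tm.group(1)), "OTHER")
    return dict(ops)


def diagnose(ops):
    """Return one finding string per operation that is suspect.

    A non-zero err is reported as a failure. A search whose filter names
    attributes the server does not know is reported even when err=0, because
    such a search completes "successfully" while matching nothing.
    """
    findings = []
    for (conn, op), rec in sorted(ops.items()):
        where = f"conn={conn} op={op}"
        if rec["err"] not in (None, 0):
            findings.append(f"{where}: {rec['kind']} failed with err={rec['err']}")
            continue
        if rec["undefined"]:
            attrs = ", ".join(sorted(set(rec["undefined"])))
            msg = f"{where}: filter uses attributes unknown to the server schema: {attrs}"
            if rec["nentries"] == 0:
                msg += " (err=0 but nentries=0: the search succeeded and matched nothing)"
            findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_slapd_log(SAMPLE_LOG)):
        print(finding)
```

Run against the sample, the BIND (tag=97) is reported clean and the only finding is for op=2: objectClass and sudoHost are unresolved, which is the schema problem rather than anything to do with the password-policy control. Pointing the script at a live stats log (loglevel stats) gives the same per-operation view for other clients.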