>>> Quanah Gibson-Mount <[email protected]> wrote on 01.11.2022 at 20:54 in message <AA5643E98105A35D696CE959@[192.168.1.15]>:
> --On Tuesday, November 1, 2022 7:16 PM +0000 [email protected] wrote:
>
>> Hi,
>>
>> I am attempting to have SSSD do logins to my OpenLDAP 2.6.3 installation,
>> however, I get "permission denied" when trying to log in because SSSD is
>> asking for a password policy, which the server does not appear to have by
>> default. Notably, we don't really care what "policy" the server will
>> claim to have, because password authentication is delegated via SASL to
>> another server which ensures strong passwords. So I just need something
>> that will "get past" whatever checks SSSD is doing. What LDIF config can
>> I add to my configuration to allow SSSD to let users log in properly?
>
> You could simply load the ppolicy overlay in your configuration so that the
> control is available, regardless of whether you intend to use it.
>
> However, nothing in the log you provided shows there was any issue due to
> SSSD requesting it.
>
> The BIND operation was successful:
>
> Nov 01 18:16:58 ldapserver00 slapd[105481]: conn=2239 op=1 RESULT tag=97
> err=0 qtime=0.000028 etime=0.000136 text=
>
> The SEARCH operation was successful:
>
> Nov 01 18:16:58 ldapserver00 slapd[105481]: conn=2239 op=2 SEARCH RESULT
> tag=101 err=0 qtime=0.000016 etime=0.000326 nentries=0 text=
>
> The biggest issue seems to be that it is configured to send invalid search
> filters, causing ZERO results to be returned (nentries=0 above):
>
> Nov 01 18:16:58 ldapserver00 slapd[105481]: conn=2239 op=2 SRCH
> base="ou=users,dc=clab,dc=lab" scope=2 deref=0
> filter="(&(?objectClass=sudoRole)(|(&(!(?sudoHost=*))(cn=de>
> Nov 01 18:16:58 ldapserver00 slapd[105481]: conn=2239 op=2 SRCH
> attr=objectClass objectClass cn sudoCommand sudoHost sudoUser sudoOption
> sudoRunAs sudoRunAsUser sudoRunAs>
>
> Note that the "sudoRole" objectClass and the "sudoHost" attribute are not
> found. Note that "cn=de>" is not a valid filter.
For some strange reason sssd starts to query the sudo schema, even if it was not configured on the server, typically flooding the logs with invalid requests. I added the schema here, just to silence the errors...

> Regards,
> Quanah
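As an added example, not from the original thread: a cn=config LDIF that does the two things discussed above, loading the ppolicy overlay so that slapd advertises the password policy control, and preparing for the sudo schema so SSSD's sudoRole searches are no longer logged as undefined filters. The module index cn=module{0}, the database DN olcDatabase={1}mdb and the module path are assumptions; take the real values from `slapcat -n0` on your server.

```ldif
# Added example, not from the thread. cn=module{0}, olcDatabase={1}mdb and the
# module path below are assumptions; check "slapcat -n0" for the real values.

# 1. Load the ppolicy overlay module. On OpenLDAP 2.5 and later the overlay
#    carries its own schema, so no ppolicy.ldif needs to be added first.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

# 2. Instantiate the overlay on the user database. No olcPPolicyDefault is
#    set, so no policy is enforced (the original poster does not want one),
#    but slapd now lists the control 1.3.6.1.4.1.42.2.27.8.5.1 in its root DSE
#    and answers it on BIND, which is all SSSD is asking for.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f ppolicy.ldif`, then check `ldapsearch -x -H ldapi:/// -b '' -s base supportedControl` for 1.3.6.1.4.1.42.2.27.8.5.1. For the sudo side, add the schema file your sudo package or distribution ships in olcSchemaConfig form with `ldapadd -Y EXTERNAL -H ldapi:/// -f sudo.ldif` (the file name and location are assumptions). The `?` in front of `objectClass=sudoRole` and `sudoHost` in the SRCH log lines is slapd marking an attribute or objectClass it does not know, not something SSSD sent; once the schema is loaded those markers disappear and the searches can match entries.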
