--utc --date "$1" +%s)/86400))
Thank you
On 12/07/2015 01:20 AM, Lukas Slebodnik wrote:
> On (03/12/15 20:24), Mario Rossi wrote:
>> Hi,
>>
>> We have the need to add password (not account) expiration in ldap and I
>> see that sssd supports pwd policies. What'
dap/sdap.h .
Thank you,
Mario Rossi
___
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
What I've seen in rare cases is that sssd will print on screen when
authenticating with cached credentials something like "User
authenticating with cached credentials" . This would be an indication of
sssd going into offline mode because it cannot contact the ldap server ( for
whatever other reasons
Jakub,
For my production servers I enabled local provider on the customer
facing servers. I have configured an emergency user that will not be
shown in /etc/passwd . In a hosting environment anyone can get a
domain for just a few $$ and this exposes passwd file. If I add the
account to
Wrong password. I have noted your
incompetence in the log. Don't think you're fooling anyone.,
!requiretty, passprompt=LDAP OnePassword for %u:
User hfa-joswel-tehnicom may run the following commands on this host:
(ALL) PASSWD: ALL
On 10/20/2016 07:29 AM, Mario Rossi wrote:
Hi Jakub,
Hi sssd-users list,
I am facing a strange issue on several CentOS servers. It seems that
after a while ( days ) sudo does not work any more for some of my users.
We keep sudo rules in OpenLDAP. If a user uses 'sudo su - ' , he gets
an error message ( "User abc is not allowed to run sudo on
and ssh across thousands of servers. One
could argue that this is a slapd config but it still does not resolve
the above.
Thank you
On 11/30/2016 10:07 AM, Jakub Hrozek wrote:
On Wed, Nov 30, 2016 at 09:41:51AM -0500, Mario Rossi wrote:
Hi,
sss_obfuscate is used locally on servers to replace
Hi,
sss_obfuscate is used locally on servers to replace clear text passwords
in sssd.conf. In our environment we have hundreds of servers and what I
usually do is manually generate the password on a test server. I would
like to automate ldap_default_authtok via a php interface or API. This
Kevin,
I understand your pain, I have the same issue. We have a local emergency
user in /etc/passwd and initially when we deployed servers everything
was good. And then people started to use emergency user on a daily basis
instead of their ldap accounts to bypass any ldap restrictions or
AM, Jakub Hrozek wrote:
On Wed, Nov 30, 2016 at 11:01:51AM -0500, Mario Rossi wrote:
Jakub,
Thank you for the information. We use both Puppet and Ansible to manage our
servers. Let me add more details:
1. An admin will build 10 new servers via cobbler and use puppet to deploy
settings
2
Thanks Michael,
I think this is the way to go - slapd config to allow certain groups to
write to the tree via dn.regex.
Thank you for the link.
Mario
On 11/30/2016 02:50 PM, Michael Ströder wrote:
Mario Rossi wrote:
Thank you for the information. We use both Puppet and Ansible to manage our
On 11/30/2016 02:47 PM, Michael Ströder wrote:
Mario Rossi wrote:
I understand your pain, I have the same issue. We have a local emergency user
in /etc/passwd and initially when we deployed servers everything was good.
And then people started to use emergency user on a daily basis
1. Make
I am also using custom schema and in my case I had to define the
following 2 options for sssd to be able to 'see' them:
ldap_group_member
ldap_user_member_of
I imagine you have specific attributes you need to search/filter which
are != than objectclass ?
Mario
On 12/20/2016 07:10 AM,
Hi,
I pulled the unofficial 1.15.1 el6 sssd and installed it today on a host
where RSA securid is used ( RSA + openldap) . I am trying to log in to
the server and I am getting ( please note pam_unix fails but that's fine
as we use ldap ) :
Mar 9 09:17:38 barni sshd[7597]: error: PAM:
Hi Thomas,
We ran into a similar issue when we used ns(l)cd and kerberos, from time
to time we saw the message after logging in via ssh. Since we migrated
off that solution to sssd+openldap we were not able to reproduce it and
things are stable.
Thank you,
Mario
On 06/19/2017 04:50 PM,
In our environment, regular users authenticate via sssd/ldap, and
emergency user(s) via PAM if/when sssd + RSA securid fails. Still
running sssd 1.14.2 on el6.
Thanks
On 10/16/2017 11:04 AM, hedr...@rutgers.edu wrote:
On certain servers I want IPA authentication but the local user/group
If using own objectclass, I would think you will use custom attributes ?
ldap_group_member = *hMemberDN*
ldap_user_member_of = *description*
Thanks
On 11/02/2017 08:15 AM, Stefan Kania wrote:
Hello,
I would like to change the search-filter for sssd because I created my
own Group-Objectclass,
:13 PM, Asif Iqbal wrote:
On Fri, Oct 27, 2017 at 10:53 AM, Mario Rossi <mro...@hostopia.com> wrote:
What OS are you using ? I am using Centos 6 with RSA ( fixed
password + PIN ) + sssd/ldap auth , so yes, that does give you
BOTH prompts,
My 2c, having two 'Password:' prompts ( RSA + sssd ) will confuse your
users, the easiest would be to configure sd_pam.conf to use a different
prompt for RSA.
$ egrep ^AUTH /etc/sd_pam.conf
AUTH_CHALLENGE_USERNAME_STR=Enter USERNAME :
AUTH_CHALLENGE_RESERVE_REQUEST_STR=Please enter System
rement.
On Thu, Oct 26, 2017 at 8:54 PM, Mario Rossi <mro...@hostopia.com> wrote:
My 2c, having two 'Password:' prompts ( RSA + sssd ) will confuse
your users, the easiest would be to configure sd_pam.conf to use a
different prompt for RSA.
Hi,
Any idea what to look for on this issue ?
Thanks
On 07/24/2018 04:33 PM, Mario Rossi wrote:
Should I sanitize the logs and send them over ?
Thank you
On 07/23/2018 05:26 PM, Mario Rossi wrote:
Hi All!
I am running into an issue where groups cannot be resolved upon
login. All servers
Perhaps this is a caching issue? I do have several domains configured,
and each domain has development-wholesale name with different GID. Is
the domains cache configured/hashed based on the group name ?
Thanks
On 07/23/2018 12:05 PM, Mario Rossi wrote:
I am seeing similar issues on CentOS 7
Hi All!
I am running into an issue where groups cannot be resolved upon login.
All servers on CentOS 6 work fine, so this is isolated to newer sssd
version on CentOS 7.
[user@snoopy ~]$ id
uid=11012(user) *gid=1001* *groups=1001*,10(wheel),1102
[user@snoopy ~]$ getent -s sss passwd user
I am seeing similar issues on CentOS 7, where groups, including primary
group, cannot be looked up. This is really bad when other services
depend on group lookups, for example sshd match group statements for
enabling tcpforwarding which otherwise is disabled globally, iptables
group lookups (
Should I sanitize the logs and send them over ?
Thank you
On 07/23/2018 05:26 PM, Mario Rossi wrote:
Hi All!
I am running into an issue where groups cannot be resolved upon login.
All servers on CentOS 6 work fine, so this is isolated to newer sssd
version on CentOS 7.
[user@snoopy ~]$ id
You could expire the account, and not the password. Not the most elegant
way, but I could not find any other way to implement password expiry. I
did try it a while back on a much older version, so I can't tell if
latest code still supports it. All I needed to have in OpenLDAP is
shadowExpire
Hi sssd users!
I am trying to encrypt a password via sss_obfuscate , but the binary
refuses to work with conf.d/ folder configs
root@sd7[/etc/sssd]# sss_obfuscate -d 'LDAP' -f sssd.conf.se
Enter password:
Re-enter password:
No such domain LDAP
If I append the contents of conf.d/LDAP.conf to
27 matches