I am running into an interesting problem with our LDAP server. It's an old system that has been in place for a long time, and we cannot change the schema. Basically I can't change the LDAP server configuration.

We do not make use of the uidNumber and gidNumber fields in our configuration. I am trying to set up a box for authentication only to the LDAP server. I have set up and configured SSSD and it can talk to the LDAP server. The problem is: (&(uidNumber=*)(!(uidNumber=0)) is included in my search filter (based on the LDAP server logs) and since that attribute is not used in our system, it causes SSSD to not return any entries.

This is the log returned from the LDAP server:

    Nov 11 16:12:00 13.x.x.x dsprd70-acc: [11/Nov/2014:16:11:16 -0600] conn=413208 op=4 msgId=5 - RESULT err=0 tag=101 nentries=0 etime=0 notes=U
    Nov 11 16:12:00 13.x.x.x dsprd70-acc: [11/Nov/2014:16:11:16 -0600] conn=413208 op=4 msgId=5 - SRCH base="ou=people,dc=xxxx,dc=xxx,c=us" scope=2 filter="(&(uid=theuserid)(objectClass=inetOrgPerson)(&(uidNumber=*)(!(uidNumber=0))))" attrs="objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbprincipalname cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krblastpwdchange krbpasswordexpiration pwdAttribute authorizedservice accountexpires useraccountcontrol nsAccountLock host logindisabled loginexpirationtime loginallowedtimemap"

As you can see, it appends the (&(uidNumber=*)(!(uidNumber=0)) to the search filter and it seems to do this no matter what I do. I can use ldapsearch and remove only that part of the filter and I get results. I need a way to tell SSSD to not try and filter the uidNumber attribute for me. Basically I need that to not be in the filter sent to my LDAP server.
Ideas?

sssd.conf:

    [domain/LDAP]
    enumerate = False
    cache_credentials = False
    id_provider = ldap
    auth_provider = ldap
    ldap_uri = ldap://lldapserver:port
    ldap_id_use_start_tls = True
    ldap_tls_reqcert = allow
    ldap_tls_cacertdir = /etc/openldap/cacerts
    ldap_search_base = ou=People,dc=xxxxx,dc=xxxx,c=us
    ldap_default_bind_dn = uid=xxxxx,ou=xxxx,dc=xxxxx,dc=xxxx,c=us
    ldap_schema = rfc2307
    ldap_default_authtok_type = password
    ldap_default_authtok = xxxxxxxx
    ldap_user_object_class = inetOrgPerson
    ldap_search_timeout = 60
    ldap_network_timeout = 60
    debug_level = 4
    min_id = 0

    [sssd]
    services = nss, pam
    config_file_version = 2
    domains = LDAP

    [nss]
    homedir_substring = /home

    [pam]

    [sudo]

    [autofs]

    [ssh]

    [pac]

    [ifp]

sssd-devel mailing list
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
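Added example (not from the poster or the SSSD project): a minimal evaluator for the LDAP filter syntax seen in the access log, showing why an inetOrgPerson entry with no uidNumber attribute can never match SSSD's generated filter while it does match the plain filter. The log line and the entry below are constructed, with the base DN replaced by a placeholder.

```python
import re

# Minimal RFC 4515 filter parser: &, |, !, presence (attr=*) and equality. Added example, not SSSD code.
def parse_filter(s, i=0):
    """Parse one parenthesised filter starting at s[i]; return (node, next_index)."""
    assert s[i] == "("
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1          # skip the closing ')'
    if s[i] == "!":
        node, i = parse_filter(s, i + 1)
        return ("!", [node]), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry: {lowercase attr: [values]}."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                       # presence test: entry has any value for attr
        return bool(values)
    return any(v.lower() == value.lower() for v in values)

def filter_from_log(line):
    """Pull the filter="..." field out of a 389-ds style SRCH access-log line."""
    m = re.search(r'filter="([^"]*)"', line)
    return m.group(1) if m else None

def entry_matches(filter_str, entry):
    node, _ = parse_filter(filter_str)
    return matches(node, entry)

# Constructed inputs mirroring the post: a SRCH log line and a user entry that has no uidNumber.
LOG_LINE = ('conn=413208 op=4 msgId=5 - SRCH base="ou=people,dc=example,c=us" scope=2 '
            'filter="(&(uid=theuserid)(objectClass=inetOrgPerson)(&(uidNumber=*)(!(uidNumber=0))))" '
            'attrs="objectClass uid uidNumber gidNumber"')
SSSD_FILTER = filter_from_log(LOG_LINE)
PLAIN_FILTER = "(&(uid=theuserid)(objectClass=inetOrgPerson))"
ENTRY_NO_UIDNUMBER = {"uid": ["theuserid"], "objectclass": ["top", "person", "inetOrgPerson"]}
```

The presence test (uidNumber=*) is what fails for such an entry; the (!(uidNumber=0)) clause alone would pass, which is why the server answers nentries=0 only when the combined clause is present.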
