Hi! We're running Debian systems with the old sssd 1.2.1 shipped in Debian Squeeze. This works most of the time with getent passwd and getent group together with uncached sudo-ldap data. So the data is in place and can be correctly retrieved by sssd via LDAP.

Since this old sssd version has some problems and does not have SUDO support, we're looking at upgrading to 1.9.4. My colleague prepared back-ported Debian packages of 1.9.4 that I'm testing with. But I'm struggling because groups are not correctly retrieved - see my last attempt at sssd.conf attached.

1. After login, id does not show the user's groups, although the OpenLDAP logs show that group entries are searched and returned to sssd by OpenLDAP's slapd.
2. sudo -l -U username does not work, although the OpenLDAP logs show that sudoRole entries are searched and returned to sssd by OpenLDAP's slapd.

I wonder whether https://fedorahosted.org/sssd/ticket/1664 is relevant in my case, but playing with several values for filter_users_in_groups and enumerate did not help.

Ciao, Michael.
# sssd 1.9.4 configuration
[sssd]
config_file_version = 2
services = nss, pam, sudo
reconnection_retries = 3
try_inotify = true
domains = MY-LDAP, LOCAL
debug_level = 10

[nss]
filter_users = root
filter_groups = root
filter_users_in_groups = false
entry_cache_timeout = 600
entry_cache_nowait_timeout = 300

[pam]
offline_credentials_expiration = 0
offline_failed_login_attempts = 0

[sudo]
sudo_timed = false

[domain/LOCAL]
id_provider = local
auth_provider = local
sudo_provider = local

[domain/MY-LDAP]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
min_id = 1000
enumerate = true
cache_credentials = true
account_cache_expiration = 0
ldap_group_search_base = ou=groups,o=Example
ldap_sudo_search_base = ou=sudo,o=Example
ldap_search_base = o=Example
ldap_schema = rfc2307bis
ldap_user_uuid = entryUUID
ldap_group_uuid = entryUUID
ldap_user_member_of = memberOf
ldap_group_member = member
ldap_group_nesting_level = 0
# LDAP URL for contacting load-balancer address
ldap_uri = ldaps://ldap.example.com
ldap_default_bind_dn = cn=server1,ou=hosts,o=Example
ldap_default_authtok = *password*
ldap_pwd_policy = none
ldap_referrals = false
ldap_sudo_use_host_filter = false
# the tls_reqcert option has to be 'allow' if you want to use self signed certs
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/my_cacerts.crt
sssd-users mailing list: https://lists.fedorahosted.org/mailman/listinfo/sssd-users
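The sssd.conf above carries a few settings worth a second look before it goes to production, regardless of the group-lookup problem: ldap_tls_reqcert = allow means the LDAPS server certificate is not verified, a cleartext bind password sits in the file, debug_level = 10 is very verbose, and ldap_group_nesting_level = 0 only resolves direct group members under rfc2307bis. The following audit script is an added example, not part of the post or of sssd; it parses a constructed excerpt of the poster's configuration with Python's configparser (sssd.conf is INI-style) and reports those findings. The thresholds and messages are my own choices.

```python
"""Audit an sssd.conf for settings that weaken LDAP security or group lookup."""
import configparser

# Constructed sample: the relevant parts of the poster's sssd.conf, trimmed.
SAMPLE_CONF = """
[sssd]
services = nss, pam, sudo
domains = MY-LDAP, LOCAL
debug_level = 10

[domain/MY-LDAP]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_schema = rfc2307bis
ldap_group_nesting_level = 0
ldap_default_bind_dn = cn=server1,ou=hosts,o=Example
ldap_default_authtok = *password*
ldap_tls_reqcert = allow
ldap_tls_cacert = /etc/my_cacerts.crt
"""


def audit_sssd_conf(text):
    """Return a list of (section, option, message) findings for an sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None)  # values like *password* contain no % escapes
    cp.read_string(text)
    findings = []
    for sec in cp.sections():
        if not sec.startswith("domain/") or cp[sec].get("id_provider") != "ldap":
            continue
        d = cp[sec]
        # 'never' and 'allow' accept any server certificate, so ldaps:// gives no
        # protection against a spoofed directory server; 'demand' (or 'hard') verifies it.
        if d.get("ldap_tls_reqcert", "hard").lower() in ("never", "allow"):
            findings.append((sec, "ldap_tls_reqcert", "server certificate not verified; use demand"))
        # A cleartext bind password in the file: the file must be readable by root only.
        if d.get("ldap_default_authtok") and d.get("ldap_default_authtok_type", "password") == "password":
            findings.append((sec, "ldap_default_authtok", "cleartext bind password stored in config"))
        # With rfc2307bis and nesting level 0, members of nested groups are not resolved.
        if d.get("ldap_schema") == "rfc2307bis" and d.get("ldap_group_nesting_level") == "0":
            findings.append((sec, "ldap_group_nesting_level", "nested group membership not resolved"))
    # Old-style levels 0-9 or a hex bitmask; int(x, 0) accepts both.
    level = int(cp.get("sssd", "debug_level", fallback="0"), 0)
    if level >= 9:
        findings.append(("sssd", "debug_level", "verbose logging may expose directory data"))
    return findings


if __name__ == "__main__":
    for section, option, message in audit_sssd_conf(SAMPLE_CONF):
        print(f"[{section}] {option}: {message}")
```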
