Hi,

I'm using sssd with an LDAP backend / domain. I wonder if there is a way to influence the attributes which are queried by sssd? Like not just the mapping, but which attributes are OK to be queried and which attributes should not be? I have some cloud servers which are accessing our internal directory via slapd (proxy).

I have two questions re this:

1. I use "services: nss,pam", so why is sssd querying sudoers information via the ldap domain, like:

   ldap filter used by sssd:
   "(&(?objectClass=sudoRole)(|(!(?sudoHost=*))(?sudoHost=ALL)(?sudoHost=ip-xx-xx-xx-xx)(?sudoHost=ip-xx-xx-xx-xx)(?sudoHost=xx.xx.xx.xx)(?sudoHost=xx.xx.xx.xx/xx)?sudoHost=+*)(|(?sudoHost=*\5C*)(?sudoHost=*?*)(?sudoHost=*\2A*)(?sudoHost=*[*]*))))"

2. I would also like to modify the attributes which are queried by sssd. I would like sssd NOT to query "userPassword", for example. A lot of other attributes which are queried are not relevant in my environment either, e.g. the "krb*" attributes.

   ldap attributes queried by sssd:
   objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn GroupMembership modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host rhost loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey userCertificate;binary mail

Is it possible to influence this behavior somehow? I tried user_attributes in the domain section as well as in the nss section without success, e.g. "user_attributes = -userPassword".

Any help or clarifying words are appreciated.

Have a great day,
M
