Not sure if it helps with the attribute query use case but perhaps incorporating attribute=value directives in the base, or user search base directives:

ldap_user_search_base = ou=users,dc=example,dc=com?onelevel?someAttribute=*

-- lawrence

On Tue, Mar 26, 2019 at 11:45 AM Lukas Slebodnik <[email protected]> wrote:
> On (26/03/19 14:21), Martin Hansen wrote:
> >Hi,
> >
> >I'm using sssd with LDAP backend / domain. I wonder if there is a way to
> >influence the attributes which are queried by sssd? Like not just the
> >mapping but which attributes are ok to be queried and which attributes
> >should not? I have some cloud servers which are accessing our internal
> >directory via slapd (proxy).
> >
> >I have two questions re this:
> >
> >1. I use "services: nss,pam", so why is sssd querying sudoers information
> >via the ldap domain like:
> >
> >ldap filter used by sssd:
> >"(&(?objectClass=sudoRole)(|(!(?sudoHost=*))(?sudoHost=ALL)(?sudoHost=ip-xx-xx-xx-xx)(?sudoHost=ip-xx-xx-xx-xx)(?sudoHost=xx.xx.xx.xx)(?sudoHost=xx.xx.xx.xx/xx)?sudoHost=+*)(|(?sudoHost=*\5C*)(?sudoHost=*?*)(?sudoHost=*\2A*)(?sudoHost=*[*]*))))"
> >
>
> Previously, there was some heuristic when sudo provider was enabled.
>
> man sssd.conf says:
>     sudo_provider (string)
>         The SUDO provider used for the domain. Supported SUDO providers are:
>
>         “ldap” for rules stored in LDAP. See sssd-ldap(5) for more
>         information on configuring LDAP.
>
>         “ipa” the same as “ldap” but with IPA default settings.
>
>         “ad” the same as “ldap” but with AD default settings.
>
>         “none” disables SUDO explicitly.
>
>         Default: The value of “id_provider” is used if it is set.
>
>         The detailed instructions for configuration of sudo_provider are in
>         the manual page sssd-sudo(5). There are many configuration options
>         that can be used to adjust the behavior. Please refer to
>         "ldap_sudo_*" in sssd-ldap(5).
>
>         NOTE: Sudo rules are periodically downloaded in the background
>         unless the sudo provider is explicitly disabled. Set sudo_provider
>         = None to disable all sudo-related activity in SSSD if you do not
>         want to use sudo with SSSD at all.
>
> Just disable sudo provider and such queries will be gone.
>
> >2. I as well would like to modify the attributes which are queried by
> >sssd. I would like sssd NOT to query "userPassword" for example. A lot of
> >other attributes which are queried are not relevant in my environment as
> >well, e.g. the "krb*" attributes.
> >
> >ldap attributes queried by sssd:
> >objectClass uid userPassword uidNumber gidNumber gecos homeDirectory
> >loginShell krbPrincipalName cn GroupMembership modifyTimestamp
> >modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning
> >shadowInactive shadowExpire shadowFlag krbLastPwdChange
> >krbPasswordExpiration pwdAttribute authorizedService accountExpires
> >userAccountControl nsAccountLock host rhost loginDisabled
> >loginExpirationTime loginAllowedTimeMap sshPublicKey userCertificate;binary
> >mail
> >
> >Is it possible to influence this behavior somehow? I tried
> >user_attributes in the domain section as well as in the nss section without
> >success, e.g. "user_attributes = -userPassword".
> >
> >Any help or clarifying words are appreciated, have a great day
> >
>
> krb* related options should be checked just for `auth_provider = krb5`
>
> You did not share your sssd.conf but you might override some attributes
> in sssd.conf (check man page sssd-ldap)
>
> LS
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]

--
Lawrence Kearney
e: [email protected]
t: +001 706.951.6257
w: www.lawrencekearney.com
l: www.linkedin.com/in/lawrencekearney
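Putting the two replies above together as one sssd.conf domain section. This is an added example, not configuration posted in the thread or shipped by the SSSD project; the domain name, the proxy hostname and the ou=users / ou=groups bases are assumptions. It shows the two controls the thread points at: sudo_provider = none for the stray sudoRole searches (services= only selects which responders run, so the default sudo provider still follows id_provider), and the extended base?scope?filter form of ldap_user_search_base from sssd-ldap(5), with the filter written as a parenthesised RFC 2254 filter as the man page requires.

```ini
# /etc/sssd/sssd.conf (constructed example; DNs and hostnames are assumptions)
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap-proxy.example.com
ldap_search_base = dc=example,dc=com

# Question 1: sudo_provider defaults to the value of id_provider, so the
# LDAP sudo provider refreshes sudoRole entries in the background even
# though "sudo" is not listed in services. Disable it explicitly.
sudo_provider = none

# Question 2 (partial): the extended search base syntax from sssd-ldap(5),
#   search_base?scope?(filter)
# scope is base, onelevel or subtree; the filter must be a complete LDAP
# filter including its parentheses. This narrows which entries the proxy
# returns; it does not change the attribute list sssd requests.
ldap_user_search_base = ou=users,dc=example,dc=com?onelevel?(objectClass=posixAccount)
ldap_group_search_base = ou=groups,dc=example,dc=com?onelevel?(objectClass=posixGroup)

# The ldap_user_* / ldap_group_* options in sssd-ldap(5) change which LDAP
# attribute sssd reads for each internal field (e.g. ldap_user_ssh_public_key,
# ldap_user_email). They rename the requested attribute; the thread shows no
# option that drops an attribute from the request outright.
```

After editing, restart sssd (`systemctl restart sssd`) and keep watching the proxy's slapd stats log as the original poster did: with sudo_provider = none the `(objectClass=sudoRole)` searches should no longer appear, and user lookups should arrive with base `ou=users,dc=example,dc=com`, scope one and the filter above combined with sssd's own name/uid filter.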
