Hi, 

thank you both very much! 

re 1. I did set "sudo_provider = none" which works indeed, so I got rid of some 
LDAP queries, thanks heaps for the hint!! 

2. I also tried the idea with the ldap_user_search_base to get rid of the 
queried attribute userPassword, but that just modifies the LDAP search filter, 
so it doesn't help.

Is it that a standard set of attributes is queried by sssd which cannot be 
changed/modified?
(Besides the fact that some attribute names could be "rewritten/mapped").
I couldn't find a way to exclude some of the queried attributes, what am I 
missing?

Relevant lines from /etc/nsswitch.conf: 

passwd:     files sss
group:      files sss

my present sssd.conf: 

[pam]
pam_verbosity = 3

[nss]
filter_users = root
filter_groups = root
reconnection_retries = 3
entry_cache_nowait_percentage = 75

[domain/files]
debug_level = 5
id_provider = files

[domain/LDAP]
debug_level = 5
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = none
sudo_provider = none
selinux_provider = none
subdomains_provider = none
session_provider = none
autofs_provider = none
hostid_provider = none

entry_cache_timeout = 5400
cache_credentials = false

ldap_uri = ldaps://xx.xx.xx.xx:636/
ldap_tls_cacert = /etc/ca_certs.crt
ldap_tls_reqcert = hard
ldap_schema = rfc2307bis
ldap_default_bind_dn = cn=xxxx,ou=Users,....
ldap_default_authtok = *****

ldap_search_base = ou=Users,....
ldap_user_member_of = GroupMembership

ldap_group_search_base = ou=Groups,....
ldap_group_object_class = posixGroup
ldap_group_name = cn
ldap_group_number = gidNumber
ldap_group_member = member

ldap_access_filter = (|(memberOf=XXX,ou=XX,ou=XXX...))
_______________________________________________
sssd-users mailing list -- [email protected]