Tory,
Some of the directives specified seem unnecessary. For example, since you're
using an ldaps URI there's no need to implement TLS directives, and since
the LDAP backend is AD many of the attribute mappings are likely
unnecessary as well, unless there's something we don't understand at play.
Perhaps simplify the config first.

I would try the following and test.

# ldap_id_use_start_tls = true
# ldap_service_port = 636
ldap_tls_reqcert = allow
ldap_force_upper_case_realm = true
ldap_uri = ldaps://aadds.com
ldap_search_base = dc=aadds,dc=com
# ldap_user_object_class = posixAccount
ldap_default_bind_dn = aadds\sssd
ldap_default_authtok_type = password
ldap_default_authtok = somearbitrarycrap
ldap_tls_cacertdir = /etc/openldap/cacerts


# Unix to AD attribute mapping
ldap_schema = ad
# ldap_schema = rfc2307
# ldap_user_object_class = person
# ldap_group_object_class = group
# ldap_user_home_directory = unixHomeDirectory

# ldap_user_modify_timestamp = whenChanged
# ldap_user_principal = userPrincipalName
# ldap_user_name = sAMAccountName
# ldap_user_gecos = displayName
# ldap_user_uid_number = uidNumber
# ldap_user_gid_number = gidNumber
# ldap_user_shell = loginShell
# ldap_group_name = uniqueMember

-- lawrence
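
As an added illustration of the checks in this reply (not code from the thread or from the SSSD project), the Python script below reads an sssd.conf `[domain/...]` section and flags three things: `ldap_id_use_start_tls` set while every `ldap_uri` is already `ldaps://`, attribute mappings that merely restate (or silently override) the `ldap_schema = ad` defaults, and, as a caveat the simplified config above still carries, `ldap_tls_reqcert = allow`, which lets the session proceed even when the server presents a bad certificate. The two embedded configs are reconstructed from the snippets in this thread (section header added, bind password is the thread's placeholder); the AD default table is my reading of sssd-ldap(5) and should be verified against the man page of the installed sssd version.

```python
"""Lint an sssd.conf [domain/...] section for the issues discussed above.

Added example, not code from the thread or from the SSSD project. The AD
schema defaults are an assumption taken from sssd-ldap(5); verify them
against the installed version before trusting a finding.
"""
import configparser
import re
from typing import Dict, List

# Mappings that ldap_schema = ad already supplies (assumed defaults, see above).
AD_SCHEMA_DEFAULTS: Dict[str, str] = {
    "ldap_user_object_class": "user",
    "ldap_user_name": "sAMAccountName",
    "ldap_user_uid_number": "uidNumber",
    "ldap_user_gid_number": "gidNumber",
    "ldap_user_gecos": "displayName",
    "ldap_user_home_directory": "unixHomeDirectory",
    "ldap_user_shell": "loginShell",
    "ldap_user_principal": "userPrincipalName",
    "ldap_user_modify_timestamp": "whenChanged",
    "ldap_group_object_class": "group",
    "ldap_group_name": "name",
}

# Reconstructed from the thread (header added; authtok is the thread's placeholder).
ORIGINAL_CONF = r"""
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_id_use_start_tls = true
ldap_tls_reqcert = allow
ldap_uri = ldaps://aadds.com
ldap_search_base = dc=aadds,dc=com
ldap_user_object_class = posixAccount
ldap_default_bind_dn = aadds\sssd
ldap_default_authtok = somearbitrarycrap
ldap_schema = rfc2307bis
ldap_user_object_class = person
ldap_user_name = sAMAccountName
ldap_group_name = uniqueMember
"""

SIMPLIFIED_CONF = r"""
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
# ldap_id_use_start_tls = true
ldap_tls_reqcert = allow
ldap_uri = ldaps://aadds.com
ldap_search_base = dc=aadds,dc=com
ldap_default_bind_dn = aadds\sssd
ldap_default_authtok = somearbitrarycrap
ldap_schema = ad
"""


def lint_domain(conf_text: str, section: str = "domain/LDAP") -> List[str]:
    """Return findings for one domain section; an empty list means nothing flagged."""
    # strict=False tolerates the duplicated ldap_user_object_class key (last one wins).
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    dom = cp[section]
    findings: List[str] = []

    uris = [u for u in re.split(r"[,\s]+", dom.get("ldap_uri", "")) if u]
    all_ldaps = bool(uris) and all(u.lower().startswith("ldaps://") for u in uris)

    # 1. STARTTLS on top of an ldaps:// URI: the channel is already TLS.
    if all_ldaps and dom.getboolean("ldap_id_use_start_tls", fallback=False):
        findings.append("ldap_id_use_start_tls is redundant: every ldap_uri is already ldaps://")

    # 2. allow/never let the session continue on a bad certificate, so TLS hides
    #    the bind password from the wire but does not prove who the server is.
    reqcert = dom.get("ldap_tls_reqcert", "hard").strip().lower()
    if reqcert in ("allow", "never"):
        findings.append(f"ldap_tls_reqcert = {reqcert}: server certificate not verified; "
                        "use demand/hard with ldap_tls_cacert pointing at the issuing CA")

    # 3. With ldap_schema = ad, a mapping equal to the default is noise and one
    #    that differs deserves a second look before it is kept.
    if dom.get("ldap_schema", "").strip().lower() == "ad":
        for key, default in AD_SCHEMA_DEFAULTS.items():
            value = dom.get(key)
            if value is None:
                continue
            if value.strip() == default:
                findings.append(f"{key} = {default} restates the ldap_schema = ad default")
            else:
                findings.append(f"{key} = {value.strip()} overrides the ldap_schema = ad default ({default})")
    return findings


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_CONF), ("simplified", SIMPLIFIED_CONF)):
        print(f"== {name} ==")
        for finding in lint_domain(text):
            print(" -", finding)
```

Run against the original config it reports the redundant STARTTLS setting and the `allow` certificate policy; against the simplified one only the certificate policy remains, which is the one item worth tightening once lookups work.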

On Thu, Oct 22, 2020, 2:54 AM Tory M Blue <[email protected]> wrote:

> I've got SSSD working locally via AD for unix account authentication;
> however, we are joining a new mother ship and we are not on their LAN and
> thus don't have access to their AD network.
>
> They set up an LDAPS configuration and while I can query it via ldapsearch,
> I can't get sssd to find anything. Neither getent nor id returns anything, but I
> see the requests in the sssd_domain.log. I'm sure I'm tripping up trying to
> refactor my AD config to work in the new LDAPS environment.
>
> I understand my ldapsearch is doing a full-blown query list and obviously
> if I give it a filter of my user, for example, I get all my data (sssd
> doesn't need all that data but I need something).
>
> I've spent a week banging my head and searching and trying different
> examples and really failing :)
>
> So any assistance would be appreciated. I've tried the search, trial and
> error, read and figured I've exhausted my understanding and exhausted my
> attempts at copying others' configurations and now I'm just running in
> circles.
>
> Thanks in advance.
>
> So basic data:
>
> CentOS 7
> sssd 1.16.4
> LDAPS endpoint on a windows AD domain.
>
> sssd.conf
>
> [domain/LDAP]
>
> # Return debug level to 0 once working
> debug_level = 9
>
> default_domain_suffix = aads.com
> enumerate = false
> cache_credentials = false
> id_provider = ldap
> auth_provider = ldap
> #access_provider = ldap
> sudo_provider = ldap
> chpass_provider = ldap
>
> # timing config
> entry_cache_timeout = 10
> # entry_cache_nowait_timeout = 10
> # entry_cache_nowait_percentage = 10
>
> #use_fully_qualified_names = true
> ldap_id_use_start_tls = true
> ldap_service_port = 636
> ldap_tls_reqcert = allow
> ldap_force_upper_case_realm = true
> ldap_uri = ldaps://aadds.com
> ldap_search_base = dc=aadds,dc=com
> ldap_user_object_class = posixAccount
> ldap_default_bind_dn = aadds\sssd
> ldap_default_authtok_type = password
> ldap_default_authtok = somearbitrarycrap
> ldap_tls_cacertdir = /etc/openldap/cacerts
>
>
> # Unix to AD attribute mapping
> ldap_schema = rfc2307bis
> #ldap_schema = rfc2307
> ldap_user_object_class = person
> ldap_group_object_class = group
> ldap_user_home_directory = unixHomeDirectory
>
> ldap_user_modify_timestamp = whenChanged
> ldap_user_principal = userPrincipalName
> ldap_user_name = sAMAccountName
> ldap_user_gecos = displayName
> ldap_user_uid_number = uidNumber
> ldap_user_gid_number = gidNumber
> ldap_user_shell = loginShell
> ldap_group_name = uniqueMember
>
> Some data has been secured.
>
> #> ldapsearch -v -x -D AADDS\\sssd -b "dc=aadds,dc=com" -H ldaps://aadds.com -W "(cn=tory blue)"
> ldap_initialize( ldaps://aadds.com:636/??base )
> Enter LDAP Password:
> filter: (cn=tory blue)
> requesting: All userApplication attributes
> # extended LDIF
> #
> # LDAPv3
> # base <dc=aadds,dc=com> with scope subtree
> # filter: (cn=tory blue)
> # requesting: ALL
> #
>
> # Tory Blue, AA Users, aadds.com
> <bunch of data pertaining to my user deleted>
>
> #> id [email protected]
> #> id tory.blue
> #>
>
> sssd debug:
>
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sbus_get_sender_id_send]
> (0x2000): Not a sysbus message, quit
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_get_account_info_handler]
> (0x0200): Got request for [0x1][BE_REQ_USER][[email protected]]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): DP
> Request [Account #8]: New request. Flags [0x0001].
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_attach_req] (0x0400):
> Number of active DP request: 1
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sss_domain_get_state]
> (0x1000): Domain LDAP is Active
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_id_op_connect_step]
> (0x4000): reusing cached connection
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_search_user_next_base]
> (0x0400): Searching for users with base [dc=aadds,dc=com]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_print_server] (0x2000):
> Searching SECURED:636
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x0400): calling ldap_search_ext with [(&(|(userPrincipalName=[email protected])([email protected]))(objectclass=person)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=aadds,dc=com].
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [objectClass]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [sAMAccountName]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [userPassword]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [uidNumber]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [gidNumber]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [displayName]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [unixHomeDirectory]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [loginShell]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [userPrincipalName]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [cn]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [memberOf]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [whenChanged]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [uSNChanged]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [shadowLastChange]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [shadowMin]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [shadowMax]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [shadowWarning]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [shadowInactive]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [shadowExpire]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [shadowFlag]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [krbLastPwdChange]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [krbPasswordExpiration]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [pwdAttribute]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [authorizedService]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [accountExpires]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [userAccountControl]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [nsAccountLock]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [host]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [rhost]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [loginDisabled]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [loginExpirationTime]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [loginAllowedTimeMap]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [sshPublicKey]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [userCertificate;binary]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x1000): Requesting attrs: [mail]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step]
> (0x2000): ldap_search_ext called, msgid = 18
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_op_add] (0x2000): New
> operation 18 timeout 6
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result]
> (0x2000): Trace: sh[0x562321c0f030], connected[1], ops[0x562321d75590],
> ldap[0x562321bf7400]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_message]
> (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]]
> [sdap_get_generic_ext_add_references] (0x1000): Additional References:
> ldaps://ForestDnsZones.aadds.com/DC=ForestDnsZones,DC=aadds,DC=com
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result]
> (0x2000): Trace: sh[0x562321c0f030], connected[1], ops[0x562321d75590],
> ldap[0x562321bf7400]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_message]
> (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]]
> [sdap_get_generic_ext_add_references] (0x1000): Additional References:
> ldaps://DomainDnsZones.aadds.com/DC=DomainDnsZones,DC=aadds,DC=com
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result]
> (0x2000): Trace: sh[0x562321c0f030], connected[1], ops[0x562321d75590],
> ldap[0x562321bf7400]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_message]
> (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]]
> [sdap_get_generic_ext_add_references] (0x1000): Additional References:
> ldaps://aadds.com/CN=Configuration,DC=aadds,DC=com
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result]
> (0x2000): Trace: sh[0x562321c0f030], connected[1], ops[0x562321d75590],
> ldap[0x562321bf7400]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result]
> (0x2000): Trace: end of ldap_result list
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result]
> (0x2000): Trace: sh[0x562321c0f030], connected[1], ops[0x562321d75590],
> ldap[0x562321bf7400]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_message]
> (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]]
> [sdap_get_generic_ext_add_references] (0x1000): Additional References:
> ldaps://aadds.com/CN=Schema,CN=Configuration,DC=aadds,DC=com
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result]
> (0x2000): Trace: sh[0x562321c0f030], connected[1], ops[0x562321d75590],
> ldap[0x562321bf7400]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result]
> (0x2000): Trace: end of ldap_result list
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result]
> (0x2000): Trace: sh[0x562321c0f030], connected[1], ops[0x562321d75590],
> ldap[0x562321bf7400]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_message]
> (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_op_finished]
> (0x0400): Search result: Success(0), no errmsg set
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_op_destructor] (0x2000):
> Operation 18 finished
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [generic_ext_search_handler]
> (0x4000): Request included referrals which were ignored.
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [generic_ext_search_handler]
> (0x4000):     Ref: ldaps://ForestDnsZones.aadds.com/DC=ForestDnsZones,DC=aadds,DC=com
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [generic_ext_search_handler]
> (0x4000):     Ref: ldaps://DomainDnsZones.aadds.com/DC=DomainDnsZones,DC=aadds,DC=com
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [generic_ext_search_handler]
> (0x4000):     Ref: ldaps://aadds.com/CN=Configuration,DC=aadds,DC=com
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [generic_ext_search_handler]
> (0x4000):     Ref: ldaps://aadds.com/CN=Schema,CN=Configuration,DC=aadds,DC=com
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_search_user_process]
> (0x0400): Search for users, returned 0 results.
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_search_user_process]
> (0x2000): Retrieved total 0 users
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_id_op_done] (0x4000):
> releasing operation connection
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed
> event "ltdb_callback": 0x562321d71d00
>
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed
> event "ltdb_timeout": 0x562321d71dd0
>
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Running timer
> event 0x562321d71d00 "ltdb_callback"
>
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Destroying
> timer event 0x562321d71dd0 "ltdb_timeout"
>
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Destroying
> timer event 0x562321d71d00 "ltdb_callback"
>
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sysdb_search_by_name]
> (0x0400): No such entry
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sysdb_cache_search_groups]
> (0x2000): Search groups with filter: (&(objectCategory=group)(ghost=[email protected]))
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed
> event "ltdb_callback": 0x562321d711a0
>
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed
> event "ltdb_timeout": 0x562321c1c0e0
>
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Running timer
> event 0x562321d711a0 "ltdb_callback"
>
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Destroying
> timer event 0x562321c1c0e0 "ltdb_timeout"
>
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Destroying
> timer event 0x562321d711a0 "ltdb_callback"
>
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sysdb_cache_search_groups]
> (0x2000): No such entry
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sysdb_delete_user] (0x0400):
> Error: 2 (No such file or directory)
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_req_done] (0x0400): DP
> Request [Account #8]: Request handler finished [0]: Success
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP
> Request [Account #8]: Receiving request data.
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_req_reply_list_success]
> (0x0400): DP Request [Account #8]: Finished. Success.
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_req_reply_std] (0x1000):
> DP Request [Account #8]: Returning [Success]: 0,0,Success
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_table_value_destructor]
> (0x0400): Removing [0:1:0x0001:1:U:LDAP:[email protected]] from
> reply table
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400):
> DP Request [Account #8]: Request removed.
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400):
> Number of active DP request: 0
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result]
> (0x2000): Trace: sh[0x562321c0f030], connected[1], ops[(nil)],
> ldap[0x562321bf7400]
> (Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result]
> (0x2000): Trace: end of ldap_result list
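The debug log quoted above shows exactly what sssd asked the server: a filter that, besides matching the name, requires `(sAMAccountName=*)` and `(&(uidNumber=*)(!(uidNumber=0)))`, and a result of 0 entries. As an added example (not code from the thread or from the SSSD project), the script below pulls the `calling ldap_search_ext with [FILTER][BASE]` and `returned N results` messages out of such a log, decodes the RFC 4515 filter, and lists what an entry must carry to be returned, then builds the equivalent `ldapsearch` invocation so the same query can be reproduced by hand. The sample log is constructed with placeholder values; the archive redacted the attribute name of the second OR branch, so `sAMAccountName` stands in for it here as an assumption.

```python
"""Explain which entries an sssd user lookup can actually return.

Added example, not from the original thread. The sample log below is
constructed (one message per line, as in the real log file; values are
placeholders; sAMAccountName in the second OR branch is an assumption).
"""
import re
from typing import Any, Dict, List, Optional, Tuple

SAMPLE_LOG = """\
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=example,dc=test]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(userPrincipalName=user@example.test)(sAMAccountName=user@example.test))(objectclass=person)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=example,dc=test].
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
"""

SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(.+)\]\[([^\]]*)\]")
RESULT_RE = re.compile(r"returned (\d+) results")
LEAF_RE = re.compile(r"^([^=<>~]+)([<>~]?=)(.*)$")

# Node shapes: ("&"|"|", [children]) | ("!", [child]) | ("=", attr, op, value)
Node = Tuple


def parse_filter(s: str, pos: int = 0) -> Tuple[Node, int]:
    """Recursive-descent parser for an RFC 4515 filter; values must use RFC escaping."""
    if s[pos] != "(":
        raise ValueError(f"expected '(' at {pos}")
    pos += 1
    op = s[pos]
    if op in ("&", "|"):
        pos += 1
        children: List[Node] = []
        while s[pos] == "(":
            child, pos = parse_filter(s, pos)
            children.append(child)
        if s[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        return (op, children), pos + 1
    if op == "!":
        child, pos = parse_filter(s, pos + 1)
        if s[pos] != ")":
            raise ValueError(f"expected ')' at {pos}")
        return ("!", [child]), pos + 1
    end = s.index(")", pos)  # a literal ')' inside a value is escaped as \29
    m = LEAF_RE.match(s[pos:end])
    if not m:
        raise ValueError(f"bad leaf {s[pos:end]!r}")
    return ("=", m.group(1), m.group(2), m.group(3)), end + 1


def requirements(node: Node, req: Optional[Dict[str, list]] = None) -> Dict[str, list]:
    """Flatten the conjunctive part of a filter into what an entry must satisfy."""
    if req is None:
        req = {"must_have": [], "must_equal": [], "must_not": [], "any_of": []}
    kind = node[0]
    if kind == "&":
        for child in node[1]:
            requirements(child, req)
    elif kind == "|":  # only leaf alternatives are listed; nested ORs are rare in sssd filters
        req["any_of"].append([(c[1], c[3]) for c in node[1] if c[0] == "="])
    elif kind == "!":
        child = node[1][0]
        if child[0] == "=":
            req["must_not"].append((child[1], child[3]))
    else:
        _, attr, _, value = node
        if value == "*":
            req["must_have"].append(attr)   # presence test: attribute must be set
        else:
            req["must_equal"].append((attr, value))
    return req


def explain_lookup(log_text: str) -> Dict[str, Any]:
    """Extract the search sssd issued and how many entries came back."""
    info: Dict[str, Any] = {}
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            info["filter"], info["base"] = m.group(1), m.group(2)
            info["requirements"] = requirements(parse_filter(info["filter"])[0])
        m = RESULT_RE.search(line)
        if m:
            info["results"] = int(m.group(1))
    return info


def ldapsearch_argv(uri: str, bind_dn: str, info: Dict[str, Any]) -> List[str]:
    """Equivalent ldapsearch command (argv list) to reproduce the lookup by hand."""
    attrs = ["dn"] + info["requirements"]["must_have"]
    return ["ldapsearch", "-x", "-W", "-H", uri, "-D", bind_dn,
            "-b", info["base"], info["filter"]] + attrs


if __name__ == "__main__":
    found = explain_lookup(SAMPLE_LOG)
    print("base:", found["base"], "results:", found["results"])
    for key, items in found["requirements"].items():
        print(f"{key}: {items}")
    print(" ".join(ldapsearch_argv("ldaps://ldap.example.test", "EXAMPLE\\svc", found)))
```

For the thread's filter the `must_have` list comes out as `sAMAccountName` and `uidNumber`: an entry that a plain `(cn=...)` search finds but that has no `uidNumber` (or has it set to 0) will never be returned by this lookup, so running the printed `ldapsearch` command with the exact filter sssd used is the quickest way to confirm whether the directory actually carries the POSIX attributes the schema mapping expects.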
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
