On Fri, Jan 08, 2021 at 02:15:14PM -0500, Lawrence Kearney wrote:
> SSSD team,
> Hello! I'm a bit perplexed on how to validate and test data read by the
> Dbus/IFP responder. I'd like to better understand the cache aspects and how
> to validate that non-default whitelisted attributes are in fact exposed.
> I'm using the AD provider against a 2012 R2 back end.
>
> [sssd]
> config_file_version = 2
> services = nss,pam,pac,ifp
> domains = dvc.darkvixen.com
>
> [nss]
> reconnection_retries = 3
> filter_users = root,bin,daemon,games,gdm,lp,nobody,openslp,rpc,statd
> filter_groups = root,bin,daemon,sys,disk,lp,audio,floppy,cdrom,video,games
>
> [pam]
>
> [pac]
>
> [ifp]
> allowed_uids = root,wwwrun,sssd
> user_attributes = +mail,+department,+telephoneNumber,-gecos
>
> [domain/dvc.darkvixen.com]
> id_provider = ad
>
> enumerate = false
> cache_credentials = true
> case_sensitive = false
>
> override_homedir = /home/%u
> override_shell = /bin/bash
> override_gid = 1727401607
>
> ldap_user_extra_attrs = mail,department,telephoneNumber
>
>

Hi,

the tools below only work with default attributes.

> Output from sssctl:
>
> # sssctl user-show msteele
>
> Name: msteele
> Cache entry creation date: 01/08/21 10:14:35
> Cache entry last update time: 01/08/21 14:04:18
> Cache entry expiration time: 01/08/21 15:34:18
> Initgroups expiration time: 01/08/21 15:34:18
> Cached in InfoPipe: No
  ^^^^^^

'Cached' here has a special meaning as described in
https://sssd.io/docs/design_pages/dbus_cached_objects.html and is not
related to SSSD's on-disk cache where user and group data is stored.

>
> # sssctl user-checks msteele
>
> user: msteele
> action: acct
> service: system-auth
>
> SSSD nss user lookup result:
> - user name: msteele
> - user id: 1727401116
> - group id: 1727401607
> - gecos: Ming Steele
> - home directory: /home/msteele
> - shell: /bin/bash
>
> SSSD InfoPipe user lookup result:
> - name: msteele
> - uidNumber: 1727401116
> - gidNumber: 1727400513
> - gecos:
> - homeDirectory: /home/msteele
> - loginShell: /bin/bash

Here only the default attributes are shown.

>
> testing pam_acct_mgmt
>
> pam_acct_mgmt: Success
>
> PAM Environment:
> - no env -
>
> Should the attributes in fact be cached and displayed?

To check for additional attributes you can e.g. use:

    dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr string:"msteele" array:string:mail,department,telephoneNumber

HTH

bye,
Sumit

>
> Packages installed:
>
> # rpm -qa | grep sss
>
> python-sssdconfig-1.16.5-10.el7_9.5.noarch
> sssd-client-1.16.5-10.el7_9.5.armv7hl
> libsss_autofs-1.16.5-10.el7_9.5.armv7hl
> sssd-common-1.16.5-10.el7_9.5.armv7hl
> libsss_simpleifp-1.16.5-10.el7_9.5.armv7hl
> sssd-ad-1.16.5-10.el7_9.5.armv7hl
> libsss_idmap-1.16.5-10.el7_9.5.armv7hl
> libsss_certmap-1.16.5-10.el7_9.5.armv7hl
> sssd-libwbclient-1.16.5-10.el7_9.5.armv7hl
> libsss_sudo-1.16.5-10.el7_9.5.armv7hl
> sssd-polkit-rules-1.16.5-10.el7_9.5.armv7hl
> sssd-dbus-1.16.5-10.el7_9.5.armv7hl
> sssd-common-pac-1.16.5-10.el7_9.5.armv7hl
> sssd-tools-1.16.5-10.el7_9.5.armv7hl
> sssd-ldap-1.16.5-10.el7_9.5.armv7hl
> libsss_nss_idmap-1.16.5-10.el7_9.5.armv7hl
> sssd-krb5-common-1.16.5-10.el7_9.5.armv7hl
> python-sss-1.16.5-10.el7_9.5.armv7hl
> sssd-krb5-1.16.5-10.el7_9.5.armv7hl
>
>
>
> -- lawrence
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
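An added example, not part of the original thread and not SSSD's own code: a small offline check that computes which user attributes the `[ifp]` whitelist exposes and flags whitelisted extras that no domain fetches via `ldap_user_extra_attrs`, then builds the `GetUserAttr` call from the reply above. The function names are hypothetical, the default attribute set is the one shown in the `sssctl user-checks` output in the thread, and treating an unprefixed token as an addition is an assumption.

```python
import configparser

# Default InfoPipe attributes, as shown in the sssctl user-checks output in the thread.
IFP_DEFAULTS = ["name", "uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell"]

# Constructed sample: the relevant parts of the sssd.conf quoted in the thread.
SAMPLE_CONF = """
[sssd]
services = nss,pam,pac,ifp
domains = dvc.darkvixen.com
[ifp]
allowed_uids = root,wwwrun,sssd
user_attributes = +mail,+department,+telephoneNumber,-gecos
[domain/dvc.darkvixen.com]
override_homedir = /home/%u
ldap_user_extra_attrs = mail,department,telephoneNumber
"""

def split_csv(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def effective_ifp_attrs(conf_text):
    """Return (exposed, not_fetched): attributes InfoPipe may answer for, and
    whitelisted extras that no configured domain lists in ldap_user_extra_attrs."""
    # interpolation=None so values such as /home/%u are read literally
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    exposed = list(IFP_DEFAULTS)
    for token in split_csv(cp.get("ifp", "user_attributes", fallback="")):
        name = token.lstrip("+-")
        if token.startswith("-"):
            exposed = [a for a in exposed if a != name]
        elif name not in exposed:  # assumption: no prefix means "add"
            exposed.append(name)
    fetched = set()
    for domain in split_csv(cp.get("sssd", "domains", fallback="")):
        extra = cp.get("domain/" + domain, "ldap_user_extra_attrs", fallback="")
        # entries may be "cache_name:ldap_name" pairs; the cache name is what IFP sees
        fetched.update(item.split(":")[0] for item in split_csv(extra))
    not_fetched = [a for a in exposed if a not in IFP_DEFAULTS and a not in fetched]
    return exposed, not_fetched

def dbus_check_command(user, attrs):
    """argv for the dbus-send GetUserAttr query given in the reply."""
    return ["dbus-send", "--print-reply", "--system",
            "--dest=org.freedesktop.sssd.infopipe", "/org/freedesktop/sssd/infopipe",
            "org.freedesktop.sssd.infopipe.GetUserAttr",
            "string:" + user, "array:string:" + ",".join(attrs)]

if __name__ == "__main__":
    exposed, missing = effective_ifp_attrs(SAMPLE_CONF)
    print("exposed:", exposed, "| whitelisted but not fetched:", missing)
```

The returned argv has to be run by one of the accounts listed in `allowed_uids`.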
