Thank you for the explanation. I understand.

> On 2024/04/29 22:45, Sumit Bose <[email protected]> wrote:
>
> On Mon, Apr 29, 2024 at 09:12:08PM +0900, [email protected] wrote:
>> Hi,
>>
>> Thank you for your quick response. Yes, that was the reason. In this regard,
>> allow me to add the following question.
>>
>> Is there any way to remove objectClass from the filter, so that it is
>> (uid=hogehoge) but not (&(uid=hogehoge)(objectclass=inetOrgPerson)) as in
>> the failure case?
>>
>> Even though I tried to remove the objectclass filter in sssd.conf, I
>> couldn't.
>> Removing the "ldap_user_object_class" statement in [domain/local] automatically
>> gives the following:
>> (&(uid=hogehoge)(objectclass=posixAccount))
>> (as mentioned before, posixAccount is not used in the LDAP database.)
>> Or, is the declaration of objectclass mandatory in the filter?
>> I would greatly appreciate any assistance.
>
> Hi,
>
> SSSD will always use an objectclass in the filter to make sure that
> only the expected type of objects are returned.
>
> HTH
>
> bye,
> Sumit
>
>>
>>> On 2024/04/29 19:55, Sumit Bose <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> my first guess would be that the `uid=search_id` object does not have
>>> the permissions to read the `objectClass` attribute from other objects.
>>> Please check the ACIs on the LDAP server side for this user.
>>>
>>> HTH
>>>
>>> bye,
>>> Sumit
>>>
>>>> This initial search binding works fine and returns the user DN to log in,
>>>> for example,
>>>> uid=hogehoge,ou=staff,ou=Users,dc=example,dc=com
>>>>
>>>> However, as shown below, the user (hogehoge) cannot be authenticated.
>>>> /var/log/sssd/sssd_local.log
>>>> (2024-04-28 21:57:11): [be[local]] [sdap_call_op_callback] (0x20000):
>>>> [RID#2] Handling LDAP operation [3][server: [xxx.xx.xx.x:636] filter:
>>>> [(&(uid=hogehoge)(objectclass=inetOrgPerson))] base:
>>>> [ou=Users,dc=example,dc=com]] took [2.910] milliseconds.
>>>> (2024-04-28 21:57:11): [be[local]] [sdap_parse_entry] (0x1000): [RID#2]
>>>> OriginalDN: [uid=hogehoge,ou=staff,ou=Users,dc=example,dc=com].
>>>> (2024-04-28 21:57:11): [be[local]] [sdap_parse_entry] (0x0020): [RID#2]
>>>> Unknown entry type, no objectClasses found!
>>>>
>>>> /var/log/secure
>>>> Apr 28 21:57:11 server sssctl[1635756]: pam_sss(system-auth:auth):
>>>> authentication failure; logname=dummy uid=0 euid=0 tty= ruser= rhost=
>>>> user=hogehoge
>>>> Apr 28 21:57:11 server sssctl[1635756]: pam_sss(system-auth:auth):
>>>> received for user hogehoge: 4 (System error)
>> --
>> _______________________________________________
>> sssd-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/[email protected]
>> Do not reply to spam, report it:
>> https://pagure.io/fedora-infrastructure/new_issue
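A way to spot the failure discussed in this thread in an SSSD backend log, as an added example that is not part of any message in the thread or of SSSD itself: it groups log lines by request ID and reports entries that were found by the search but parsed without any objectClass values, which in this thread was caused by the search bind user lacking read access to `objectClass`. The sample log is constructed from the lines quoted above (wrapped lines rejoined), the RID#3 lines are a constructed healthy control, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: RID#2 is the log quoted in the thread with wrapped lines
# rejoined; RID#3 is a made-up healthy lookup used as a control.
SAMPLE_LOG = """\
(2024-04-28 21:57:11): [be[local]] [sdap_call_op_callback] (0x20000): [RID#2] Handling LDAP operation [3][server: [xxx.xx.xx.x:636] filter: [(&(uid=hogehoge)(objectclass=inetOrgPerson))] base: [ou=Users,dc=example,dc=com]] took [2.910] milliseconds.
(2024-04-28 21:57:11): [be[local]] [sdap_parse_entry] (0x1000): [RID#2] OriginalDN: [uid=hogehoge,ou=staff,ou=Users,dc=example,dc=com].
(2024-04-28 21:57:11): [be[local]] [sdap_parse_entry] (0x0020): [RID#2] Unknown entry type, no objectClasses found!
(2024-04-28 21:58:02): [be[local]] [sdap_call_op_callback] (0x20000): [RID#3] Handling LDAP operation [4][server: [xxx.xx.xx.x:636] filter: [(&(uid=fugafuga)(objectclass=inetOrgPerson))] base: [ou=Users,dc=example,dc=com]] took [1.804] milliseconds.
(2024-04-28 21:58:02): [be[local]] [sdap_parse_entry] (0x1000): [RID#3] OriginalDN: [uid=fugafuga,ou=staff,ou=Users,dc=example,dc=com].
"""

# Prefix of a backend debug line: timestamp, domain, function, level, request id.
LINE = re.compile(r"^\((?P<ts>[^)]+)\): \[be\[(?P<domain>[^\]]+)\]\] "
                  r"\[(?P<func>\w+)\] \(0x[0-9a-f]+\): \[RID#(?P<rid>\d+)\] (?P<msg>.*)$")
FILTER = re.compile(r"filter: \[(.*?)\] base:")
DN = re.compile(r"OriginalDN: \[(.*)\]\.")


def find_hidden_objectclass(log_text):
    """Return one finding per request whose entry was parsed without objectClass."""
    requests = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        req = requests[(m["domain"], m["rid"])]
        msg = m["msg"]
        if (f := FILTER.search(msg)):
            req["filter"] = f.group(1)
        elif (d := DN.search(msg)):
            req["dn"] = d.group(1)
        elif "no objectClasses found" in msg:
            req["missing"] = True
    return [
        {"domain": dom, "rid": int(rid), "dn": r.get("dn"), "filter": r.get("filter"),
         # True means the server matched on objectclass but did not return it,
         # which points at attribute read permissions (ACIs) for the bind user.
         "filter_uses_objectclass": "objectclass=" in r.get("filter", "").lower()}
        for (dom, rid), r in requests.items() if r.get("missing")
    ]


if __name__ == "__main__":
    for finding in find_hidden_objectclass(SAMPLE_LOG):
        print(f"[{finding['domain']}] RID#{finding['rid']}: {finding['dn']} returned "
              f"without objectClass for filter {finding['filter']}; check read ACIs")
```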
