sssd 1.6.1 LDAP: Marking port 389 as not working
by Sascha Frey
Hi list,
I'm trying to get sssd 1.6.1 working on FreeBSD 9.0 RC2 for some time
now.
/var/log/sssd/sssd_LDAP.log shows that the connection to the LDAP server
fails:
(Sat Nov 26 18:54:52 2011) [sssd[be[LDAP]]]
[sdap_ldap_connect_callback_add] (7): New LDAP connection to
[ldap://rep1.LDAP.techfak.uni-bielefeld.de:389/??base] with fd [15].
(Sat Nov 26 18:54:52 2011) [sssd[be[LDAP]]] [sdap_sys_connect_done] (1):
Failed to set LDAP SASL nocanon option to true
(Sat Nov 26 18:54:52 2011) [sssd[be[LDAP]]] [fo_set_port_status] (4):
Marking port 389 of server 'rep1.LDAP.techfak.uni-bielefeld.de' as 'not
working'
'ldapsearch -x -ZZ' with TLS_REQCERT=demand does work.
I tried with 'ldap_tls_cacert' in sssd.conf (should not be
necessary because of TLS_CACERT in /usr/local/etc/openldap/ldap.conf).
Doesn't seem to be a TLS verification issue, because 'ldap_tls_reqcert =
never' doesn't help either.
ldap://server.fqdn/ or ldaps://server.fqdn/ makes no difference.
The same sssd.conf works with sssd 1.5.1 under RHEL 6.1.
Any ideas?
Regards,
Sascha
12 years, 5 months
[PATCH] Allow using AD objectSid as uid source
by Marko Myllynen
Hi,
this simple patch allows using AD objectSid as uid source making it
possible to use SSSD against AD instances which do not have Identity
Management for Unix Role Service enabled. The mapping matches winbind's
idmap_rid(8) behaviour. If ldap_user_uid_number is not objectSid then
nothing changes.
https://fedorahosted.org/sssd/ticket/996
Cheers,
--
Marko Myllynen
12 years, 5 months
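As an added illustration of the objectSid-to-uid mapping the patch describes (example code written for this page, not the patch itself or SSSD's implementation): it decodes the binary objectSid attribute value that AD returns, extracts the RID (the last sub-authority) and applies winbind's idmap_rid arithmetic, uid = low_range + RID - base_rid, refusing RIDs that fall outside the range. The range values, the SID and the function names are assumptions; idmap_rid would take the range from smb.conf.

```python
# Added example, not the SSSD patch: decode an AD objectSid and map its RID to a
# POSIX uid the way winbind's idmap_rid does (uid = low_range + RID - base_rid).
import struct

# Assumed range settings (not from the post); idmap_rid reads these from smb.conf.
LOW_RANGE_ID = 10000
HIGH_RANGE_ID = 59999
BASE_RID = 0

def parse_sid(blob):
    """Decode a binary objectSid value into its string form S-R-I-S1-S2-...

    Layout: byte 0 revision, byte 1 sub-authority count, bytes 2..7 the 48-bit
    identifier authority (big-endian), then count x 32-bit little-endian sub-authorities.
    """
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def encode_sid(sid_str):
    """Inverse of parse_sid; used here only to build constructed sample input."""
    parts = sid_str.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def rid_of(sid_str):
    """The RID is the last sub-authority of the SID."""
    return int(sid_str.rsplit("-", 1)[1])

def sid_to_uid(blob):
    """idmap_rid mapping: uid = LOW_RANGE_ID + RID - BASE_RID, refused outside the range."""
    rid = rid_of(parse_sid(blob))
    if rid < BASE_RID:
        raise ValueError("RID %d is below base_rid" % rid)
    uid = LOW_RANGE_ID + rid - BASE_RID
    if uid > HIGH_RANGE_ID:
        raise ValueError("RID %d maps outside the configured uid range" % rid)
    return uid

# Constructed sample: a made-up domain SID whose user RID is 1105.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_BLOB = encode_sid(SAMPLE_SID)

if __name__ == "__main__":
    print(parse_sid(SAMPLE_BLOB), "->", sid_to_uid(SAMPLE_BLOB))
```

The range check matters in practice: without it, a RID larger than the configured range silently collides with uids handed out by another backend or domain, which is exactly the kind of mistake a per-domain range is meant to prevent.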
[PATCHES][PRELIMINARY] ldap_*_search_base doesn't fully limit the group / netgroup
by Pavel Březina
https://fedorahosted.org/sssd/ticket/960
I'm sending the fix for groups first because I want this to be ACKed
before I start working on netgroups.
Current behaviour is that if any of the search bases contains a filter,
then dereference will be turned off and the single step approach will be used.
Algorithm for determining the search base:
1. output_filter = ""
2. String compare of memberdn and basedn
(calculates with scope as well)
3. If compare is true and filter != "", append filter to
output_filter (|)
4. return true and output_filter if it is possible that memberdn
belongs to basedn
The output_filter is then appended (&) in the actual filter.
There is probably one bug, when you have several search bases when one
is a generalization of the other but with more restrictive filter.
For example (LDIF attached):
ldap_group_search_base =
cn=QA,ou=Groups,dc=brq,dc=redhat,dc=com?sub??
cn=DEV,ou=Groups,dc=brq,dc=redhat,dc=com?sub?
ldap_user_search_base =
cn=NewHires,ou=People,dc=brq,dc=redhat,dc=com?sub?? (A)
ou=People,dc=brq,dc=redhat,dc=com?sub?(&(uid=u1)(uid=u5)) (B)
GroupA (direct or indirect) members in LDIF are:
u1, u3 (from B), u4 (from A)
Expected result might be u4 (it is currently the actual result).
However, B is a contradiction and the filter contains this
contradiction*) so the actual result should be empty membership. But the
result is:
getent group groupA
groupA:*:10002:u4
* calling ldap_search_ext with
[(&(|(&(uid=u1)(uid=u3)))(objectclass=posixAccount))][cn=u4,cn=NewHires,ou=People,dc=brq,dc=redhat,dc=com]
Does anyone know what I am missing?
Thank you,
Pavel.
[PATCH 1/3] Function that compares dn to base dn (thanks Jan)
[PATCH 2/3] Fixes some bugs in previous function and changes its
behaviour to follow my needs
[PATCH 3/3] Fixes the group processing
12 years, 5 months
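As an added illustration of the search-base check the post describes (example code written for this page, not the patches under review or SSSD's own code): it parses the sssd.conf `base?scope?filter` form, does the DN-to-base comparison with scope, and composes the extra filter that gets ANDed into the member lookup. One deliberate difference from step 3 of the post: a matching base with an empty filter is treated as "no restriction", so it makes the OR of all matching filters trivially true instead of being skipped, which is why u4 is returned for the two user bases quoted in the post. The search bases are the post's; the member DNs other than u4 and the function names are constructed.

```python
# Added example (not the SSSD patches under review): decide which configured
# search bases a member DN can belong to and build the extra filter to AND into
# the lookup. Search base specs use the sssd.conf form "base?scope?filter".
import re

def parse_dn(dn):
    """Split a DN into (attr, value) RDNs, lowercased, splitting only on unescaped commas.
    Multi-valued RDNs (a+b) are not handled; they are rare in member DNs."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def dn_in_base(member_dn, base_dn, scope):
    """True if member_dn lies under base_dn within the given scope (base/one/sub)."""
    m, b = parse_dn(member_dn), parse_dn(base_dn)
    if len(m) < len(b) or m[len(m) - len(b):] != b:
        return False
    depth = len(m) - len(b)
    if scope == "base":
        return depth == 0
    if scope in ("one", "onelevel"):
        return depth == 1
    if scope in ("sub", "subtree"):
        return True
    raise ValueError("unknown scope %r" % scope)

def parse_search_base(spec):
    """'base?scope?filter' -> (base, scope, filter); a missing scope defaults to sub.
    A '?' inside the filter itself is not supported by this simple split."""
    base, scope, flt = (spec.split("?") + ["", ""])[:3]
    return base, scope or "sub", flt

def member_filter(member_dn, search_bases, object_filter):
    """Return the filter to use for member_dn, or None if no base can contain it.
    A matching base without a filter imposes no restriction, so it makes the OR of
    the matching filters trivially true and only object_filter remains."""
    matched, restrictions, unrestricted = False, [], False
    for spec in search_bases:
        base, scope, flt = parse_search_base(spec)
        if not dn_in_base(member_dn, base, scope):
            continue
        matched = True
        if flt:
            restrictions.append(flt)
        else:
            unrestricted = True
    if not matched:
        return None
    if unrestricted or not restrictions:
        return object_filter
    extra = restrictions[0] if len(restrictions) == 1 else "(|" + "".join(restrictions) + ")"
    return "(&" + extra + object_filter + ")"

# The user search bases from the post (A, then B); member DNs below are constructed.
USER_BASES = [
    "cn=NewHires,ou=People,dc=brq,dc=redhat,dc=com?sub??",
    "ou=People,dc=brq,dc=redhat,dc=com?sub?(&(uid=u1)(uid=u5))",
]
POSIX_USER = "(objectclass=posixAccount)"

if __name__ == "__main__":
    for dn in ("cn=u4,cn=NewHires,ou=People,dc=brq,dc=redhat,dc=com",
               "cn=u3,ou=People,dc=brq,dc=redhat,dc=com",
               "cn=x,ou=Other,dc=brq,dc=redhat,dc=com"):
        print(dn, "->", member_filter(dn, USER_BASES, POSIX_USER))
```

The practical check when reviewing such a function is the overlapping-bases case from the post: u4 is under both A (no filter) and B (contradictory filter). With B's filter alone the lookup can never match, so whether the empty filter of A counts as "everything" or as "nothing" decides the membership result.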
sssd nscd and oracle services
by Aziz Sasmaz
Hi,
We have two Oracle cluster nodes running in a RAC environment
(active/passive). CRS and Oracle services are running and these two nodes
have SAN disks presented to them.
We are using sssd perfectly on these two nodes. nscd is also disabled on
the primary active node and everything is perfect with sssd there. But if I
disable the nscd service on the failover node2, Oracle services do not
work on the failover node.
Failover nodes can't call Oracle services if nscd is stopped in an sssd
configured environment. Is there any resolution for this or any known
bugs? It might be Oracle-related, I know, but any help or clue you can give
will be greatly appreciated. I am using nscd and sssd at the same time for
now, but I am not comfortable :)
Thanks,
AS
12 years, 5 months
[PATCH] Add Winbind provider.
by Pavel Zuna
This patch adds the whole Winbind provider. We agreed with Summit that it would
be better to submit it as a single patch, as splitting it wouldn't make review any
easier.
It has the ID and AUTH providers. ID can do user, groups, initgroups and
enumeration of them. AUTH can do authentication and password change operation.
To build the provider, you need to use the
--enable-experimental-winbind-provider configure flag. samba-winbind-devel
package is required.
SSSD configuration options for the Winbind provider can be found in
/etc/sssd/sssd.api.d/sssd-winbind.conf. They correspond pretty much to the Winbind
options normally found in smb.conf.
Both NT and AD domains have to be joined first using samba net utility:
net ads join -S server -U user ...
A man page (man sssd-winbind) is coming soon.
Big thanks to Summit for helping me out with testing this and reviewing commits in
my private repo periodically. Thanks!
Pavel
12 years, 5 months
[PATCH] Better confinment of keyrings
by Simo Sorce
After a quick discussion with David Howells (maintainer of
keyutils/keyrings) I created this patch for SSSD.
It should make the keyrings used to store user passwords not as easy to
access even for root by confining them to the sssd process and its
children.
I haven't really tested it yet, but I guess we want to discuss if this
approach is ok first anyway.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
12 years, 5 months