SSSD ad provider no ldap_id_mapping and msSFU30PosixMemberOf
by squallu@gmail.com
Hi,
I'm trying to configure sssd with the ad provider to work with ldap_id_mapping = False. Everything is working fine except for additional groups aside from the primary (msSFU30PosixMemberOf). Is it even possible without switching to id_provider=ldap?
Adding ldap_user_member_of = msSFU30PosixMemberOf to /etc/sssd/sssd.conf changes nothing, switching to id_provider = ldap works and gives me back all the unix groups configured on AD.
Thank you.
7 years, 5 months
full_name_format and supplemental groups
by Orion Poplawski
Running IPA with an AD trust. Users are in AD. Trying to use
full_name_format = %1$s to strip the domain from user names. This appears to
break supplemental groups in strange ways.
On the IPA server:
Without full_name_format:
# id orion@ad.nwra.com
uid=470202603(orion@ad.nwra.com) gid=470202603(orion@ad.nwra.com) groups=470202603(orion@ad.nwra.com),470200513(domain users@ad.nwra.com),470204703(pirep rd users@ad.nwra.com),470204714(wireless access@ad.nwra.com),470204715(nwra-users@ad.nwra.com),470204701(boulder@ad.nwra.com),470207608(heimdall users@ad.nwra.com),470200512(domain admins@ad.nwra.com),470207124(andreas admins@ad.nwra.com)
With:
# id orion@ad.nwra.com
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
If I add:
default_domain_suffix = ad.nwra.com
# id orion
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion),470200512(domain admins),470207608(heimdall users),470204714(wireless access),470204715(nwra-users),470204701(boulder),470204703(pirep rd users),470207124(andreas admins),470200513(domain users)
Which I guess makes some sense as you'd need to add the domain suffix back on
to find the groups.
But this appears to completely break IPA clients (with full_name_format = %1$s
and default_domain_suffix = ad.nwra.com):
# id orion@ad.nwra.com
id: orion@ad.nwra.com: no such user
# id orion
id: orion: no such user
From looking at the server logs, it looks like only the IPA domain is searched.
If I reset the server back to normal (drop full_name_format and
default_domain_suffix):
# id orion
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
I don't get any supplemental groups. I see sssd errors like:
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory)
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
Is it trying "cn=groups,cn=nwra.com,cn=sysdb" instead of
"cn=groups,cn=ad.nwra.com,cn=sysdb"?
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion@nwra.com
Boulder, CO 80301 http://www.nwra.com
7 years, 5 months
sssd sudo issue
by Mario Rossi
Hi sssd-users list,
I am facing a strange issue on several CentOS servers. It seems that
after a while (days) sudo does not work any more for some of my users.
We keep sudo rules in OpenLDAP. If a user uses 'sudo su -', he gets
an error message ("User abc is not allowed to run sudo on ....");
however, if the user runs 'id' followed by 'sudo su -' then in some of
the cases it works fine and the user can get root access. I even upgraded to
the unofficial repo hoping that the issue we see is similar/same to
https://fedorahosted.org/sssd/ticket/2970. But I think it's a different
issue.
Any ideas? Next I will be looking at dumping the local sssd cache files.
I can provide debug =9 log files offline if needed.
Thank you
root@server yum.repos.d # rpm -qa | egrep sssd
sssd-common-pac-1.13.4-4.el6.x86_64
sssd-ldap-1.13.4-4.el6.x86_64
sssd-tools-1.13.4-4.el6.x86_64
sssd-client-1.13.4-4.el6.x86_64
sssd-ad-1.13.4-4.el6.x86_64
python-sssdconfig-1.13.4-4.el6.noarch
sssd-common-1.13.4-4.el6.x86_64
sssd-ipa-1.13.4-4.el6.x86_64
sssd-proxy-1.13.4-4.el6.x86_64
sssd-krb5-common-1.13.4-4.el6.x86_64
sssd-krb5-1.13.4-4.el6.x86_64
sssd-1.13.4-4.el6.x86_64
root@server sssd # vim /etc/sssd/sssd.conf # set debug = 9
root@server sssd # sudo -U abc -l
User abc is not allowed to run sudo on server.
root@server sssd # egrep sudo /etc/nsswitch.conf
sudoers: sss
root@server sssd # ip a s dev eth0 | egrep global
inet 216.X.Y.Z/26 brd 216.X.Y.Z scope global eth0
root@server sssd # id abc
uid=100001044(abc) gid=1009(...) groups=1202(...),1168(...),1191(...),1102(...),1009(...),1101(...),1127(...),1167(...),1111(...),1178(...),1109(...),1199(...),1208(stage),1117(...),1198(...),1192(...),1206(...),1176(...),1404(...),1183(...),1103(...),1110(...),1205
root@abc sssd # sudo -U abc -l
Matching Defaults entries for abc on this host:
[...]
User abc may run the following commands on this host:
    (ALL) PASSWD: ALL
# LDAP Sudo def
dn: cn=stage,ou=sudoers,o=Domain,dc=domain,dc=com
sudoOrder: 42
[...]
sudoUser: %stage
sudoRunAs: ALL
cn: stage
description: Allow Trusted Senior stuff become root
sudoCommand: ALL
sudoHost: 216.X.Y.Z
[...]
objectClass: top
objectClass: sudoRole
sudoOption: authenticate
# Group def
dn: cn=stage,ou=groups,o=Domain,dc=domain,dc=com
gidNumber: 1208
cn: stage
description: stage Group
objectClass: posixGroup
objectClass: top
memberUid: abc
hMemberDN: uid=abc,ou=users,o=Domain,dc=domain,dc=com
Sanitized sssd.conf:
[sssd]
config_file_version = 2
sbus_timeout = 30
services = nss, pam, sudo, ssh
domains = LOCAL, DOMAIN1, DOMAIN2
[nss]
filter_users = adm,apache,avahi,bin,daemon,dbus,ecryptfs,ftp,git,games,gopher,haldaemon,halt,hfallback,ldap,lp,mail,mailnull,named,news,nfsnobody,nobody,nscd,nslcd,ntp,operator,oprofile,ossec,postfix,puppet,puppet-dashboard,pulse,pulse-access,radiusd,root,rpc,rpcuser,rtkit,saslauth,sfallback,shutdown,slocate,smmsp,sshd,sync,tcpdump,tss,uucp,vcsa
filter_groups = adm,apache,audio,bin,cdrom,cgred,daemon,dbus,dialout,dip,disk,ecryptfs,floppy,fuse,git,hfallback,kmem,ldap,lock,lp,mail,mailnull,man,mem,nfsnobody,nobody,nscd,ntp,ossec,oprofile,postdrop,postfix,puppet,puppet-dashboard,pulse,pulse-access,root,rpc,rpcuser,rtkit,saslauth,sfallback,slocate,smmsp,sshd,sys,tape,tcpdump,tss,tty,users,utempter,utmp,vcsa,video
override_shell = /bin/bash
[pam]
debug_level = 3
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
pam_verbosity = 1
pam_pwd_expiration_warning = 21
pam_account_expired_message = Account expired, please use selfservice portal to change your password and extend account.
[sudo]
debug_level=9
[ssh]
# debug_level=9
[domain/LOCAL]
description = LOCAL Users domain
id_provider = local
enumerate = true
min_id = 500
max_id = 999
default_shell = /bin/bash
base_directory = /home
create_homedir = false
remove_homedir = true
homedir_umask = 077
skel_dir = /etc/skel
mail_dir = /var/spool/mail
######### SECTION: DOMAIN1
[domain/DOMAIN1]
min_id = 499
debug_level = 9
cache_credentials = True
entry_cache_timeout = 864000
auth_provider = ldap
id_provider = ldap
access_provider = ldap
#chpass_provider = ldap
sudo_provider = ldap
selinux_provider = none
autofs_provider = none
# LDAP Search
ldap_search_base = dc=domain,dc=com
ldap_group_search_base = ou=groups,o=Domain,dc=domain,dc=com
ldap_user_search_base = ou=users,o=Domain,dc=domain,dc=com?subtree?(|(description=cn=stage,ou=groups,o=Domain,dc=domain,dc=com)(.....)(.....))
# LDAP Custom Schema
ldap_group_member = hMemberDN
ldap_user_member_of = description
# this should really be rfc2307
ldap_schema = rfc2307bis
ldap_network_timeout = 3
ldap_id_use_start_tls = False
ldap_tls_reqcert = never
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_uri = ldaps://s1.sec.domain.com, ldaps://s2.sec.domain.com, ldaps://s3.sec.domain.com
ldap_backup_uri = ldaps://66.X.Y.Z
ldap_default_authtok_type = obfuscated_password
ldap_default_bind_dn = uid=MYDN
ldap_default_authtok = MYPASS
ldap_user_ssh_public_key = sshPublicKey
ldap_pwd_policy = none
ldap_account_expire_policy = shadow
ldap_user_shadow_expire = shadowExpire
# shadowExpire: days since Jan 1, 1970 that account is disabled: $ echo $(($(date --utc --date "$1" +%s)/86400))
ldap_chpass_update_last_change = false
ldap_access_order = filter, expire
ldap_access_filter = (&(objectClass=posixAccount)(uidNumber=*)(hAccountInitialSetup=1)(|(description=cn=stage,ou=groups,o=Domain,dc=domain,dc=com)))
# SUDO
ldap_sudo_search_base = ou=sudoers,o=Domain,dc=domain,dc=com
ldap_sudo_full_refresh_interval = 86400
ldap_sudo_smart_refresh_interval = 3600
#entry_cache_sudo_timeout = 5400
The same options for DOMAIN2 except filters and user/group base.
hMemberDN is defined in nis.schema, a relic of OpenLDAP 2.2, a
workaround applied before transitioning to 2.4.40.
# Modification to posixGroup
attributetype ( 1.3.6.1.1.1.1.28 NAME 'hMemberDN'
DESC 'RFC2256: member of a group'
SUP distinguishedName )
objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup'
DESC 'Abstraction of a group of accounts'
SUP top STRUCTURAL
MUST ( cn $ gidNumber )
MAY ( userPassword $ memberUid $ hMemberDN $ description ) )
7 years, 5 months
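The 'stage' rule in the thread above grants access through sudoUser: %stage, and a %group entry can only match through the user's supplementary group list, which is what `id` resolves. As an added illustration (not from the thread or the sudo project), here is a small matcher for sudoRole entries of the shape quoted above; the LDIF, the second per-user rule and the host addresses are constructed placeholders.

```python
import ipaddress
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed LDIF modelled on the 'stage' sudoRole quoted in the thread, plus a
# second per-user rule; addresses are documentation-range placeholders, not the poster's.
SUDOERS_LDIF = """dn: cn=stage,ou=sudoers,o=Domain,dc=domain,dc=com
sudoOrder: 42
sudoUser: %stage
sudoRunAs: ALL
sudoCommand: ALL
sudoHost: 203.0.113.10
objectClass: sudoRole
sudoOption: authenticate

dn: cn=backup,ou=sudoers,o=Domain,dc=domain,dc=com
sudoUser: abc
sudoHost: 203.0.113.0/24
sudoCommand: /usr/bin/rsync
objectClass: sudoRole
"""

def parse_ldif(text: str) -> List[Entry]:
    """Split an LDIF dump into {attr: [values]} entries (blank-line separated)."""
    entries: List[Entry] = []
    cur: Entry = {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    return entries + [cur] if cur else entries

def host_matches(rule_hosts: List[str], hostname: str, ip: str) -> bool:
    """sudoHost is ALL, a host name, an address, or a network in CIDR/netmask form."""
    for h in rule_hosts:
        if h in ("ALL", hostname, ip):
            return True
        if "/" in h and ipaddress.ip_address(ip) in ipaddress.ip_network(h, strict=False):
            return True
    return False

def user_matches(rule_users: List[str], user: str, groups: List[str]) -> bool:
    """sudoUser is ALL, a user name, or %group; %group matches only through the
    user's resolved supplementary group list (the groups `id abc` prints)."""
    for u in rule_users:
        if u in ("ALL", user) or (u.startswith("%") and u[1:] in groups):
            return True
    return False

def allowed_commands(entries: List[Entry], user: str, groups: List[str],
                     hostname: str, ip: str) -> List[str]:
    """Commands granted by every sudoRole whose sudoUser and sudoHost both match."""
    cmds: List[str] = []
    for e in entries:
        if ("sudoRole" in e.get("objectClass", [])
                and user_matches(e.get("sudoUser", []), user, groups)
                and host_matches(e.get("sudoHost", []), hostname, ip)):
            cmds.extend(e.get("sudoCommand", []))
    return cmds
```

Running allowed_commands for abc once with ["stage"] and once with an empty group list shows the %stage grant appearing and disappearing while the per-user rule stays, which is the shape of the symptom the poster describes.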
sssd + LDAP: NSS works, PAM: Can't contact LDAP server
by Sascha Frey
Hi list,
I have some trouble with sssd after upgrading from Debian Jessie
(stable) to Stretch (testing).
I'm using sssd with LDAP (OpenLDAP servers running Debian Jessie) for
NSS and PAM.
NSS works just fine. getent passwd|group does return all users and
groups stored in LDAP.
PAM doesn't work. I get this error in the log:
[sssd[be[LDAP]]] [fo_set_port_status] (0x0400): Marking port 389 of duplicate server 'ldap2.Domain.TLD' as 'working'
[sssd[be[LDAP]]] [simple_bind_send] (0x0100): Executing simple bind as: uid=someuser,ou=user,dc=Sub,dc=Domain,dc=TLD
[sssd[be[LDAP]]] [sdap_process_result] (0x0040): ldap_result error: [Can't contact LDAP server]
/var/log/auth.log:
sshd[13510]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.200.11 user=someuser
sshd[13510]: pam_sss(sshd:auth): received for user someuser: 4 (System error)
Old version: 1.11.7-3 (Debian)
New version: 1.14.1-1 (Debian)
I'm pretty sure that the connection to the LDAP server does
work for NSS. After stopping sssd, deleting /var/lib/sss/db/* and
starting sssd again it does fetch all users and groups from the
directory.
Any idea what's wrong?
Cheers,
Sascha
7 years, 5 months
SSSD Caching Question
by Douglas Duckworth
Hello,
I am in the process of deploying a new LDAP cluster. Y'all were very
helpful in getting SSSD configured properly. We were not using SSSD
at all before. That really freaks me out, given we have all of our NFS
mounts defined in LDAP, so consequently I have added autofs. Our LDAP
schema does not conform to any "standard" so I have attached my sanitized
sssd.conf and autofs.conf, as well as nsswitch.conf, in case anyone had
issues doing autofs and sssd with aliases.
Eg:
# autofs.maps, server, machines, blah.blah.blah.blah
dn: ou=autofs.maps,cn=server,ou=machines,dc=blah,dc=blah,dc=blah,dc=blah
ou: autofs.maps
objectClass: automountMap
objectClass: top
# scratch, autofs.maps, server, machines, blah.blah.blah.blah
dn: cn=scratch,cn=server,ou=machines,dc=blah,dc=blah,dc=blah,dc=blah
ou: autofs.maps
cn: scratch
objectClass: alias
objectClass: extensibleObject
aliasedObjectName: ou=scratch,ou=autofs.maps,dc=blah,dc=blah,dc=blah,dc=blah
# scratch, autofs.maps, davinci.med.cornell.edu
dn: ou=scratch,ou=autofs.maps,dc=blah,dc=blah,dc=blah,dc=blah
objectClass: top
objectClass: organizationalUnit
ou: scratch
# 31337lab_scratch, scratch, autofs.maps, blah.blah.blah.blah
dn: cn=fclab_scratch,ou=scratch,ou=autofs.maps,dc=blah,dc=blah,dc=blah,dc=blah
cn: 31337lab_scratch
objectClass: automount
automountInformation: exporting.nfs.server:/important/stuff/located/here
"ldap_deref = always" made this work. Anyway, hope someone finds that
useful.
So caching. Would such a long LDAP caching policy, shown in my sssd.conf,
have any downsides? I thought the longer the better though what if users
change their password? Does sssd poll LDAP server for changes in order to
make sure the cache doesn't fall behind state present in LDAP?
Best
Doug
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug(a)med.cornell.edu
O: 212-746-5454
F: 212-746-8690
7 years, 6 months
Active Directory domain authorization on CentOS 7.2 servers with SSSD
by Aleksey Maksimov
Hello SSSD gurus!
I want to set up Active Directory domain authorization in my CentOS 7.2 servers with SSSD.
For this I use SSSD as described here:
https://blog.it-kb.ru/2016/10/15/join-debian-gnu-linux-8-6-to-active-dire...
I have set up for several servers and everything works well.
But on the last server SSSD does not work as it should.
I attached this server to the domain using the realm utility.
It looks nice.
[root@KOM-OVIRT1 ~]# realm list
ad.holding.com
type: kerberos
realm-name: AD.HOLDING.COM
domain-name: ad.holding.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common
login-formats: %U@ad.holding.com
login-policy: allow-permitted-logins
permitted-logins:
permitted-groups: KOM-SRV-Linux-Admins@ad.holding.com
However, getent does not return information about domain accounts:
[root@KOM-OVIRT1 ~]# getent passwd aleksey@ad.holding.com
[root@KOM-OVIRT1 ~]#
getent for local accounts work:
[root@KOM-OVIRT1 ~]# getent passwd root
root:x:0:0:root:/root:/bin/bash
My /etc/sssd/sssd.conf:
------------------------------------------------
[sssd]
domains = ad.holding.com
config_file_version = 2
services = nss, pam
default_domain_suffix = ad.holding.com
[nss]
debug_level=9
[domain/ad.holding.com]
ad_server = kom-dc01.ad.holding.com, kom-dc02.ad.holding.com
ad_domain = ad.holding.com
krb5_realm = AD.HOLDING.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
debug_level=9
------------------------------------------------
/var/log/sssd/sssd_nss.log:
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [ad.holding.com][4097][1][name=aleksey]
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sbus_add_timeout] (0x2000): 0x7f8794b5f9a0
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x7f8792bce0d0:1:aleksey@ad.holding.com]
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sbus_remove_timeout] (0x2000): 0x7f8794b5f9a0
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x7f8794b5b120
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 1 errno: 11 error message: Fast reply - offline
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
Error: 1, 11, Fast reply - offline
Will try to return what we have in cache
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x7f8792bce0d0:1:aleksey@ad.holding.com]
------------------------------------------------
/var/log/sssd/sssd_ad.holding.com.log
(Wed Oct 19 16:53:21 2016) [sssd[be[ad.holding.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=aleksey]
(Wed Oct 19 16:53:21 2016) [sssd[be[ad.holding.com]]] [be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast reply - offline
What could be the problem?
7 years, 6 months
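Both logs above say the same thing in different words: the Data Provider answered "Fast reply - offline" rather than "no such user". As an added triage aid (not from the thread), here is a parser for this sssd log format that pulls those replies out, with the responder or backend that logged them; the sample lines are constructed copies of the ones in the post.

```python
import re
from typing import Dict, List, Optional

# Constructed lines in the format of the sssd_nss.log / sssd_<domain>.log excerpts above.
SAMPLE_LOG = """(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [ad.holding.com][4097][1][name=aleksey]
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 1 errno: 11 error message: Fast reply - offline
(Wed Oct 19 16:54:44 2016) [sssd[nss]] [nss_cmd_getby_dp_callback] (0x0040): Unable to get information from Data Provider
(Wed Oct 19 16:53:21 2016) [sssd[be[ad.holding.com]]] [be_get_account_info] (0x0200): Got request for [0x1001][1][name=aleksey]
(Wed Oct 19 16:53:21 2016) [sssd[be[ad.holding.com]]] [be_get_account_info] (0x0100): Request processed. Returned 1,11,Fast reply - offline
"""

# (timestamp) [sssd[proc]] [function] (level): message; proc may itself be be[domain].
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<proc>[^\]]+(?:\[[^\]]+\])?)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
# The two ways the DP result triple (error, errno, text) shows up in the logs above.
DP_REPLY_RE = re.compile(r"DP error code: (\d+) errno: (\d+) error message: (.*)")
BE_REPLY_RE = re.compile(r"Returned (\d+),(\d+),(.*)")

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one debug line into ts/proc/func/level/msg, or None if it is not one."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def offline_events(log: str) -> List[Dict[str, str]]:
    """Return the Data Provider replies that report the backend offline."""
    events: List[Dict[str, str]] = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = DP_REPLY_RE.search(rec["msg"]) or BE_REPLY_RE.search(rec["msg"])
        if m and "offline" in m.group(3).lower():
            events.append({"ts": rec["ts"], "proc": rec["proc"], "dp_error": m.group(1),
                           "errno": m.group(2), "reason": m.group(3).strip()})
    return events
```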
Question about FreeIPA covered at https://lists.fedorahosted.org/archives/list/devel@lists.fedoraproject.org/2015/12/
by Gerard Blokdijk
Hello Sssd,
I was searching for FreeIPA information and I came across https://lists.fedorahosted.org/archives/list/devel@lists.fedoraproject.or..., where you cover FreeIPA.
FreeIPA is included in the current Auth0 predictive analytics report at https://theartofservice.com/Auth0-predictive-analytics-report.html
Because I feel this is of interest to you, and to find mutual ground, I want to give you the full $97 report for free. You can download the PDF direct here https://theartofservicelab.s3.amazonaws.com/report/Auth0%20Predictive%20A...
What is the value of the report?
I've been in many enterprise data center management and CxO roles over the past 25 years, and something as simple as reports like we're producing was always the guide I missed; transparent data across many data points covering a specific topic and its related topics, highlighting what's important now and in the future - a simple way to instantly understand and move forward in the right direction, based on verifiable data.
The aim of the report is to give a compass-overview of what is, and is going to be, of impact to the topic of the report - for readers who need a quick starter and insight into the topic. It is NOT meant for an expert in the field, who knows the field inside-out. The report's target audience is the manager and professional who needs quick insight into the field and where it is heading.
Would you give me a bit of your time to go look at it?
I'm asking this because the analysis has to win on its own right and appeal to you. It solves a lot of clients' problems and it has to be obvious to you how it would create value to you.
Please feel free to use the data, including graphics, in any way.
I would appreciate it if you would consider linking to https://theartofservice.com/Auth0-predictive-analytics-report.html. To make it easy you can use the following text (or use any text you like): 'The Art of Service's Auth0 predictive analytics report evaluates technologies and applications (including FreeIPA) in terms of their business impact, adoption rate and maturity level to help users decide where and when to invest.'
If I can assist you with anything else, or return the favor, please let me know.
Gerard Blokdijk
Connect with me here: https://www.linkedin.com/in/gerardblokdijk
CEO
The Art of Service
https://theartofservice.com
gerard.blokdijk(a)theartofservice.com
7 years, 6 months
User [op01] was not found with the specified filter. Denying access
by liujitao79@gmail.com
Hi all,
#### user op01
ldapsearch -x -W -H ldaps://master.local -D cn=manager,dc=suntv,dc=tv -b uid=op01,ou=people,dc=suntv,dc=tv
Enter LDAP Password:
```
# extended LDIF
#
# LDAPv3
# base <uid=op01,ou=people,dc=suntv,dc=tv> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# op01, people, suntv.tv
dn: uid=op01,ou=people,dc=suntv,dc=tv
uid: op01
cn: op01
sn: op01
objectClass: hostObject
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
userPassword:: MTIzNDU2
shadowLastChange: 17085
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 2001
homeDirectory: /home/op01
labeledURI: ldaps:///ou=op,ou=host,dc=suntv,dc=tv?host
# Dynamic Lists of the OpenLDAP
host: 192.168.1.21
# generated Dynamic Lists of the OpenLDAP
host: 192.168.1.22
# generated Dynamic Lists of the OpenLDAP
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
```
#### sssd.conf
```
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
......
ldap_search_base = dc=suntv,dc=tv
ldap_user_search_base = ou=people,dc=suntv,dc=tv
ldap_group_search_base = ou=group,dc=suntv,dc=tv
......
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (|(host=all)(host=192.168.1.21))
```
#### test
ssh op01@192.168.1.21
op01@192.168.1.21's password:
Connection to 192.168.1.21 closed by remote host.
Connection to 192.168.1.21 closed.
sssd_LDAP.log
```
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [op01]
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [sdap_access_filter_send] (0x0400): Checking filter against LDAP
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [sdap_print_server] (0x2000): Searching 192.168.1.11
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=op01)(objectclass=posixAccount)(|(host=all)(host=192.168.1.21)))][uid=op01,ou=people,dc=suntv,dc=tv].
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 5
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [sdap_op_add] (0x2000): New operation 5 timeout 6
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x7f1b15cca440], connected[1], ops[0x7f1b15d9a700], ldap[0x7f1b15cb09f0]
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [sdap_op_destructor] (0x2000): Operation 5 finished
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [sdap_access_filter_done] (0x0100): User [op01] was not found with the specified filter. Denying access.
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [sdap_access_filter_done] (0x0400): Access denied by online lookup
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x7f1b15d9da80
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x7f1b15d9dbb0
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [ldb] (0x4000): Running timer event 0x7f1b15d9da80 "ltdb_callback"
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [ldb] (0x4000): Destroying timer event 0x7f1b15d9dbb0 "ltdb_timeout"
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [ldb] (0x4000): Ending timer event 0x7f1b15d9da80 "ltdb_callback"
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [ldb] (0x4000): commit ldb transaction (nesting: 0)
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [sdap_access_done] (0x0400): Access was denied.
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Backend returned: (0, 6, <NULL>) [Success (Permission denied)]
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sending result [6][LDAP]
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [be_pam_handler_callback] (0x0100): Sent result [6][LDAP]
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x7f1b15cca440], connected[1], ops[(nil)], ldap[0x7f1b15cb09f0]
(Fri Oct 14 10:23:04 2016) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Fri Oct 14 10:23:06 2016) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x7f1b15cac500
(Fri Oct 14 10:23:06 2016) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
```
calling ldap_search_ext with [(&(uid=op01)(objectclass=posixAccount)(|(host=all)(host=192.168.1.21)))][uid=op01,ou=people,dc=suntv,dc=tv]
User [op01] was not found with the specified filter. Denying access.
Why does ldap_search_ext return no results?
Please help me, thanks.
7 years, 6 months
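The search in the log returns nothing even though ldapsearch shows the host values. As an added illustration (not from the thread), here is a small evaluator for the filter sssd built, run once over the entry as stored and once over the entry as returned with the overlay-generated host values. It assumes, as the poster's own comments indicate, that the host attributes come from OpenLDAP's dynamic list overlay, which adds them when an entry is returned, so they are not present in the stored entry that the server evaluates a search filter against.

```python
from typing import Dict, List

Entry = Dict[str, List[str]]

# Constructed from the op01 entry quoted above, without the two 'host' values the
# poster marks as generated by OpenLDAP's dynamic list overlay (assumed setup).
STORED_LDIF = """dn: uid=op01,ou=people,dc=suntv,dc=tv
uid: op01
objectClass: hostObject
objectClass: posixAccount
uidNumber: 1001
homeDirectory: /home/op01
labeledURI: ldaps:///ou=op,ou=host,dc=suntv,dc=tv?host
"""
# What ldapsearch shows once the overlay expands labeledURI into host values.
DYNAMIC_HOSTS = ["192.168.1.21", "192.168.1.22"]

# The access filter sssd logged in sdap_get_generic_ext_step.
ACCESS_FILTER = "(&(uid=op01)(objectclass=posixAccount)(|(host=all)(host=192.168.1.21)))"

def parse_ldif_entry(text: str) -> Entry:
    """Parse one LDIF entry into {attr (lower-cased): [values]}."""
    entry: Entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip(": "))
    return entry

def parse_filter(s: str, i: int = 0):
    """Recursive-descent parser for the RFC 4515 subset used here: (&...), (|...)
    and (attr=value), with value '*' meaning presence."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, kids), i + 1
    end = s.index(")", i)
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), value), end + 1

def evaluate(node, entry: Entry) -> bool:
    """Evaluate a parsed filter against an entry, as the backend does with stored values."""
    if node[0] == "&":
        return all(evaluate(k, entry) for k in node[1])
    if node[0] == "|":
        return any(evaluate(k, entry) for k in node[1])
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    return bool(values) if value == "*" else value.lower() in values

def access_check(ldif: str, flt: str, dynamic_hosts=()) -> bool:
    """True when the entry, plus any overlay-generated host values, satisfies the filter."""
    entry = parse_ldif_entry(ldif)
    if dynamic_hosts:
        entry.setdefault("host", []).extend(dynamic_hosts)
    node, _ = parse_filter(flt)
    return evaluate(node, entry)
```

access_check(STORED_LDIF, ACCESS_FILTER) is False while the same call with DYNAMIC_HOSTS is True, which is the gap between what ldapsearch displays and what the server-side access filter can match.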