Starting SSSD without root
by Tero Saarni
Hi,
I'm trying to run SSSD inside a Docker container without a root user. The
container is executed in an OpenShift cluster which does not allow running as root
inside the container.
SSSD requires root and checks for this specifically.
Is there any workaround for this?
I believe the limitation is implemented for security reasons, in order to have the
most critical parts executed as root and have it drop privileges for other
parts, but this now completely blocks using SSSD in the above environment.
--
Tero
2 weeks, 3 days
group members incorrectly parsing from a custom schema ldap server
by Vasiliy --
Hi all,
I'm trying to make sssd work with an ancient LDAP server which uses a non-RFC2307-compliant schema. It is an IBM Directory Server with a decades-old AIX proprietary schema.
I was able to map the required user attributes easily in sssd.conf, however I'm running into trouble with the groups.
The problem is that the 'member' attribute in each ldap group is stored in LDAP in an unusual format like this:
...
groupname: some_group
objectclass: aixaccessgroup
member: username=some_user_name1
member: username=some_user_name2
member: username=some_user_name3
...
So I think the issue is the 'username=' in front of each user id.
When I try to list the group using getent, I get this:
# getent group some_group
some_group:*:1234:username=some_user_name1,username=some_user_name2,username=some_user_name3,..
i.e. the 'username=' string is prepended to each member id.
Here is what I have in sssd.conf:
...
ldap_user_search_base = ou=aixuser,cn...
ldap_user_object_class = aixaccount
ldap_user_name = username
ldap_user_uid_number = uid
ldap_user_gid_number = gid
ldap_group_search_base = ou=aixgroup,cn...
ldap_group_object_class = aixaccessgroup
ldap_group_gid_number = gid
ldap_group_name = groupname
ldap_group_member = member
...
When a user logs in and sssd tries to enumerate the group memberships it submits an ldap search as ' [(&(member=some_user_name1)(objectClass=aixaccessgroup)(groupname=*)(&(gid=*)(!(gid=0))))] base: [ou=aixgroup,cn...' and of course that returns nothing.
[sdap_get_generic_op_finished] (0x0400): [RID#6] Search result: Invalid DN syntax(34), no errmsg set
[sdap_get_generic_op_finished] (0x0040): [RID#6] Unexpected result from ldap: Invalid DN syntax(34), no errmsg set
I think sssd needs to somehow parse out the 'username=' in the group member attribute.
I've searched this list and all over the internet, but I could not find anything that sounds similar to my issue.
Is there any way to work around this problem?
Thank you
4 weeks
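Added example, not part of the post above and not sssd's own code: it parses a constructed group entry of the shape Vasiliy shows, strips the 'username=' RDN-style prefix from each member value, reproduces the getent line that results, and builds an RFC 4515-escaped filter that matches the stored form 'username=<user>' rather than the bare name. The attribute and object class names come from the post; the helper names are my own.

```python
"""Parse a group entry whose 'member' values carry a 'username=' prefix."""
from collections import defaultdict

# Constructed sample entry, same shape as the one quoted in the post.
SAMPLE_LDIF = """\
groupname: some_group
objectclass: aixaccessgroup
gid: 1234
member: username=some_user_name1
member: username=some_user_name2
member: username=some_user_name3
"""


def parse_ldif_entry(text):
    """Return {attribute: [values]} for one simple LDIF entry.
    Assumes no line folding or base64 ('::') values, as in the sample."""
    entry = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        entry[attr.strip().lower()].append(value.strip())
    return dict(entry)


def member_names(entry, member_attr="member", prefix_attr="username"):
    """Strip the 'username=' prefix; values without it are returned unchanged."""
    names = []
    for value in entry.get(member_attr, []):
        attr, sep, name = value.partition("=")
        names.append(name.strip() if sep and attr.strip().lower() == prefix_attr else value)
    return names


def getent_line(entry):
    """Render the entry the way 'getent group' would once the prefix is removed."""
    return f"{entry['groupname'][0]}:*:{entry['gid'][0]}:{','.join(member_names(entry))}"


def ldap_filter_escape(value):
    """Escape an assertion value per RFC 4515: only * ( ) \\ and NUL need it; '=' does not."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def group_filter_for(user, member_attr="member", prefix_attr="username",
                     object_class="aixaccessgroup"):
    """Filter matching the stored 'username=<user>' form instead of the bare name."""
    stored = f"{prefix_attr}={user}"
    return f"(&({member_attr}={ldap_filter_escape(stored)})(objectClass={object_class}))"
```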
Schema for sss_ssh_knownhostsproxy support
by Christopher Byrne
I'm one of the maintainers of sssd in Gentoo. I have separate openldap, kerberos and DNS servers. I would like to use sss_ssh_knownhostsproxy but I cannot find a schema for the attributes sssd wants.
Here's what it displays when looking it up:
(2024-03-27 20:20:10): [be[EXAMPLE.COM]] [sdap_get_generic_ext_step] (0x0400): [RID#8] calling ldap_search_ext with [(&(objectClass=ipHost)(fqdn=ldap.example.com))][dc=example,dc=com].
(2024-03-27 20:20:10): [be[EXAMPLE.COM]] [sdap_get_generic_ext_step] (0x1000): [RID#8] Requesting attrs: [objectClass]
(2024-03-27 20:20:10): [be[EXAMPLE.COM]] [sdap_get_generic_ext_step] (0x1000): [RID#8] Requesting attrs: [cn]
(2024-03-27 20:20:10): [be[EXAMPLE.COM]] [sdap_get_generic_ext_step] (0x1000): [RID#8] Requesting attrs: [fqdn]
(2024-03-27 20:20:10): [be[EXAMPLE.COM]] [sdap_get_generic_ext_step] (0x1000): [RID#8] Requesting attrs: [serverHostname]
(2024-03-27 20:20:10): [be[EXAMPLE.COM]] [sdap_get_generic_ext_step] (0x1000): [RID#8] Requesting attrs: [sshPublicKey]
sshPublicKey is part of openssh-lpk, but I cannot find "fqdn" or "serverHostname" anywhere.
4 weeks