SSSD does not enumerate by default, so this is pretty much expected behaviour.
Try "getent passwd username" instead.
O.

Sent from Samsung Mobile

Brandon Foster <brandon.foster@liferay.com> wrote:
OK, so after some modification of the LDAP server and use of the
override functions I was able to make it work.
I can now id test.user and get a result, as well as log in as my LDAP users.

But when I do getent passwd |grep <USER> I don't get anything back.

Any ideas why?

On Thu, May 9, 2013 at 3:32 AM, Jakub Hrozek <jhrozek@redhat.com> wrote:
> On Wed, May 08, 2013 at 01:29:24PM -0400, Dmitri Pal wrote:
>> On 05/08/2013 12:57 PM, Brandon Foster wrote:
>> > On Wed, May 8, 2013 at 9:52 AM, Sumit Bose <sbose@redhat.com> wrote:
>> >> On Wed, May 08, 2013 at 09:43:48AM -0700, Brandon Foster wrote:
>> >>> On Wed, May 8, 2013 at 9:26 AM, Wojtak, Greg (Superfly)
>> >>> <GregWojtak@quickenloans.com> wrote:
>> >>>> I think your syntax is a little off.  Try
>> >>>>
>> >>>> ldapsearch -x -LLL '(&(uid=test.user)(objectClass=posixAccount))' uid
>> >>>> uidnumber homedirectory gidnumber loginshell
>> >>>>
>> >>>> You should have those 5 values returned.
>> >>>>
>> >>>> --
>> >>>> Greg Wojtak
>> >>>> Senior Unix Systems Engineer
>> >>>> Office: (313) 373-4306
>> >>>> Mobile: (734) 718-8472
>> >>>>
>> >>>> On 5/8/13 11:52 AM, "Brandon Foster" <brandon.foster@liferay.com> wrote:
>> >>>>
>> >>>>> On Wed, May 8, 2013 at 5:05 AM, Sumit Bose <sbose@redhat.com> wrote:
>> >>>>>> On Tue, May 07, 2013 at 11:39:45AM -0700, Brandon Foster wrote:
>> >>>>>>> Hey all,
>> >>>>>>> I'm back with another LDAP question. This time I rebuilt sssd and
>> >>>>>>> followed this guide:
>> >>>>>>>
>> >>>>>>> http://blog.f1linux.com/2013/04/21/howto-part-3-ldap-client-configuration-and-troubleshooting/
>> >>>>>>> for setting up LDAP authentication on my CentOS 6.4 system.
>> >>>>>>>
>> >>>>>>> My firewall is off and SELinux is disabled.
>> >>>>>>>
>> >>>>>>> When I do an ldapsearch -x "cn=test.user" it returns all the correct
>> >>>>>>> information, but doing id test.user returns no user.
>> >>>>>> As you can see from the logs SSSD is using
>> >>>>>> "(&(uid=test.user)(objectclass=posixAccount))" as search filter, can you
>> >>>>>> check if ldapsearch with this filter finds the entry as well?
>> >>>>>> Additionally can you check that the user object is located below the
>> >>>>>> search base you have given in sssd.conf?
>> >>>>>>
>> >>>>>> HTH
>> >>>>>>
>> >>>>>> bye,
>> >>>>>> Sumit
>> >>>>>>> I've attached the log files and all of the relevant files and maybe
>> >>>>>>> some non relevant ones as well.
>> >>>>>>>
>> >>>>>>> It appears as though it is searching for the user but is simply not
>> >>>>>>> finding anything. Is there an option to search for cn=test.user, and
>> >>>>>>> not by uid?
>> >>>>>>>
>> >>>>>>> any help will be much appreciated.
>> >>>>>>
>> >>>>>>> _______________________________________________
>> >>>>>>> sssd-users mailing list
>> >>>>>>> sssd-users@lists.fedorahosted.org
>> >>>>>>> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>> >>>>> thanks for the reply,
>> >>>>> the user is definitely under the groups in sssd.conf.
>> >>>>>
>> >>>>> ldapsearch with objectclass=posixAccount seems to be part of the
>> >>>>> issue. Also it is searching for uid rather than the cn of the user.
>> >>>>>
>> >>>>> If I do ldapsearch -x "uid=<UID of test.user>" it works fine.
>> >>>>>
>> >>>>> If I do ldapsearch -x "uid=<UID of test.user>"
>> >>>>> "objectclass=posixAccount" it does not.
>> >>>>>
>> >>>>> ldapsearch -x "uid=test.user" returns all of the users in the search.
>> >>>>>
>> >>>>> And finally ldapsearch -x "uid=test.user" "objectclass=posixAccount"
>> >>>>> returns no users.
>> >>>>>
>> >>>>> So how do I tell my sssd to not use this filter, and to use cn instead of
>> >>>>> uid?
>> >>>
>> >>> Sorry, not too familiar with the ldapsearch commands.
>> >>>
>> >>> Anyway, test.user is not of objectclass posixAccount, so with that
>> >>> filter nothing comes back. If I change it to cn= and objectclass=<an
>> >>> objectclass test.user is a part of> then it just returns the DN of the
>> >>> user.
>> >>>
>> >>> ldap_user_name = cn
>> >>> ldap_user_object_class =
>> >>>
>> >>> attributes in sssd.conf seem to be altering these values for me when I
>> >>> search for the id of test.user.
>> >>>
>> >>> But it can't seem to find uid uidnumber homedirectory gidnumber or
>> >>> loginshell attributes for my users.
>> >> It looks like you are using a custom LDAP schema. You can map the
>> >> default attributes for home directory etc. to other values with
>> >>
>> >> ldap_user_home_directory
>> >> ldap_user_uid_number
>> >> ldap_user_gid_number
>> >> ldap_user_shell
>> >>
>> >> respectively, see man sssd-ldap for more details, e.g. how to map group
>> >> attributes.
>> >>
>> >> HTH
>> >>
>> >> bye,
>> >> Sumit
>> >
>> > Yeah, a large part of my problem is that I did not set up this LDAP.
>> >
>> > Is there a way I can assign, say, a gid or home directory rather than
>> > getting it from LDAP?
>>
>> gid - no
>
> In general you can't override the group list the user is a member of but
> you can override the primary gid. See the "override_gid" option in man
> sssd.conf
>
>> but with home directory you can have a local override. See man pages for
>> more details.



--
Brandon Foster
Infrastructure Administrator

Liferay, Inc.
Enterprise. Open Source. For life.
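
Added example, not part of any message in this thread and not SSSD code: a Python model of the lookup filter quoted above and of the attribute-mapping options from man sssd-ldap, showing why the default filter misses an entry from a custom schema and which attributes are still unresolved after each mapping step. The entry and every `example*` class or attribute name are constructed placeholders.

```python
# Added example: a simplified model of the user lookup discussed in this thread.
# It is not SSSD code. The entry and every "example*" name are constructed.

# Option names from man sssd-ldap with their rfc2307 defaults.
DEFAULT_MAP = {
    "ldap_user_object_class": "posixAccount",
    "ldap_user_name": "uid",
    "ldap_user_uid_number": "uidNumber",
    "ldap_user_gid_number": "gidNumber",
    "ldap_user_home_directory": "homeDirectory",
    "ldap_user_shell": "loginShell",
}
POSIX_OPTS = ["ldap_user_uid_number", "ldap_user_gid_number",
              "ldap_user_home_directory", "ldap_user_shell"]

# Constructed entry from a hypothetical custom schema: login name lives in cn,
# uid holds an opaque identifier, and there is no posixAccount object class.
ENTRY = {
    "objectClass": ["top", "exampleUser"],
    "cn": ["test.user"],
    "uid": ["e10042"],
    "exampleUidNumber": ["10042"],
    "exampleHome": ["/home/test.user"],
    "exampleShell": ["/bin/bash"],
}

def user_filter(mapping, login):
    """Filter of the shape quoted in the thread: (&(name=login)(objectclass=class))."""
    return "(&({}={})(objectclass={}))".format(
        mapping["ldap_user_name"], login, mapping["ldap_user_object_class"])

def matches(entry, mapping, login):
    """True if the entry satisfies user_filter(); comparison is case-insensitive."""
    attrs = {k.lower(): [v.lower() for v in vals] for k, vals in entry.items()}
    name_ok = login.lower() in attrs.get(mapping["ldap_user_name"].lower(), [])
    class_ok = mapping["ldap_user_object_class"].lower() in attrs.get("objectclass", [])
    return name_ok and class_ok

def missing_posix_attrs(entry, mapping):
    """Mapping options whose target attribute is absent from the entry."""
    present = {k.lower() for k in entry}
    return [opt for opt in POSIX_OPTS if mapping[opt].lower() not in present]

# Step 1: change only the name attribute and object class.
NAME_ONLY_MAP = dict(DEFAULT_MAP, ldap_user_name="cn", ldap_user_object_class="exampleUser")
# Step 2: also remap the POSIX attributes to the custom schema's names.
CUSTOM_MAP = dict(NAME_ONLY_MAP, ldap_user_uid_number="exampleUidNumber",
                  ldap_user_home_directory="exampleHome", ldap_user_shell="exampleShell")
```

With `CUSTOM_MAP` the only option left without a backing attribute is `ldap_user_gid_number`, which is the case the `override_gid` option mentioned in the thread covers.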