On Fri, Nov 13, 2015 at 03:36:03PM -0800, aaron wang wrote:
Hi Lukas, Sumit, Jakub,
Thank you very much for your reply.
I tried to update to sssd-1.12.4. The behavior is the same as with sssd-1.9.2.
I observed the following things (with the ldap server side disallowing anonymous
binding):
1) "Got rootdse" is printed before "[simple_bind_send] (0x0100):
Executing simple bind as: cn=myadminuser"
We try to retrieve rootDSE anonymously first and only if that fails,
retry even the rootdse with the bind method from the config.
2) Server is marked as "working"
3) If I issue "id oneuser", there will be such a log:
calling ldap_search_ext with
[(&(uid=oneuser)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=mydomain,dc=com].
4) and at last, "[sdap_get_users_done] (0x0040): Failed to retrieve
users"
My thoughts:
ldapsearch -h myhostname -p myportnumber -b "dc=mydomain,dc=com" -D "cn=myadminuser" -W '(&(uid=oneuser)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))'
The above ldapsearch can return the user; the "cn=myadminuser" is what I
provided in the sssd.conf as "ldap_default_bind_dn", and for -W I provided the
password that is in the sssd.conf as "ldap_default_authtok".
And I guess the rootDSE is not the key thing here, as rootDSE is retrieved
successfully from the log.
And also, when I issue "id oneuser", SSSD is trying to use the cached
connection (I assume this cached connection is the one cn=myadminuser
started). So it shouldn't be treated as anonymous binding, correct?
Correct.
Any thoughts on these? Let me know if you need extra information.
Full logs would be best. Please also look into the server logs if
you have access.
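One way to triage such an excerpt offline, as an added example that is not part of this thread or of SSSD itself: a small Python parser over the quoted debug lines that orders the rootDSE, bind, search and result events and reports whether the failing search ran on the connection bound as the configured ldap_default_bind_dn. The constructed sample reuses the four log lines quoted above; the function names on the rootDSE and search lines are assumptions, since the quote shows only their messages.

```python
import re

# Constructed sample: the four log lines quoted in the thread, in the observed order.
# Function names on the first and third lines are assumed; the thread quotes only the messages.
SAMPLE_LOG = """\
[sdap_get_rootdse_done] (0x2000): Got rootdse
[simple_bind_send] (0x0100): Executing simple bind as: cn=myadminuser
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=oneuser)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=mydomain,dc=com].
[sdap_get_users_done] (0x0040): Failed to retrieve users
"""

LINE_RE = re.compile(r"^\[(?P<fn>[^\]]+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
BIND_RE = re.compile(r"Executing simple bind as: (?P<dn>.+)$")
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>.*?)\]\[(?P<base>[^\]]*)\]")


def parse_line(line: str) -> "dict | None":
    """Split one sssd debug line into function, level and message (None for other lines)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text: str, expected_bind_dn: str) -> dict:
    """Order the rootDSE, bind, search and result events and say which step failed."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    r = {"rootdse_index": None, "bind_index": None, "bind_dn": None,
         "search_filter": None, "search_base": None, "users_failed": False}
    for i, e in enumerate(events):
        msg = e["msg"]
        if msg == "Got rootdse" and r["rootdse_index"] is None:
            r["rootdse_index"] = i
        elif (m := BIND_RE.search(msg)):
            r["bind_index"], r["bind_dn"] = i, m.group("dn").strip()
        elif (m := SEARCH_RE.search(msg)):
            r["search_filter"], r["search_base"] = m.group("filter"), m.group("base")
        elif msg.startswith("Failed to retrieve users"):
            r["users_failed"] = True
    # A rootDSE read logged before any bind was done anonymously, as the reply above explains.
    r["rootdse_anonymous"] = r["rootdse_index"] is not None and (
        r["bind_index"] is None or r["rootdse_index"] < r["bind_index"])
    if r["bind_dn"] is None:
        r["verdict"] = "no simple bind logged: the search ran on an anonymous connection"
    elif r["bind_dn"] != expected_bind_dn:
        r["verdict"] = "bound as %s, not the configured ldap_default_bind_dn" % r["bind_dn"]
    elif r["users_failed"]:
        r["verdict"] = ("bound as the configured DN but the search still failed: "
                        "rerun the same filter with ldapsearch -D and check the server logs")
    else:
        r["verdict"] = "no failure found in this excerpt"
    return r
```

Calling triage(SAMPLE_LOG, "cn=myadminuser") on the quoted lines confirms the bind DN matches the configured one and that the failure is in the search step, not in the anonymous rootDSE read.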