On Wed, May 8, 2013 at 9:52 AM, Sumit Bose <sbose(a)redhat.com> wrote:
> On Wed, May 08, 2013 at 09:43:48AM -0700, Brandon Foster wrote:
>> On Wed, May 8, 2013 at 9:26 AM, Wojtak, Greg (Superfly)
>> <GregWojtak(a)quickenloans.com> wrote:
>>> I think your syntax is a little off. Try
>>>
>>> ldapsearch -x -LLL '(&(uid=test.user)(objectClass=posixAccount))' uid
>>> uidnumber homedirectory gidnumber loginshell
>>>
>>> You should have those 5 values returned.
>>>
>>> --
>>> Greg Wojtak
>>> Senior Unix Systems Engineer
>>> Office: (313) 373-4306
>>> Mobile: (734) 718-8472
>>>
>>> On 5/8/13 11:52 AM, "Brandon Foster" <brandon.foster(a)liferay.com> wrote:
>>>
>>>> On Wed, May 8, 2013 at 5:05 AM, Sumit Bose <sbose(a)redhat.com> wrote:
>>>>> On Tue, May 07, 2013 at 11:39:45AM -0700, Brandon Foster wrote:
>>>>>> Hey all,
>>>>>> I'm back with another LDAP question. This time I rebuilt sssd and
>>>>>> followed this guide:
>>>>>>
>>>>>> http://blog.f1linux.com/2013/04/21/howto-part-3-ldap-client-configuration-and-troubleshooting/
>>>>>>
>>>>>> for setting up LDAP authentication on my CentOS 6.4 system.
>>>>>>
>>>>>> My firewall is off and SELinux is disabled.
>>>>>>
>>>>>> When I do an ldapsearch -x "cn=test.user" it returns all the correct
>>>>>> information, but doing id test.user returns no user.
>>>>> As you can see from the logs, SSSD is using
>>>>> "(&(uid=test.user)(objectclass=posixAccount))" as the search filter. Can you
>>>>> check if ldapsearch with this filter finds the entry as well?
>>>>> Additionally can you check that the user object is located below the
>>>>> search base you have given in sssd.conf?
>>>>>
>>>>> HTH
>>>>>
>>>>> bye,
>>>>> Sumit
>>>>>> I've attached the log files and all of the relevant files and maybe
>>>>>> some non-relevant ones as well.
>>>>>>
>>>>>> It appears as though it is searching for the user but is simply not
>>>>>> finding anything. Is there an option to search for cn=test.user and
>>>>>> not by uid?
>>>>>>
>>>>>> Any help will be much appreciated.
>>>>>
>>>>>> _______________________________________________
>>>>>> sssd-users mailing list
>>>>>> sssd-users(a)lists.fedorahosted.org
>>>>>> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>>>> Thanks for the reply.
>>>> The user is definitely under the groups in sssd.conf.
>>>>
>>>> ldapsearch with objectclass=posixAccount seems to be part of the
>>>> issue. Also it is searching for uid rather than the cn of the user.
>>>>
>>>> If I do ldapsearch -x "uid=<UID of test.user>" it works fine.
>>>>
>>>> If I do ldapsearch -x "uid=<UID of test.user>"
>>>> "objectclass=posixAccount" it does not.
>>>>
>>>> ldapsearch -x "uid=test.user" returns all of the users in the search.
>>>>
>>>> And finally ldapsearch -x "uid=test.user" "objectclass=posixAccount"
>>>> returns no users.
>>>>
>>>> So how do I tell my sssd to not use this filter, and to use cn instead
>>>> of uid?
>>
>> Sorry, not too familiar with the ldapsearch commands.
>>
>> Anyways, test.user is not of objectclass posixAccount, so with that
>> filter nothing comes back. If I change it to cn= and objectclass=<an
>> objectclass test.user is a part of> then it just returns the DN of the
>> user.
>>
>> ldap_user_name = cn
>> ldap_user_object_class =
>>
>> attributes in sssd.conf seem to be altering these values for me when I
>> search for the id of test.user.
>>
>> But it can't seem to find uid, uidnumber, homedirectory, gidnumber or
>> loginshell attributes for my users.
> It looks like you are using a custom LDAP schema. You can map the
> default attributes for home directory etc. to other values with
>
> ldap_user_home_directory
> ldap_user_uid_number
> ldap_user_gid_number
> ldap_user_shell
>
> respectively; see man sssd-ldap for more details, e.g. how to map group
> attributes.
>
> HTH
>
> bye,
> Sumit
Yeah, a large part of my problem is that I did not set up this LDAP.
Is there a way I can assign, say, a gid or home directory rather than
getting it from LDAP?
gid - no.
But with home directory you can have a local override. See man pages for
more details.
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
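The two answers in this thread, mapping a custom schema onto the attributes SSSD's LDAP provider expects (ldap_user_name, ldap_user_uid_number, etc.) and overriding the home directory locally, are easy to get subtly wrong because the failure mode is just "id returns nothing". The script below is an added example, not code from the thread or from the SSSD project: it reads an sssd.conf fragment, applies the ldap_user_* mapping (with the sssd-ldap defaults for anything not set), builds the same lookup filter SSSD was seen using in the logs, and reports which required attributes an entry lacks after mapping. The sssd.conf fragment, the LDIF entry, and the attribute names employeeNumber and departmentNumber standing in for a custom schema are all constructed for the example; the default attribute names come from man sssd-ldap, and override_homedir is the real sssd.conf option for a local home-directory override (its %u template expands to the login name).

```python
"""Check whether an LDAP entry satisfies SSSD's user lookup, given the
ldap_user_* attribute mapping in sssd.conf. Added example; all inputs below
are constructed, not taken from the mailing-list thread."""
import configparser

# Constructed sssd.conf fragment: a schema where the POSIX attributes carry
# non-default names, mapped back with the ldap_user_* options, plus a local
# home directory override (override_homedir is a real sssd.conf option).
SSSD_CONF = """\
[domain/example]
id_provider = ldap
ldap_search_base = ou=people,dc=example,dc=com
ldap_user_object_class = inetOrgPerson
ldap_user_name = cn
ldap_user_uid_number = employeeNumber
ldap_user_gid_number = departmentNumber
ldap_user_shell = loginShell
override_homedir = /home/%u
"""

# Constructed LDIF for a user that is NOT a posixAccount, like test.user in
# the thread, and that has no uid/uidNumber/gidNumber/homeDirectory attributes.
LDIF_ENTRY = """\
dn: cn=test.user,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: test.user
sn: User
employeeNumber: 10001
departmentNumber: 5000
loginShell: /bin/bash
"""

# sssd.conf option -> default LDAP attribute name (from man sssd-ldap)
DEFAULTS = {
    "ldap_user_object_class": "posixAccount",
    "ldap_user_name": "uid",
    "ldap_user_uid_number": "uidNumber",
    "ldap_user_gid_number": "gidNumber",
    "ldap_user_home_directory": "homeDirectory",
    "ldap_user_shell": "loginShell",
}


def parse_ldif(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}.
    LDAP attribute names are case-insensitive, so keys are lowercased."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def parse_mapping(conf_text, domain):
    """Effective attribute names for a domain: the explicit sssd.conf value
    if set, otherwise the sssd-ldap default. interpolation=None keeps the
    '%u' in override_homedir from being treated as configparser syntax."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = cp["domain/%s" % domain]
    mapping = {opt: section.get(opt, default) for opt, default in DEFAULTS.items()}
    mapping["override_homedir"] = section.get("override_homedir")
    return mapping


def user_filter(mapping, username):
    """The filter SSSD's LDAP provider sends for a user lookup, i.e. the
    '(&(uid=test.user)(objectclass=posixAccount))' seen in the thread's logs."""
    return "(&(%s=%s)(objectClass=%s))" % (
        mapping["ldap_user_name"], username, mapping["ldap_user_object_class"])


def check_user(entry, mapping, username):
    """Report whether the entry matches SSSD's filter, which mapped POSIX
    attributes it still lacks, and what home directory SSSD would use."""
    name_attr = mapping["ldap_user_name"].lower()
    want_oc = mapping["ldap_user_object_class"].lower()
    classes = [v.lower() for v in entry.get("objectclass", [])]
    matches = username in entry.get(name_attr, []) and want_oc in classes

    # The five attributes id(1) needs; the home directory is only required
    # from LDAP when no local override is configured.
    required = ["ldap_user_name", "ldap_user_uid_number",
                "ldap_user_gid_number", "ldap_user_shell"]
    if not mapping["override_homedir"]:
        required.insert(3, "ldap_user_home_directory")
    missing = [mapping[o] for o in required if mapping[o].lower() not in entry]

    if mapping["override_homedir"]:
        homedir = mapping["override_homedir"].replace("%u", username)
    else:
        vals = entry.get(mapping["ldap_user_home_directory"].lower(), [])
        homedir = vals[0] if vals else None
    return {"filter": user_filter(mapping, username), "matches_filter": matches,
            "missing": missing, "homedir": homedir}


if __name__ == "__main__":
    entry = parse_ldif(LDIF_ENTRY)
    for label, conf in (("mapped", SSSD_CONF),
                        ("defaults", "[domain/example]\nid_provider = ldap\n")):
        print(label, check_user(entry, parse_mapping(conf, "example"), "test.user"))
```

Run it as-is and the "defaults" line reproduces the thread's symptom (filter does not match, uid/uidNumber/gidNumber/homeDirectory reported missing), while the "mapped" line shows the same entry resolving once the object class, name and number attributes are remapped and the home directory comes from override_homedir. Against a real directory, the same check is `ldapsearch -x -LLL '<filter printed above>' <the mapped attribute names>`, which is exactly the command suggested earlier in the thread with the defaults substituted.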