OK, so after some modification of the LDAP server and use of the
override functions I was able to make it work.
I can now id test.user and get a result, as well as log in as my LDAP users.
But when I do getent passwd | grep <USER> I don't get anything back.
Any ideas why?

On Thu, May 9, 2013 at 3:32 AM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
On Wed, May 08, 2013 at 01:29:24PM -0400, Dmitri Pal wrote:
> On 05/08/2013 12:57 PM, Brandon Foster wrote:
> > On Wed, May 8, 2013 at 9:52 AM, Sumit Bose <sbose(a)redhat.com> wrote:
> >> On Wed, May 08, 2013 at 09:43:48AM -0700, Brandon Foster wrote:
> >>> On Wed, May 8, 2013 at 9:26 AM, Wojtak, Greg (Superfly)
> >>> <GregWojtak(a)quickenloans.com> wrote:
> >>>> I think your syntax is a little off. Try
> >>>>
> >>>> ldapsearch -x -LLL '(&(uid=test.user)(objectClass=posixAccount))' uid uidnumber homedirectory gidnumber loginshell
> >>>>
> >>>> You should have those 5 values returned.
> >>>>
> >>>> --
> >>>> Greg Wojtak
> >>>> Senior Unix Systems Engineer
> >>>> Office: (313) 373-4306
> >>>> Mobile: (734) 718-8472
> >>>>
> >>>> On 5/8/13 11:52 AM, "Brandon Foster" <brandon.foster(a)liferay.com> wrote:
> >>>>
> >>>>> On Wed, May 8, 2013 at 5:05 AM, Sumit Bose <sbose(a)redhat.com> wrote:
> >>>>>> On Tue, May 07, 2013 at 11:39:45AM -0700, Brandon Foster wrote:
> >>>>>>> Hey all,
> >>>>>>> I'm back with another LDAP question. This time I rebuilt sssd and
> >>>>>>> followed this guide:
> >>>>>>>
> >>>>>>> http://blog.f1linux.com/2013/04/21/howto-part-3-ldap-client-configuration-and-troubleshooting/
> >>>>>>> for setting up LDAP authentication on my CentOS 6.4 system.
> >>>>>>>
> >>>>>>> My firewall is off and SELinux is disabled.
> >>>>>>>
> >>>>>>> When I do an ldapsearch -x "cn=test.user" it returns all the correct
> >>>>>>> information, but doing id test.user returns no user.
> >>>>>> As you can see from the logs SSSD is using
> >>>>>> "(&(uid=test.user)(objectclass=posixAccount))" as search filter, can you
> >>>>>> check if ldapsearch with this filter finds the entry as well?
> >>>>>> Additionally can you check that the user object is located below the
> >>>>>> search base you have given in sssd.conf?
> >>>>>>
> >>>>>> HTH
> >>>>>>
> >>>>>> bye,
> >>>>>> Sumit
> >>>>>>> I've attached the log files and all of the relevant files and maybe
> >>>>>>> some non-relevant ones as well.
> >>>>>>>
> >>>>>>> It appears as though it is searching for the user but is simply not
> >>>>>>> finding anything. Is there an option to search for cn=test.user, and
> >>>>>>> not by uid?
> >>>>>>>
> >>>>>>> any help will be much appreciated.
> >>>>>>
> >>>>>>> _______________________________________________
> >>>>>>> sssd-users mailing list
> >>>>>>> sssd-users(a)lists.fedorahosted.org
> >>>>>>> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
> >>>>> Thanks for the reply,
> >>>>> the user is definitely under the groups in sssd.conf.
> >>>>>
> >>>>> ldapsearch with objectclass=posixAccount seems to be part of the
> >>>>> issue. Also it is searching for uid rather than the cn of the user.
> >>>>>
> >>>>> If I do ldapsearch -x "uid=<UID of test.user>" it works fine.
> >>>>>
> >>>>> If I do ldapsearch -x "uid=<UID of test.user>"
> >>>>> "objectclass=posixAccount" it does not.
> >>>>>
> >>>>> ldapsearch -x "uid=test.user" returns all of the users in the search.
> >>>>>
> >>>>> And finally ldapsearch -x "uid=test.user" "objectclass=posixAccount"
> >>>>> returns no users.
> >>>>>
> >>>>> So how do I tell my sssd to not use this filter, and to use cn instead of
> >>>>> uid?
> >>>
> >>> Sorry, not too familiar with the ldapsearch commands.
> >>>
> >>> Anyways, test.user is not of objectclass posixAccount so with that
> >>> filter nothing comes back. If I change it to cn= and objectclass=<an
> >>> objectclass test.user is a part of> then it just returns the DN of the
> >>> user.
> >>>
> >>> ldap_user_name = cn
> >>> ldap_user_object_class =
> >>>
> >>> attributes in sssd.conf seem to be altering these values for me when I
> >>> search for the id of test.user.
> >>>
> >>> But it can't seem to find uid, uidnumber, homedirectory, gidnumber or
> >>> loginshell attributes for my users.
> >> It looks like you are using a custom LDAP schema. You can map the
> >> default attributes for home directory etc to other values with
> >>
> >> ldap_user_home_directory
> >> ldap_user_uid_number
> >> ldap_user_gid_number
> >> ldap_user_shell
> >>
> >> respectively, see man sssd-ldap for more details, e.g. how to map group
> >> attributes.
> >>
> >> HTH
> >>
> >> bye,
> >> Sumit
> >
> > yeah, a large part of my problem is that I did not set up this ldap.
> >
> > is there a way I can assign say a gid or home directory rather than
> > getting it from ldap?
>
> gid - no
In general you can't override the group list the user is a member of but
you can override the primary gid. See the "override_gid" option in man
sssd.conf
> but with home directory you can have a local override. See man pages for
> more details.
--
Brandon Foster
Infrastructure Administrator
Liferay, Inc.
Enterprise. Open Source. For life.
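
Added example, not part of the original thread: a shell helper that reads one LDIF entry (as printed by the ldapsearch -x -LLL command quoted above) and lists which of the five requested attributes are absent, next to the sssd.conf option named in the thread that remaps it. The function name and both sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads one LDIF entry on stdin and
# prints "<missing attribute> <sssd.conf option>" per line; nothing if complete.
missing_posix_attrs() {
    awk '
        BEGIN {
            # The five attributes requested in the quoted ldapsearch command.
            n = split("uid uidNumber homeDirectory gidNumber loginShell", want, " ")
            # sssd-ldap options that remap each one, in the same order.
            opts = "ldap_user_name ldap_user_uid_number ldap_user_home_directory"
            opts = opts " ldap_user_gid_number ldap_user_shell"
            split(opts, opt, " ")
        }
        # LDIF attribute lines look like "name: value" or "name:: base64".
        /^[A-Za-z][A-Za-z0-9;-]*:/ {
            name = $0
            sub(/:.*/, "", name)   # keep only the attribute description
            sub(/;.*/, "", name)   # drop attribute options such as ;binary
            seen[tolower(name)] = 1   # LDAP attribute names are case-insensitive
        }
        END {
            for (i = 1; i <= n; i++) {
                key = tolower(want[i])
                if (!(key in seen))
                    print want[i] " " opt[i]
            }
        }'
}

# Constructed sample: an entry from a custom schema with no POSIX attributes.
SAMPLE_CUSTOM='dn: cn=test.user,ou=people,dc=example,dc=com
cn: test.user
uid: 10423
mail: test.user@example.com'

# Constructed sample: an entry carrying all five attributes.
SAMPLE_POSIX='dn: uid=test.user,ou=people,dc=example,dc=com
uid: test.user
uidNumber: 10423
gidNumber: 10000
homeDirectory: /home/test.user
loginShell: /bin/bash'

printf '%s\n' "$SAMPLE_CUSTOM" | missing_posix_attrs
```

Against a live directory, pipe the ldapsearch -x -LLL output for a single user into missing_posix_attrs instead of the sample.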