Hi Lukas, Sumit, Jakub,
Thank you very much for your reply.
I tried updating to sssd-1.12.4. The behavior is the same as with sssd-1.9.2.
I observed the following things (with the LDAP server side disallowing anonymous binding):
1) Got rootdse is printed before [simple_bind_send] (0x0100): Executing simple bind as: cn=myadminuser
2) Server is marked as "working"
3) If I issue "id oneuser", there will be a log like this:
calling ldap_search_ext with [(&(uid=oneuser)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=mydomain,dc=com].
4) And at last, [sdap_get_users_done] (0x0040): Failed to retrieve users
My thoughts:
ldapsearch -h myhostname -p myportnumber -b "dc=mydomain,dc=com" -D "cn=myadminuser" -W '(&(uid=oneuser)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))'
The above ldapsearch can return the user; "cn=myadminuser" is what I provided in sssd.conf as "ldap_default_bind_dn", and for -W I provided the password set in sssd.conf as "ldap_default_authtok".
And I guess the rootDSE is not the key thing here, as the rootDSE is retrieved successfully according to the log.
And also, when I issue "id oneuser", SSSD is trying to use the cached connection (I assume this cached connection is the one cn=myadminuser started). So it shouldn't be treated as anonymous binding, correct?
Any thoughts on these? Let me know if you need extra information.
Thanks,
Aaron