I have a number of systems all on CentOS 6.5 with sssd-1.9.2 and had been using enumerate = True to support SLURM.  After bringing ~300 nodes online all with enumeration enabled, I found my LDAP server was getting hit hard every 5 minutes.  We've opted to disable enumeration, but since then all group membership lookups are failing.

$ getent group general
<no output>

The sssd_LDAP.log shows:

(Thu Oct 30 18:41:03 2014) [sssd[be[LDAP]]] [sdap_connect_done] (0x0080): START TLS result: Success(0), Start TLS request accepted.Server willing to negotiate SSL.
(Thu Oct 30 18:41:03 2014) [sssd[be[LDAP]]] [sdap_get_server_opts_from_rootdse] (0x0200): No known USN scheme is supported by this server!
(Thu Oct 30 18:41:03 2014) [sssd[be[LDAP]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Protocol error(2), A dereference attribute must have DN syntax
(Thu Oct 30 18:41:03 2014) [sssd[be[LDAP]]] [sdap_deref_search_done] (0x0040): dereference processing failed [5]: Input/output error
(Thu Oct 30 18:41:03 2014) [sssd[be[LDAP]]] [sdap_nested_group_deref_direct_done] (0x0020): Error processing direct membership [5]: Input/output error
(Thu Oct 30 18:41:03 2014) [sssd[be[LDAP]]] [sdap_nested_done] (0x0020): Nested group processing failed: [5][Input/output error]
(Thu Oct 30 18:41:03 2014) [sssd[be[LDAP]]] [sdap_id_op_done] (0x0200): communication error on cached connection, moving to next server

If I re-enable enumeration, "getent group" works just fine.  If I do an "id" on a user account, their primary group just shows the GID, no group name, which is breaking numerous applications.  As a test I upgraded a dev system to sssd-1.11.6 based on this bug report, https://bugzilla.redhat.com/show_bug.cgi?id=1109188.  However, the issue persists.  I've cleared caches and the result is the same.

The LDAP servers are 389ds version 1.2.11.15-32.el6.

Below is my sssd.conf.  What else can be done to debug this or resolve this issue?

Thanks,
- Trey

[sssd]
config_file_version = 2
debug_level = 0x02F0
reconnection_retries = 3
sbus_timeout = 30
services = nss,pam,sudo,ssh
domains = LDAP

[nss]
debug_level = 0x02F0
reconnection_retries = 3
filter_groups = root,wheel
filter_users = root

[pam]
debug_level = 0x02F0
reconnection_retries = 3
offline_credentials_expiration = 0

[sudo]

[ssh]

[domain/LDAP]
debug_level = 0x02F0
cache_credentials = TRUE
entry_cache_timeout = 6000
enumerate = FALSE

id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
sudo_provider = ldap

ldap_uri = ldap://ldap01.DOMAIN,ldap://ldap02.DOMAIN
ldap_search_base = <OMIT>
ldap_network_timeout = 3
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/puppet-ca.crt
ldap_schema = rfc2307bis
ldap_id_use_start_tls = TRUE
ldap_chpass_update_last_change = TRUE
ldap_group_member = uniquemember
ldap_group_object_class = posixGroup
ldap_group_name = cn
ldap_pwd_policy = none
ldap_account_expire_policy = 389ds
ldap_access_order = filter,expire
ldap_access_filter = (objectclass=posixaccount)
ldap_sudo_search_base = ou=SUDOers,<OMIT>
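An added diagnostic example, not part of Trey's post or of sssd/389-ds. The log line "A dereference attribute must have DN syntax" comes from the server rejecting the dereference control sssd uses for non-enumerated group lookups, so the first thing to check is what syntax the configured ldap_group_member attribute (uniquemember here) actually has in the server schema. The script below resolves an attribute's SYNTAX OID from attributeTypes definitions, following SUP inheritance, and compares it against the DN syntax OID from RFC 4517. The schema lines embedded in it are constructed samples shaped like ldapsearch output against cn=schema; the attribute definitions follow RFC 4519, where member is DN syntax and uniqueMember is Name and Optional UID. Run the commented ldapsearch against your own 389-ds to get the real lines.

```bash
#!/bin/sh
# Added example (not from the original post). Checks whether an LDAP
# attribute's schema definition uses the DN syntax that the 389-ds
# dereference control requires.
#
# Against a real server, fetch the definitions with (host name taken
# from the post's placeholder config):
#   ldapsearch -x -ZZ -H ldap://ldap01.DOMAIN -b cn=schema -s base attributeTypes
# and feed the lines for the attribute(s) of interest into SAMPLE_SCHEMA.

# Syntax OIDs from RFC 4517
DN_SYNTAX='1.3.6.1.4.1.1466.115.121.1.12'       # Distinguished Name
NAME_UID_SYNTAX='1.3.6.1.4.1.1466.115.121.1.34' # Name and Optional UID

# Constructed sample schema lines (RFC 4519 definitions). A real server
# may wrap long values; unwrap them before pasting.
SAMPLE_SCHEMA="attributeTypes: ( 2.5.4.49 NAME 'distinguishedName' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'RFC 4519' )
attributeTypes: ( 2.5.4.31 NAME 'member' SUP distinguishedName X-ORIGIN 'RFC 4519' )
attributeTypes: ( 2.5.4.50 NAME 'uniqueMember' EQUALITY uniqueMemberMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 X-ORIGIN 'RFC 4519' )"

# Print the attributeTypes line whose NAME matches $1 (case-insensitive).
# Only handles the single-name form NAME 'x', not NAME ( 'x' 'y' ).
schema_line() {
    printf '%s\n' "$SAMPLE_SCHEMA" | grep -i "NAME '$1'"
}

# Print the SYNTAX OID of attribute $1, following SUP if the definition
# inherits its syntax instead of stating it.
attr_syntax() {
    line=$(schema_line "$1") || return 1
    oid=$(printf '%s\n' "$line" | sed -n 's/.*SYNTAX \([0-9.]*\).*/\1/p')
    if [ -n "$oid" ]; then
        printf '%s\n' "$oid"
        return 0
    fi
    sup=$(printf '%s\n' "$line" | sed -n 's/.*SUP \([A-Za-z0-9-]*\).*/\1/p')
    [ -n "$sup" ] || return 1
    attr_syntax "$sup"
}

# Print "ok" and return 0 if $1 has DN syntax; otherwise explain why
# the deref control would reject it and return 1.
deref_ok() {
    oid=$(attr_syntax "$1") || { echo "unknown attribute: $1"; return 2; }
    if [ "$oid" = "$DN_SYNTAX" ]; then
        echo "ok"
    elif [ "$oid" = "$NAME_UID_SYNTAX" ]; then
        echo "not DN syntax: Name and Optional UID ($oid)"
        return 1
    else
        echo "not DN syntax: $oid"
        return 1
    fi
}

# Report on the two usual group-member attributes.
for a in member uniqueMember; do
    printf '%-13s %s\n' "$a" "$(deref_ok "$a")"
done
```

If the configured member attribute turns out not to have DN syntax, a cheap way to confirm that the dereference control is what breaks the lookups is to set ldap_deref_threshold = 0 in the [domain/LDAP] section (per sssd-ldap(5), 0 disables dereference lookups so sssd falls back to per-member searches) and retry getent with caches cleared. That is a test, not a fix; check the option against the man page for the sssd version actually installed.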