On 05/08/2013 12:57 PM, Brandon Foster wrote:
> On Wed, May 8, 2013 at 9:52 AM, Sumit Bose <sbose(a)redhat.com> wrote:
>> On Wed, May 08, 2013 at 09:43:48AM -0700, Brandon Foster wrote:
>>> On Wed, May 8, 2013 at 9:26 AM, Wojtak, Greg (Superfly)
>>> <GregWojtak(a)quickenloans.com> wrote:
>>>> I think your syntax is a little off. Try
>>>>
>>>> ldapsearch -x -LLL '(&(uid=test.user)(objectClass=posixAccount))' uid uidnumber homedirectory gidnumber loginshell
>>>>
>>>> You should have those 5 values returned.
>>>>
>>>> --
>>>> Greg Wojtak
>>>> Senior Unix Systems Engineer
>>>> Office: (313) 373-4306
>>>> Mobile: (734) 718-8472
>>>>
>>>> On 5/8/13 11:52 AM, "Brandon Foster" <brandon.foster(a)liferay.com> wrote:
>>>>
>>>>> On Wed, May 8, 2013 at 5:05 AM, Sumit Bose <sbose(a)redhat.com> wrote:
>>>>>> On Tue, May 07, 2013 at 11:39:45AM -0700, Brandon Foster wrote:
>>>>>>> Hey all,
>>>>>>> I'm back with another LDAP question. This time I rebuilt sssd and
>>>>>>> followed this guide:
>>>>>>>
>>>>>>> http://blog.f1linux.com/2013/04/21/howto-part-3-ldap-client-configuration-and-troubleshooting/
>>>>>>> for setting up LDAP authentication on my CentOS 6.4 system.
>>>>>>>
>>>>>>> My firewall is off and SELinux is disabled.
>>>>>>>
>>>>>>> When I do an ldapsearch -x "cn=test.user" it returns all the correct
>>>>>>> information, but doing id test.user returns no user.
>>>>>> As you can see from the logs SSSD is using
>>>>>> "(&(uid=test.user)(objectclass=posixAccount))" as search filter, can you
>>>>>> check if ldapsearch with this filter finds the entry as well?
>>>>>> Additionally can you check that the user object is located below the
>>>>>> search base you have given in sssd.conf?
>>>>>>
>>>>>> HTH
>>>>>>
>>>>>> bye,
>>>>>> Sumit
>>>>>>> I've attached the log files and all of the relevant files and maybe
>>>>>>> some non-relevant ones as well.
>>>>>>>
>>>>>>> It appears as though it is searching for the user but is simply not
>>>>>>> finding anything. Is there an option to search for cn=test.user and
>>>>>>> not by uid?
>>>>>>>
>>>>>>> Any help will be much appreciated.
>>>>>>
>>>>>>> _______________________________________________
>>>>>>> sssd-users mailing list
>>>>>>> sssd-users(a)lists.fedorahosted.org
>>>>>>> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>>>>> Thanks for the reply,
>>>>> the user is definitely under the groups in sssd.conf.
>>>>>
>>>>> ldapsearch with objectclass=posixAccount seems to be part of the
>>>>> issue. Also it is searching for uid rather than the cn of the user.
>>>>>
>>>>> If I do ldapsearch -x "uid=<UID of test.user>" it works fine.
>>>>>
>>>>> If I do ldapsearch -x "uid=<UID of test.user>"
>>>>> "objectclass=posixAccount" it does not.
>>>>>
>>>>> ldapsearch -x "uid=test.user" returns all of the users in the search.
>>>>>
>>>>> And finally ldapsearch -x "uid=test.user" "objectclass=posixAccount"
>>>>> returns no users.
>>>>>
>>>>> So how do I tell my sssd to not use this filter? And to use cn
>>>>> instead of uid?
>>>
>>> Sorry, not too familiar with the ldapsearch commands.
>>>
>>> Anyways, test.user is not of objectclass posixAccount so with that
>>> filter nothing comes back. If I change it to cn= and objectclass=<an
>>> objectclass test.user is a part of> then it just returns the DN of the
>>> user.
>>>
>>> ldap_user_name = cn
>>> ldap_user_object_class =
>>>
>>> attributes in sssd.conf seem to be altering these values for me when I
>>> search for the id of test.user.
>>>
>>> But it can't seem to find uid, uidnumber, homedirectory, gidnumber or
>>> loginshell attributes for my users.
>> It looks like you are using a custom LDAP schema. You can map the
>> default attributes for home directory etc. to other values with
>>
>> ldap_user_home_directory
>> ldap_user_uid_number
>> ldap_user_gid_number
>> ldap_user_shell
>>
>> respectively, see man sssd-ldap for more details, e.g. how to map group
>> attributes.
>>
>> HTH
>>
>> bye,
>> Sumit
>
> yeah, a large part of my problem is that I did not set up this ldap.
>
> is there a way I can assign say a gid or home directory rather than
> getting it from ldap?
gid - no.
In general you can't override the group list the user is a member of, but
you can override the primary gid. See the "override_gid" option in man
sssd.conf.
But with home directory you can have a local override. See man pages for
more details.
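Putting the options named in this thread together, below is an added example of an sssd.conf for this situation. It is written for this page and was not posted by anyone in the thread; it covers the attribute-mapping options Sumit listed (ldap_user_name, ldap_user_object_class, ldap_user_uid_number, ldap_user_gid_number, ldap_user_home_directory, ldap_user_shell, plus the group equivalents from man sssd-ldap) and the local overrides from the last reply (override_gid, override_homedir). The server name, search bases, domain name, the object classes `inetOrgPerson` and `groupOfNames`, and the attribute names `employeeNumber`, `departmentNumber`, `unixHome` and `unixShell` are placeholders for whatever the custom schema actually uses; substitute the real names from an ldapsearch of one user entry.

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
# Fail closed on an untrusted or self-signed server certificate.
# ldap_tls_cacert must point at the CA that signed the server cert.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=People,dc=example,dc=com
ldap_group_search_base = ou=Groups,dc=example,dc=com

# Custom schema: user entries are inetOrgPerson (placeholder) named by cn,
# not posixAccount named by uid. With these two lines SSSD's user filter
# becomes (&(cn=test.user)(objectClass=inetOrgPerson)) instead of the
# default (&(uid=test.user)(objectClass=posixAccount)). The object class
# must be one the user entries really carry, or the filter matches nothing.
ldap_user_object_class = inetOrgPerson
ldap_user_name = cn

# Map the POSIX attributes SSSD needs onto what the schema provides.
# All four attribute names below are placeholders. SSSD still needs a
# numeric UID and GID from somewhere: if the directory has no uidNumber
# equivalent at all, "id test.user" will keep returning nothing.
ldap_user_uid_number = employeeNumber
ldap_user_gid_number = departmentNumber
ldap_user_home_directory = unixHome
ldap_user_shell = unixShell

# Groups in this placeholder schema are groupOfNames entries whose
# "member" attribute holds full DNs, which is the rfc2307bis style.
ldap_schema = rfc2307bis
ldap_group_object_class = groupOfNames
ldap_group_name = cn
ldap_group_member = member

# Local overrides applied to every user in this domain regardless of what
# the directory says (man sssd.conf). They replace the primary gid, the
# home directory and the shell; supplementary group membership still
# comes from LDAP and cannot be overridden this way.
override_gid = 10000
override_homedir = /home/%u
override_shell = /bin/bash
# fallback_homedir only fills in when the mapped home attribute is missing;
# override_homedir takes precedence when both are set.
fallback_homedir = /home/%u

# Raise while troubleshooting, then lower again: the domain log
# (/var/log/sssd/sssd_example.log) shows the exact filter and base used.
debug_level = 6
```

Before trusting the mapping, run the same search SSSD will issue, from the same host, against the same base: `ldapsearch -x -LLL -H ldaps://ldap.example.com -b ou=People,dc=example,dc=com '(&(cn=test.user)(objectClass=inetOrgPerson))' cn employeeNumber departmentNumber unixHome unixShell`. If that returns the entry with all five attributes populated, clear the cache with `sss_cache -E`, restart sssd and `id test.user` should resolve; if an attribute is missing in the output, it is missing in the directory, and no sssd.conf mapping can supply it.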