On Thu, Jul 16, 2015 at 03:12:52PM -0400, Christian Tardif wrote:
Hi,
I'm working on setting up an LDAP proxy (with OpenLDAP) to Active Directory.
And testing the proxy with SSSD gives me strange results I don't
understand. When someone is trying to connect to a Linux box on which
SSSD is looking after the LDAP proxy, it fails because of a bad filter
thing (which is OK, as you'll see in the logs). The logs from SSSD
show:
I've never tried this setup so I don't know if it would work, but you
probably want to set ldap_user_objectsid=objectSID explicitly to avoid
null in the filter.
btw when using ID mapping together with LDAP provider, usually setting
ldap_use_tokengroups=False is a good idea.
(Thu Jul 16 14:51:00 2015) [sssd[be[DOMAIN]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(uid=christian.tardif1)(objectclass=user)(uid=*)((null)=*))][ou=users,ou=outhing,dc=domain,dc=int].
(Thu Jul 16 14:51:00 2015) [sssd[be[LABNHS]]]
[sdap_get_generic_ext_step] (0x0080): ldap_search_ext failed: Bad search
filter
Look at that (null)=* thing. Where does that come from? My sssd.conf
looks like:
[domain/DOMAIN]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = simple
ldap_uri = ldap://172.22.211.114/
ldap_search_base = ou=outhing,dc=domain,dc=int
#ldap_default_bind_dn = cn=ldap binduser,ou=others,ou=users,ou=outhing,dc=domain,dc=int
#ldap_default_authtok = B1ndPassw0rd!
ldap_default_bind_dn = cn=Manager,dc=domain,dc=int
ldap_default_authtok = *********
ldap_default_authtok_type = password
ldap_user_name = uid
ldap_user_object_class = user
ldap_user_search_base = ou=users,ou=outhing,dc=domain,dc=int
ldap_user_extra_attrs = mail
ldap_group_object_class = group
ldap_group_search_base = ou=groups,ou=outhing,dc=domain,dc=int
ldap_id_mapping = true
ldap_schema = rfc2307bis
ldap_tls_reqcert = never
ldap_id_use_start_tls = false
ldap_network_timeout = 6
override_gid = 100
enumerate = true
cache_credentials = true
cache_sensitive = false
entry_cache_timeout = 300
debug_level = 6
[sssd]
services = nss, pam
config_file_version = 2
domains = DOMAIN
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
override_homedir = /home/%u
default_shell = /bin/bash
[pam]
[sudo]
[autofs]
[ssh]
Is something wrong in my config to create this (null)=* thing?
--
CHRISTIAN TARDIF
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
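An added check for the two settings the reply points at (example code written for this thread, not SSSD's own tooling). It assumes, as the logged filter suggests, that the (null) is the user objectSID attribute mapping being unset, and the sample config below is constructed from the domain section posted above.

```python
"""Flag ID-mapping pitfalls in an sssd.conf: ldap_id_mapping=true with an
rfc2307/rfc2307bis schema but no explicit ldap_user_objectsid, and
ldap_use_tokengroups not switched off (the reply's two suggestions)."""
import configparser

# Constructed sample, modelled on the thread's [domain/DOMAIN] section.
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = DOMAIN

[domain/DOMAIN]
id_provider = ldap
ldap_schema = rfc2307bis
ldap_id_mapping = true
ldap_user_name = uid
ldap_user_object_class = user
"""

def render_user_filter(name, objectclass, name_attr, sid_attr):
    """Render the user lookup filter in the shape the log shows; an unset
    SID attribute shows up as (null), which is not a valid LDAP filter."""
    sid = sid_attr or "(null)"
    return "(&(%s=%s)(objectclass=%s)(%s=*)(%s=*))" % (
        name_attr, name, objectclass, name_attr, sid)

def check_domain(section):
    """Return [(option, advice)] findings for one [domain/...] section."""
    findings = []
    if section.get("id_provider", "").strip().lower() != "ldap":
        return findings
    schema = section.get("ldap_schema", "rfc2307").strip().lower()
    if not section.getboolean("ldap_id_mapping", fallback=False):
        return findings
    # Assumption: the rfc2307/rfc2307bis maps carry no default objectSID
    # attribute, so ID mapping has nothing to put into the filter.
    if schema in ("rfc2307", "rfc2307bis") and "ldap_user_objectsid" not in section:
        findings.append(("ldap_user_objectsid", "set ldap_user_objectsid = objectSID"))
    # The default of ldap_use_tokengroups depends on the SSSD version, so
    # require it to be set to False explicitly, as the reply advises.
    if section.getboolean("ldap_use_tokengroups", fallback=True):
        findings.append(("ldap_use_tokengroups", "set ldap_use_tokengroups = False"))
    return findings

def check_conf(text):
    """Run check_domain over every [domain/...] section of an sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: check_domain(cp[s]) for s in cp.sections() if s.startswith("domain/")}

if __name__ == "__main__":
    for dom, found in check_conf(SAMPLE_CONF).items():
        for opt, advice in found:
            print("%s: %s (%s)" % (dom, opt, advice))
```

Run it against a real sssd.conf with `check_conf(open("/etc/sssd/sssd.conf").read())`; an empty list for a domain means both settings are already explicit.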