[sles-beta] sssd hassle

markus.hubler at isc-ejpd.admin.ch markus.hubler at isc-ejpd.admin.ch
Wed May 21 08:25:21 MDT 2014


Hi Peter

I have tried to find out more about sssd in the last week. However, I still have a hassle somewhere in my config.
Do you have an idea how I have to set the filter correctly, so that all the users who are in the netgroup (named after the current host) get correctly mapped to the system?

The server is t9002. I have perfect access to the ldap server, as getent netgroup <servername> works.

So it seems my basic pain is to get a working filter.


1)      # getent netgroup t9002
        t9002            ( ,user1,) ( ,user2,)
        works fine

2)      enumerate=True shows all the users (even those that should not have access); enumerate=false shows only local users.


3)      Filter: Is it wise to adapt the search base (as I tried to do)? Or would you take ldap_access_filter?


4)      Desired state would be:
        getent passwd shows local users and user1 and user2

5)      before we had

        +@t9002:::::: (in /etc/passwd)
        +@t9002::0:0:0:::: (in /etc/shadow)


Any suggestions about documentation???


ldapsearch gives the following:

# t9002, netgroup, test.test.ch
dn: cn=ejpdxt9002,ou=netgroup,dc=test,dc=test,dc=ch
memberNisNetgroup: netgroup-ux
cn: t9002
objectClass: nisNetgroup
objectClass: top


/etc/sssd/sssd.conf
===================

[sssd]
default_domain_suffix = LDAP
config_file_version = 2
services = nss, pam
domains = LDAP
full_name_format = %1$s@%2$s
[nss]
filter_groups = root
filter_users = root

[pam]
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_group_member = uniquemember
chpass_provider = ldap
ldap_uri = ldap://t4113.test.ch
ldap_chass_uri = ldap://t4113.test.ch
ldap_schema = rfc2307bis

ldap_search_base = cn=t9002,ou=netgroup,dc=test,dc=test,dc=ch?one?|(objectClass=nisNetgroup)
ldap_netgroup_search_base = ou=netgroup,dc=test,dc=test,dc=ch

access_provider = ldap
ldap_access_filter =  (|(ou=netgroup,dc=test,dc=test,dc=ch)(cn=t9002))

ldap_group_search_base = ou=group,dc=test,dc=test,dc=ch
ldap_user_search_base = ou=people,dc=test,dc=test,dc=ch
enumerate = True
ldap_tls_reqcert = never
ldap_tls_cacertdir = /etc/ssl/certs


/etc/nsswitch.conf
==================


passwd: files sss
shadow: files sss
group:  files sss

hosts:  files dns
networks:       files

services:       files
protocols:      files
rpc:    files
ethers: files
netmasks:       files
netgroup:       sss
publickey:      files

bootparams:     files
automount:      files
aliases:        files
passwd_compat:  ldap
shadow_compat:  ldap
group_compat:   files


Best regards
Markus
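A small parser for the netgroup-triple format that `getent netgroup` prints, added here as an example (it is not part of Markus's post and not sssd code), so one can check which users a netgroup such as t9002 actually admits under innetgr(3) matching rules before relying on it for access control. The sample line is constructed from the one quoted above; the extra triples (host3, user4, the domain) are invented to show the wildcard and "-" cases.

```python
import re
from typing import List, Optional, Tuple

Triple = Tuple[str, str, str]  # (host, user, domain)

# Constructed sample in the layout 'getent netgroup t9002' prints.
# The first two triples are the ones quoted in the post; the rest are invented.
SAMPLE_GETENT_OUTPUT = (
    "t9002            ( ,user1,) ( ,user2,) (host3,-,) (,user4,test.test.ch)"
)

# One netgroup triple: three comma-separated fields inside parentheses,
# each possibly empty, with optional surrounding whitespace.
TRIPLE_RE = re.compile(r"\(\s*([^,()]*?)\s*,\s*([^,()]*?)\s*,\s*([^,()]*?)\s*\)")


def parse_netgroup_line(line: str) -> Tuple[str, List[Triple]]:
    """Split a getent netgroup line into (netgroup name, list of triples)."""
    name, _, rest = line.strip().partition(" ")
    return name, [(h, u, d) for h, u, d in TRIPLE_RE.findall(rest)]


def field_matches(pattern: str, value: Optional[str]) -> bool:
    """innetgr(3) field rule: '-' never matches, an empty field is a
    wildcard, and a None query value means the caller does not care."""
    if pattern == "-":
        return False
    if pattern == "" or value is None:
        return True
    return pattern == value


def in_netgroup(triples: List[Triple], host: Optional[str] = None,
                user: Optional[str] = None, domain: Optional[str] = None) -> bool:
    """True if any triple matches all three of host, user and domain."""
    return any(field_matches(h, host) and field_matches(u, user) and field_matches(d, domain)
               for h, u, d in triples)


def allowed_users(triples: List[Triple]) -> List[str]:
    """Users the netgroup names explicitly (wildcard-only triples excluded)."""
    return sorted({u for _, u, _ in triples if u not in ("", "-")})


if __name__ == "__main__":
    name, triples = parse_netgroup_line(SAMPLE_GETENT_OUTPUT)
    print(name, allowed_users(triples))
    print("user1 on t9002:", in_netgroup(triples, host="t9002", user="user1"))
```

Compare `allowed_users` against what `getent passwd` returns once the access filter is in place; any user that sssd maps but the netgroup does not name is the kind of over-exposure item 2 describes.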