[sles-beta] sssd hassle
markus.hubler at isc-ejpd.admin.ch
Wed May 21 08:25:21 MDT 2014
Hi Peter
I have tried to find out more about sssd in the last week. However, I still have a hassle somewhere in my config.
Do you have an idea how I have to set the filter correctly, so that all the users who are in the netgroup (named after the current host) get correctly mapped to the system?
The server is t9002. I have perfect access to the LDAP server, as getent netgroup <servername> works.
So it seems my basic pain is getting a working filter.
1) # getent netgroup t9002
t9002 ( ,user1,) ( ,user2,)
works fine
2) enumerate=True shows all the users (even those that should not have access); enumerate=false shows only local users.
3) Filter: Is it wise to adapt the search base (as I tried to do)? Or would you take ldap_access_filter?
4) Desired state would be:
getent passwd shows local users and user1 and user2
5) Before we had:
+@t9002:::::: (in /etc/passwd)
+@t9002::0:0:0:::: (in /etc/shadow)
Any suggestions about documentation???
ldapsearch gives the following:
# t9002, netgroup, test.test.ch
dn: cn=ejpdxt9002,ou=netgroup,dc=test,dc=test,dc=ch
memberNisNetgroup: netgroup-ux
cn: t9002
objectClass: nisNetgroup
objectClass: top
/etc/sssd/sssd.conf
===================
[sssd]
default_domain_suffix = LDAP
config_file_version = 2
services = nss, pam
domains = LDAP
full_name_format = %1$s@%2$s
[nss]
filter_groups = root
filter_users = root
[pam]
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_group_member = uniquemember
chpass_provider = ldap
ldap_uri = ldap://t4113.test.ch
ldap_chass_uri = ldap://t4113.test.ch
ldap_schema = rfc2307bis
ldap_search_base = cn=t9002,ou=netgroup,dc=test,dc=test,dc=ch?one?|(objectClass=nisNetgroup)
ldap_netgroup_search_base = ou=netgroup,dc=test,dc=test,dc=ch
access_provider = ldap
ldap_access_filter = (|(ou=netgroup,dc=test,dc=test,dc=ch)(cn=t9002))
ldap_group_search_base = ou=group,dc=test,dc=test,dc=ch
ldap_user_search_base = ou=people,dc=test,dc=test,dc=ch
enumerate = True
ldap_tls_reqcert = never
ldap_tls_cacertdir = /etc/ssl/certs
/etc/nsswitch.conf
==================
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
networks: files
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: sss
publickey: files
bootparams: files
automount: files
aliases: files
passwd_compat: ldap
shadow_compat: ldap
group_compat: files
Best regards
Markus
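Added example, not part of Markus's post: a small resolver for the nisNetgroup schema shown in the ldapsearch output, which follows memberNisNetgroup nesting and host-specific triples to compute the user set a host's netgroup admits. The LDIF entries are constructed (the contents of netgroup-ux are hypothetical); the result is what getent passwd should show beyond the local users once the sssd filter is right.

```python
"""Resolve which users a host's NIS netgroup admits, following nested
memberNisNetgroup references, so the expected 'getent passwd' result can be
compared against what sssd actually maps."""
import re
from typing import Dict, List, Optional, Set

# Constructed sample in the shape of the post's ldapsearch output: the host
# netgroup cn=t9002 nests netgroup-ux, whose contents are hypothetical.
SAMPLE_LDIF = """\
dn: cn=t9002,ou=netgroup,dc=test,dc=test,dc=ch
cn: t9002
objectClass: nisNetgroup
memberNisNetgroup: netgroup-ux

dn: cn=netgroup-ux,ou=netgroup,dc=test,dc=test,dc=ch
cn: netgroup-ux
objectClass: nisNetgroup
nisNetgroupTriple: (,user1,)
nisNetgroupTriple: (,user2,)
nisNetgroupTriple: (otherhost,user3,)
"""

# A netgroup triple is (host,user,domain); empty fields act as wildcards.
TRIPLE_RE = re.compile(r"^\(([^,]*),([^,]*),([^)]*)\)$")


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {cn: {attribute: [values]}} for each blank-line-separated entry."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    for block in text.strip().split("\n\n"):
        attrs: Dict[str, List[str]] = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value.strip())
        entries[attrs["cn"][0]] = attrs
    return entries


def netgroup_users(entries: Dict[str, Dict[str, List[str]]], name: str,
                   host: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Users admitted on `host` by netgroup `name`, recursing into nested
    netgroups; `seen` guards against reference cycles between netgroups."""
    seen = seen if seen is not None else set()
    if name in seen or name not in entries:
        return set()
    seen.add(name)
    users: Set[str] = set()
    for triple in entries[name].get("nisNetgroupTriple", []):
        m = TRIPLE_RE.match(triple)
        # Keep the user if the host field is empty (wildcard) or matches us.
        if m and m.group(2) and m.group(1) in ("", host):
            users.add(m.group(2))
    for nested in entries[name].get("memberNisNetgroup", []):
        users |= netgroup_users(entries, nested, host, seen)
    return users


if __name__ == "__main__":
    print(sorted(netgroup_users(parse_ldif(SAMPLE_LDIF), "t9002", "t9002")))
```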