Thank you for the explanation. I understand.
2024/04/29 22:45、Sumit Bose <sbose@redhat.com>のメール:
Am Mon, Apr 29, 2024 at 09:12:08PM +0900 schrieb koson823@me.com:Hi,
Thank you for your quick response. Yes, that was the reason. In this regard, let me allow to add the following question.
Is there any way to remove objectClass from the filter, such as to be (uid=hogehoge) but not (&(uid=hogehoge)(objectclass=inetOrgPerson)) as in the failure case?
Even though I tried to remove the objectclass filter in sssd.conf, I couldn’t.
Removing “ldap_user_object_class" statement in [domain/local] automatically gives the following:
(&(uid=hogehoge)(objectclass=posixAccount))
(as mentioned before, posixAccount is not used in the LDAP database.)
Or, is the declaration of objectclass mandatory in the filter?
I would greatly appreciate any assistance.
Hi,SSSD will always use an objectclass in the filter to make sure thatonly the expected type of objects are returned.HTHbye,Sumit
2024/04/29 19:55、Sumit Bose <sbose@redhat.com>のメール:
Hi,
my first guess would be that the `uid=search_id` object does not have
the permissions to read the `objectClass` attribute from other objects.
Please check the ACIs on the LDAP server side for this user.
HTH
bye,
Sumit
This initial search binding works fine and returns the user DN to log in, for example,
uid=hogehoge,ou=staff,ou=Users,dc=example,dc=com
However, as shown below, the user (hogehoge) cannot be authenticated.
/var/log/sssd/sssd_local.log
(2024-04-28 21:57:11): [be[local]] [sdap_call_op_callback] (0x20000): [RID#2] Handling LDAP operation [3][server: [xxx.xx.xx.x:636] filter: [(&(uid=hogehoge)(objectclass=inetOrgPerson))] base: [ou=Users,dc=example,dc=com]] took [2.910] milliseconds.
(2024-04-28 21:57:11): [be[local]] [sdap_parse_entry] (0x1000): [RID#2] OriginalDN: [uid=hogehoge,ou=staff,ou=Users,dc=example,dc=com].
(2024-04-28 21:57:11): [be[local]] [sdap_parse_entry] (0x0020): [RID#2] Unknown entry type, no objectClasses found!
/var/log/secure
Apr 28 21:57:11 server sssctl[1635756]: pam_sss(system-auth:auth): authentication failure; logname=dummy uid=0 euid=0 tty= ruser= rhost= user=hogehoge
Apr 28 21:57:11 server sssctl[1635756]: pam_sss(system-auth:auth): received for user hogehoge: 4 (System error)
--
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--_______________________________________________sssd-users mailing list -- sssd-users@lists.fedorahosted.orgTo unsubscribe send an email to sssd-users-leave@lists.fedorahosted.orgFedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelinesList Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.orgDo not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue