On Tue, Oct 5, 2010 at 12:29 PM, Stephen Gallagher <sgallagh@redhat.com> wrote:

On 10/05/2010 06:09 AM, Patrick Grieshaber wrote:
> On Tue, Oct 5, 2010 at 11:47 AM, Jakub Hrozek <jhrozek@redhat.com
> <mailto:jhrozek@redhat.com>> wrote:
> On 10/05/2010 09:37 AM, Patrick Grieshaber wrote:
>> ldap_user_uid_number = sAMAccountName
>> ldap_user_gid_number = sAMAccountName
>> ldap_user_uuid = sAMAccountName
> Looking at the debug log, the user object could not be saved due to
> missing UID number. Using sAMAccountName does not sound like the best
> attribute to me, though. I think that with 2008, there was no need to
> fine-tune the UID/GID attributes and just go with the defaults.
>> I totally agree.. but with the config above plus this mods:
>> #ldap_user_principal = userPrincipalName
>> #ldap_user_uid_number = sAMAccountName
>> #ldap_user_gid_number = sAMAccountName
>> #ldap_user_uuid = sAMAccountName
>> #ldap_user_fullname = displayName
>> ... I receive the exact same debug output (--> no uid found). The reason
>> why I've set sAMAccountName as uid is because the value of this field is
>> always a unique employee _number_ in our active directory. It is strange
>> that the ldap entry about myuser is found, but the uid mapping is such a
>> problem... any other suggestion? Tried this for a couple of hours...
>        Jakub

Please make sure that your Active Directory server has Subsystem for
UNIX-based Applications (SUA) installed on it. This is necessary for
support of POSIX clients like SSSD.

On Active Directory 2008 with SUA installed, you should not need to set
any of the ldap_user_* options in sssd.conf, as Active Directory's POSIX
compatibility layer should be providing the standard values.

If possible, could you also send the complete LDIF (sanitized as needed)
for one example entry in your Active Directory server, so we can see
what attributes it DOES have, and try to work from there?

The ldapsearch command line tool can be used for this.

Thank you very much for the SUA hint. The auth works now :-).

But still ldap_schema = rfc2307bis was not enough information.
I had to adjust:
- ldap_user_name = sAMAccountName
- ldap_user_object_class = person
- ldap_user_uid_number = uSNCreated
- ldap_user_gid_number = logonCount

I want a unique uid (by default it takes the value of the attribute userAccountControl, which is not unique!). uSNCreated is a unique attribute value in AD. Unfortunately sssd auth does not work if ldap_user_gid_number is set to the same attribute as ldap_user_uid_number. I am still looking for a sensible attribute.

--
Stephen Gallagher
RHCE 804006346421761


sssd-devel mailing list

Patrick Grieshaber
Mobile: +41 (0)79 215 63 79
Xing:   xing.com/profile/Patrick_Grieshaber
Skype:  patrickgrieshaber

GPG Key Fingerprint
0252 0C05 410E C345
1AC7 7530 98ED B18E
62CB CF04
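The diagnostic Stephen asks for in the thread (dump one user with ldapsearch and see which attributes it actually has) can be turned into a check against the ldap_user_* mappings in sssd.conf. The script below is an added example written for this page; it is not SSSD or Red Hat code. The two LDIF entries (an AD 2008 user with and without the POSIX attributes that SUA populates), the two sssd.conf fragments, and the rfc2307bis option defaults in RFC2307BIS_DEFAULTS are constructed samples and assumptions; verify the defaults against sssd-ldap(5) for your version. It reproduces the "no uid found" situation from the start of the thread, the uid/gid-on-the-same-attribute failure Patrick reports, and the working case where the name and object class overrides he needed are kept and the UID/GID numbers come from SUA's uidNumber/gidNumber.

```python
"""Check SSSD ldap_user_* mappings against an LDIF dump of one AD user.

Added example for this mailing-list thread, not SSSD code. All entries,
config fragments and defaults below are constructed samples/assumptions.
"""
import base64
import configparser

# Constructed sample: ldapsearch output for one user on AD 2008 with SUA
# installed, so the rfc2307bis POSIX attributes are populated.
LDIF_WITH_SUA = """\
dn: CN=Example User,CN=Users,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Example User
sAMAccountName: 12345
displayName: Example User
userPrincipalName: 12345@example.com
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/12345
loginShell: /bin/bash
uSNCreated: 58207
logonCount: 17
"""

# Constructed sample: the same user before SUA was installed; no POSIX
# attributes at all, which is what the "no uid found" debug output means.
LDIF_WITHOUT_SUA = "\n".join(
    line for line in LDIF_WITH_SUA.splitlines()
    if not line.startswith(("uidNumber", "gidNumber",
                            "unixHomeDirectory", "loginShell"))
) + "\n"

# Constructed: the thread's first attempt, all numbers from sAMAccountName.
CONF_SAMACCOUNTNAME = """\
[domain/example.com]
id_provider = ldap
ldap_schema = rfc2307bis
ldap_user_name = sAMAccountName
ldap_user_object_class = user
ldap_user_uid_number = sAMAccountName
ldap_user_gid_number = sAMAccountName
"""

# Constructed: keep only the AD-specific name/object class overrides and let
# uidNumber/gidNumber (populated by SUA) come from the schema defaults.
CONF_SUA = """\
[domain/example.com]
id_provider = ldap
ldap_schema = rfc2307bis
ldap_user_name = sAMAccountName
ldap_user_object_class = user
"""

# Assumed rfc2307bis defaults (check sssd-ldap(5) for your version).
RFC2307BIS_DEFAULTS = {
    "ldap_user_object_class": "posixAccount",
    "ldap_user_name": "uid",
    "ldap_user_uid_number": "uidNumber",
    "ldap_user_gid_number": "gidNumber",
}


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute (lower-cased): [values]}.

    Handles comment lines, folded lines (continuations start with a space)
    and base64 values ("attr:: ..."). LDAP attribute names are
    case-insensitive, so keys are lower-cased for lookup.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold continuation line
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF line: %r" % line)
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def check_mapping(ldif_text, sssd_conf_text):
    """Return a list of problems; an empty list means the mapping looks sane."""
    entry = parse_ldif_entry(ldif_text)
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_conf_text)
    domain = next(s for s in cfg.sections() if s.startswith("domain/"))
    opts = dict(RFC2307BIS_DEFAULTS)
    for key in opts:
        if cfg.has_option(domain, key):
            opts[key] = cfg.get(domain, key)

    problems = []
    oc = opts["ldap_user_object_class"]
    if oc.lower() not in [v.lower() for v in entry.get("objectclass", [])]:
        problems.append("user filter (objectClass=%s) does not match entry" % oc)
    for key in ("ldap_user_name", "ldap_user_uid_number", "ldap_user_gid_number"):
        attr = opts[key]
        values = entry.get(attr.lower())
        if not values:
            problems.append("%s = %s: attribute missing, user cannot be saved"
                            % (key, attr))
        elif key != "ldap_user_name" and not values[0].isdigit():
            problems.append("%s = %s: value %r is not a number"
                            % (key, attr, values[0]))
    if opts["ldap_user_uid_number"].lower() == opts["ldap_user_gid_number"].lower():
        problems.append("uid and gid both mapped to %s (reported to break auth)"
                        % opts["ldap_user_uid_number"])
    return problems


if __name__ == "__main__":
    for label, ldif, conf in (("no SUA, defaults", LDIF_WITHOUT_SUA, CONF_SUA),
                              ("SUA, sAMAccountName", LDIF_WITH_SUA, CONF_SAMACCOUNTNAME),
                              ("SUA, defaults", LDIF_WITH_SUA, CONF_SUA)):
        print(label, "->", check_mapping(ldif, conf) or "OK")
```

To use it on a real directory, replace LDIF_WITH_SUA with the output of an ldapsearch for one user (sanitized) and the config strings with the [domain/...] section of your sssd.conf; an empty result means every attribute SSSD will ask for is present, numeric where it must be, and the user filter actually matches the entry.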