Hi,
I'm hoping someone can help. I am using RHEL 6.1 and trying to use sssd to authenticate to our ldap server.
Our ldap server uses the uid=name@domain as the uid. sssd seems to pass the name part only. Below is the extract from the log. This is generated by running getent passwd stefan@lsd.com
Originally I had the issue where the @ part of the search was looking for a specific sssd provider. I changed my domain to lsd.com. This lets me search but as you can see below, passes the filter of uid=stefan and not uid=stefan@lsd.com
Thanks in advance, Stefan
==> slapd trace
Dec 5 12:51:58 ecstasy slapd[15262]: conn=1327 op=4 SRCH base="ou=lsd,ou=users,dc=lsd,dc=co,dc=za" scope=2 deref=0 filter="(&(uid=stefan)(objectClass=posixAccount))"
Dec 5 12:51:58 ecstasy slapd[15262]: conn=1327 op=4 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock

==> sssd_nss.log <==
(Mon Dec 5 12:55:40 2011) [sssd[nss]] [accept_fd_handler] (4): Client connected!
(Mon Dec 5 12:55:40 2011) [sssd[nss]] [sss_cmd_get_version] (5): Received client version [1].
(Mon Dec 5 12:55:40 2011) [sssd[nss]] [sss_cmd_get_version] (5): Offered version [1].
(Mon Dec 5 12:55:40 2011) [sssd[nss]] [nss_cmd_getpwnam] (4): Requesting info for [stefan] from [lsd.com]
(Mon Dec 5 12:55:40 2011) [sssd[nss]] [nss_cmd_getpwnam_search] (4): Requesting info for [stefan@lsd.com]
(Mon Dec 5 12:55:40 2011) [sssd[nss]] [sss_dp_send_acct_req_create] (4): Sending request for [lsd.com][4097][1][name=stefan]

==> sssd_lsd.com.log <==
(Mon Dec 5 12:55:40 2011) [sssd[be[lsd.com]]] [be_get_account_info] (4): Got request for [4097][1][name=stefan]
(Mon Dec 5 12:55:40 2011) [sssd[be[lsd.com]]] [acctinfo_callback] (4): Request processed. Returned 0,0,Success

==> sssd_nss.log <==
(Mon Dec 5 12:55:40 2011) [sssd[nss]] [sss_dp_get_reply] (4): Got reply (0, 0, Success) from Data Provider
(Mon Dec 5 12:55:40 2011) [sssd[nss]] [nss_cmd_getpwnam_search] (4): Requesting info for [stefan@lsd.com]

==> sssd_lsd.com.log <==

==> sssd_nss.log <==
(Mon Dec 5 12:55:40 2011) [sssd[nss]] [nss_cmd_getpwnam_search] (2): No results for getpwnam call
(Mon Dec 5 12:55:40 2011) [sssd[nss]] [client_recv] (5): Client disconnected!
Hi Stefan, as I suggested to you on our IRC channel, I still think you should try setting re_expression in the config file so it doesn't translate the part after @ to a domain name. This is what it could look like (not sure though, I don't have a setup which I can test this on):
(?P<name>+$)
Please try that and let us know.
Jan
On Mon, Dec 05, 2011 at 12:37:35PM +0100, Jan Zelený wrote:
Hi Stefan, as I suggested to you on our IRC channel, I still think you should try setting re_expression in the config file so it doesn't translate the part after @ to a domain name. This is what it could look like (not sure though, I don't have a setup which I can test this on):
(?P<name>+$)
Please try that and let us know.
Jan
You can just fine-tune the re_expression so it uses a different character for name-domain delimiter. This would use the "~" sign:
re_expression = (?P<name>[^~]+)~?(?P<domain>[^~]*$)
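Added example, not part of the original thread and not SSSD's own code: it runs the "~" expression above next to an "@"-delimited form of the same pattern (assumed here to model the split seen in the logs) on the login from the original post. Python's re module stands in for SSSD's regex engine, the filter shape is copied from the slapd trace, and the helper names and the RFC 4515 escaping are assumptions of this example.

```python
import re

# "@"-delimited split, assumed to model the behaviour seen in sssd_nss.log.
AT_EXPR = r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)"
# Expression from the reply above: "~" is the name/domain delimiter instead.
TILDE_EXPR = r"(?P<name>[^~]+)~?(?P<domain>[^~]*$)"


def split_login(expr, login):
    """Return (name, domain) as captured by the named groups of expr."""
    m = re.match(expr, login)
    if m is None:
        # e.g. two "@" signs with AT_EXPR: the login cannot be parsed at all
        raise ValueError("login %r does not match %r" % (login, expr))
    return m.group("name"), m.group("domain")


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter value."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def user_filter(name):
    """Build a search filter shaped like the one in the slapd trace."""
    return "(&(uid=%s)(objectClass=posixAccount))" % escape_filter_value(name)


if __name__ == "__main__":
    login = "stefan@lsd.com"  # login from the original post
    for label, expr in (("@ delimiter", AT_EXPR), ("~ delimiter", TILDE_EXPR)):
        name, domain = split_login(expr, login)
        print("%-12s name=%r domain=%r filter=%s"
              % (label, name, domain, user_filter(name)))
```

With the "~" delimiter the whole string stefan@lsd.com lands in the name group and the domain group is empty, so the uid sent to the directory keeps its @domain part.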
Thanks Jan, Jakub
I got it working by changing the re_expression as above. I guess this would be a common request and this above re would be good in the manual somewhere. I also discovered I need SSL / TLS for auth, so now I'm fixing that.
Regards, Stefan
On Tue, Dec 06, 2011 at 09:05:07AM +0200, Stefan Lesicnik wrote:
Thanks Jan, Jakub
I got it working by changing the re_expression as above. I guess this would be a common request and this above re would be good in the manual somewhere.
The parameter is documented in sssd.conf(5) manual page. Do you feel that an example of a custom regex would be prudent?
I also discovered I need SSL / TLS for auth, so now I'm fixing that.
Yes, SSSD will not send passwords over unencrypted connection. Don't hesitate to ask if you run into trouble.
sssd-devel@lists.fedorahosted.org