Hi, I have a short question about how LDAP lookups are done and whether it is possible to modify them. At the moment I have sssd (1.9.2) up and running fine with an LDAP server.
If a user tries to log in with his username (e.g. jsmith) or via the getent command (getent passwd jsmith), sssd creates an LDAP query with "uid=username".
I found this in the logs: [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=jsmith)(objectclass=posixAccount))] ...
ldapsearch for this user (jsmith):
[...]
uid: jsmith
description: 2560
givenName: John
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: top
cn: johnsmith
sn: something_else
homeDirectory: /home/jsmith
mail: john.smith@domain.tld
uidNumber: 54321
gidNumber: 12345
[...]
Is it possible to change the default LDAP lookup of sssd, using for example "mail" or "cn" instead of uid? So that the LDAP lookup created by sssd does not look like this: [(&(uid=jsmith)(objectclass=posixAccount))] but like this one: [(&(mail=jsmith)(objectclass=posixAccount))]
Maybe a conf option like lookup_username_attr mail #default uid would do the job.
Of course this would fail in this situation, but a user could then log in with his mail address (john.smith@domain.tld) via ssh for example, and get his usual Unix account "jsmith".
I don't want a mapping or rewrite of the uid field. The Unix account name should still be filled from the uid field of the LDAP entry.
I tried ldap_user_name = mail, but then the Unix account names are mapped to the mail attribute.
With a second "Domain Section" a user could use both "login names" to log in via ssh: his Unix account "jsmith" and his mail address "john.smith@domain.tld".
Maybe someone knows if this is possible or not.
Thanks in advance,
M.Soysal
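The lookup the post asks for, a login matched on one attribute while the account name is still taken from uid, modelled as an added stand-alone example (not sssd's code): the directory entry is constructed from the ldapsearch output above, the filter follows the one in the sssd log, and the function names are assumptions. It also shows the two checks this decoupling needs, escaping of the login value in the filter and rejection of a non-unique lookup attribute.

```python
"""Model of the lookup the post asks for: the login value is matched on one LDAP
attribute (lookup_attr) while the Unix account name is still taken from another
(name_attr, here uid). Stand-alone illustration, not sssd's code."""

# Constructed LDAP entry, with the values from the ldapsearch output in the post.
DIRECTORY = [
    {
        "uid": ["jsmith"],
        "cn": ["johnsmith"],
        "mail": ["john.smith@domain.tld"],
        "objectClass": ["posixAccount", "inetOrgPerson", "person", "top"],
        "uidNumber": ["54321"],
        "gidNumber": ["12345"],
        "homeDirectory": ["/home/jsmith"],
    }
]


def escape_filter_value(value):
    """Escape a login value for an LDAP filter (RFC 4515) so that '*', '(' or ')'
    typed as a login name cannot change the meaning of the search."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_user_filter(lookup_attr, login):
    """The filter seen in the sssd log, (&(uid=jsmith)(objectclass=posixAccount)),
    with the lookup attribute made configurable."""
    return "(&(%s=%s)(objectclass=posixAccount))" % (lookup_attr, escape_filter_value(login))


def match(entry, lookup_attr, login):
    """Case-insensitive equality match, as a directory evaluates uid= or mail=."""
    return any(v.lower() == login.lower() for v in entry.get(lookup_attr, []))


def resolve_account(login, lookup_attr="uid", name_attr="uid", directory=DIRECTORY):
    """Return the Unix account name for a login, or None if nothing matches.
    The lookup attribute must be unique: two matching entries make the mapping
    ambiguous, so they are rejected rather than picking the first one."""
    hits = [e for e in directory
            if "posixAccount" in e["objectClass"] and match(e, lookup_attr, login)]
    if len(hits) > 1:
        raise ValueError("%s=%s is not unique in the directory" % (lookup_attr, login))
    return hits[0][name_attr][0] if hits else None


if __name__ == "__main__":
    print(build_user_filter("mail", "john.smith@domain.tld"))
    print(resolve_account("john.smith@domain.tld", lookup_attr="mail"))  # jsmith
```

Setting lookup_attr and name_attr to the same value reproduces what ldap_user_name = mail does: the login works, but the account name becomes the mail address.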