Not sure if it helps with the attribute query use case but perhaps
incorporating attribute=value directives in the base, or user search base
directives:
ldap_user_search_base = ou=users,dc=example,dc=com?onelevel?someAttribute=*
-- lawrence
On Tue, Mar 26, 2019 at 11:45 AM Lukas Slebodnik <lslebodn(a)redhat.com> wrote:
On (26/03/19 14:21), Martin Hansen wrote:
>Hi,
>
>I'm using sssd with LDAP backend / domain. I wonder if there is a way to
>influence the attributes which are queried by sssd? Like not just the
>mapping but which attributes are ok to be queried and which attributes
>should not? I have some cloud servers which are accessing our internal
>directory via slapd (proxy).
>
>I have two questions re this:
>
>1. I use "services: nss,pam", so why is sssd querying sudoers information
>via the ldap domain like:
>
>ldap filter used by sssd:
>"(&(?objectClass=sudoRole)(|(!(?sudoHost=*))(?sudoHost=ALL)(?sudoHost=ip-xx-xx-xx-xx)(?sudoHost=ip-xx-xx-xx-xx)(?sudoHost=xx.xx.xx.xx)(?sudoHost=xx.xx.xx.xx/xx)?sudoHost=+*)(|(?sudoHost=*\5C*)(?sudoHost=*?*)(?sudoHost=*\2A*)(?sudoHost=*[*]*))))"
>
Previously, there was some heuristic when the sudo provider was enabled.
man sssd.conf says:

    sudo_provider (string)
        The SUDO provider used for the domain. Supported SUDO providers are:
        “ldap” for rules stored in LDAP. See sssd-ldap(5) for more information on configuring LDAP.
        “ipa” the same as “ldap” but with IPA default settings.
        “ad” the same as “ldap” but with AD default settings.
        “none” disables SUDO explicitly.
        Default: The value of “id_provider” is used if it is set.
        The detailed instructions for configuration of sudo_provider are in the manual page sssd-sudo(5).
        There are many configuration options that can be used to adjust the behavior. Please refer to
        "ldap_sudo_*" in sssd-ldap(5).
        NOTE: Sudo rules are periodically downloaded in the background unless the sudo provider is
        explicitly disabled. Set sudo_provider = None to disable all sudo-related activity in SSSD if
        you do not want to use sudo with SSSD at all.

Just disable the sudo provider and such queries will be gone.
>2. I as well would like to modify the attributes which are queried by
>sssd. I would like sssd NOT to query "userPassword" for example. A lot of
>other attributes which are queried are not relevant in my environment as
>well e.g. the "krb*" attributes.
>
>ldap attributes queried by sssd:
>objectClass uid userPassword uidNumber gidNumber gecos homeDirectory
>loginShell krbPrincipalName cn GroupMembership modifyTimestamp
>modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning
>shadowInactive shadowExpire shadowFlag krbLastPwdChange
>krbPasswordExpiration pwdAttribute authorizedService accountExpires
>userAccountControl nsAccountLock host rhost loginDisabled
>loginExpirationTime loginAllowedTimeMap sshPublicKey userCertificate;binary
>mail
>
>Is it possible to influence this behavior somehow, I tried
>user_attributes in the domain section as well as in the nss section without
>success, e.g. "user_attributes = -userPassword".
>
>any help or clarifying words are appreciated, have a great day
krb* related options should be checked just for `auth_provider = krb5`.
You did not share your sssd.conf, but you might override some attributes
in sssd.conf (check the man page sssd-ldap).
LS
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
--
Lawrence Kearney
e: lawrence.kearney(a)earthlink.net
t: +001 706.951.6257
w: www.lawrencekearney.com
l: www.linkedin.com/in/lawrencekearney
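The two points made in the thread (sudo rules are downloaded in the background whenever sudo_provider is left unset, because it defaults to id_provider; the krb* attribute lookups only matter for auth_provider = krb5) are easy to check mechanically. The following is an added example written for this page, not code from the thread participants or from the sssd project: a small Python audit over a constructed sssd.conf. The domain name example.com, the ldap_uri and search bases, and the attribute name someAttribute (taken from the search-base suggestion above) are all assumptions used as sample input; the "base?scope?filter" search-base syntax is the one documented in sssd-ldap(5).

```python
"""Audit a constructed sssd.conf for the behaviours discussed in the thread:
an implicit sudo provider that keeps downloading rules in the background,
and auth_provider = krb5, which is what makes the krb* attributes relevant.
"""
import configparser

# Constructed sample reproducing the situation in the question: the sudo
# responder is not in "services", but sudo_provider is not set either, so
# it silently defaults to the id_provider ("ldap").
SSSD_CONF_BEFORE = """\
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
"""

# Constructed corrected sample: sudo disabled explicitly, plus a narrowed
# user search base using the "base?scope?filter" syntax suggested above.
SSSD_CONF_AFTER = SSSD_CONF_BEFORE + """\
sudo_provider = none
ldap_user_search_base = ou=users,dc=example,dc=com?onelevel?someAttribute=*
"""

SCOPES = ("base", "onelevel", "subtree")


def load(conf_text):
    # sssd.conf is INI-like; interpolation is off so '%' in values is literal.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp


def effective_sudo_provider(conf_text, domain):
    """sudo_provider as sssd resolves it: explicit value, else id_provider."""
    cp = load(conf_text)
    section = f"domain/{domain}"
    value = cp.get(section, "sudo_provider", fallback=None)
    if value is None:
        value = cp.get(section, "id_provider", fallback=None)
    return value.strip().lower() if value else None


def parse_search_base(value):
    """Split "base?scope?filter[?base?scope?filter...]" into tuples.

    Scope defaults to "subtree" when omitted (assumption matching the
    sssd-ldap(5) description). Filters containing '?' are not handled.
    """
    parts = [p.strip() for p in value.split("?")]
    entries = []
    for i in range(0, len(parts), 3):
        base = parts[i]
        scope = parts[i + 1].lower() if i + 1 < len(parts) and parts[i + 1] else "subtree"
        flt = parts[i + 2] if i + 2 < len(parts) else ""
        if scope not in SCOPES:
            raise ValueError(f"unknown scope {scope!r} in {value!r}")
        entries.append((base, scope, flt))
    return entries


def audit_domain(conf_text, domain):
    """Return a list of (code, message) findings for one domain section."""
    cp = load(conf_text)
    section = f"domain/{domain}"
    if section not in cp:
        raise KeyError(f"no [{section}] section in config")
    findings = []
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",") if s.strip()]
    sudo = effective_sudo_provider(conf_text, domain)
    if sudo not in (None, "none") and "sudo" not in services:
        findings.append(("sudo-background-download",
                         f"sudo_provider resolves to '{sudo}' although the sudo responder is not "
                         "in services; rules are still fetched in the background. "
                         "Set sudo_provider = none."))
    if cp.get(section, "auth_provider", fallback="").strip().lower() == "krb5":
        findings.append(("krb5-attributes",
                         "auth_provider = krb5: the krb* attributes will be requested from LDAP."))
    return findings


if __name__ == "__main__":
    for label, conf in (("before", SSSD_CONF_BEFORE), ("after", SSSD_CONF_AFTER)):
        print(label, audit_domain(conf, "example.com"))
        for key in ("ldap_search_base", "ldap_user_search_base"):
            raw = load(conf).get("domain/example.com", key, fallback=None)
            if raw:
                print(" ", key, parse_search_base(raw))
```

Run against a real /etc/sssd/sssd.conf the check needs only `open(...).read()` in place of the constructed strings; the sudo finding disappears once `sudo_provider = none` is present, which is exactly the change the man page excerpt recommends.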