On Fri, Jan 08, 2021 at 02:15:14PM -0500, Lawrence Kearney wrote:
SSSD team,
Hello! I'm a bit perplexed on how to validate and test data read by the
Dbus/IFP responder. I'd like to better understand the cache aspects and how
to validate that non-default whitelisted attributes are in fact exposed.
I'm using the AD provider against a 2012 R2 back end.
[sssd]
config_file_version = 2
services = nss,pam,pac,ifp
domains = dvc.darkvixen.com
[nss]
reconnection_retries = 3
filter_users = root,bin,daemon,games,gdm,lp,nobody,openslp,rpc,statd
filter_groups = root,bin,daemon,sys,disk,lp,audio,floppy,cdrom,video,games
[pam]
[pac]
[ifp]
allowed_uids = root,wwwrun,sssd
user_attributes = +mail,+department,+telephoneNumber,-gecos
[domain/dvc.darkvixen.com]
id_provider = ad
enumerate = false
cache_credentials = true
case_sensitive = false
override_homedir = /home/%u
override_shell = /bin/bash
override_gid = 1727401607
ldap_user_extra_attrs = mail,department,telephoneNumber
Hi,
the tools below only work with default attributes.
Output from sssctl:
# sssctl user-show msteele
Name: msteele
Cache entry creation date: 01/08/21 10:14:35
Cache entry last update time: 01/08/21 14:04:18
Cache entry expiration time: 01/08/21 15:34:18
Initgroups expiration time: 01/08/21 15:34:18
Cached in InfoPipe: No
^^^^^^ 'Cached' here has a special meaning as described in
https://sssd.io/docs/design_pages/dbus_cached_objects.html and is not
related to SSSD's on-disk cache where user and group data is stored.
# sssctl user-checks msteele
user: msteele
action: acct
service: system-auth
SSSD nss user lookup result:
- user name: msteele
- user id: 1727401116
- group id: 1727401607
- gecos: Ming Steele
- home directory: /home/msteele
- shell: /bin/bash
SSSD InfoPipe user lookup result:
- name: msteele
- uidNumber: 1727401116
- gidNumber: 1727400513
- gecos:
- homeDirectory: /home/msteele
- loginShell: /bin/bash
Here only the default attributes are shown.
testing pam_acct_mgmt
pam_acct_mgmt: Success
PAM Environment:
- no env -
Should the attributes in fact be cached and displayed?
To check for additional attributes you can e.g. use:
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe \
    /org/freedesktop/sssd/infopipe org.freedesktop.sssd.infopipe.GetUserAttr \
    string:"msteele" array:string:mail,department,telephoneNumber
HTH
bye,
Sumit
Packages installed:
# rpm -qa | grep sss
python-sssdconfig-1.16.5-10.el7_9.5.noarch
sssd-client-1.16.5-10.el7_9.5.armv7hl
libsss_autofs-1.16.5-10.el7_9.5.armv7hl
sssd-common-1.16.5-10.el7_9.5.armv7hl
libsss_simpleifp-1.16.5-10.el7_9.5.armv7hl
sssd-ad-1.16.5-10.el7_9.5.armv7hl
libsss_idmap-1.16.5-10.el7_9.5.armv7hl
libsss_certmap-1.16.5-10.el7_9.5.armv7hl
sssd-libwbclient-1.16.5-10.el7_9.5.armv7hl
libsss_sudo-1.16.5-10.el7_9.5.armv7hl
sssd-polkit-rules-1.16.5-10.el7_9.5.armv7hl
sssd-dbus-1.16.5-10.el7_9.5.armv7hl
sssd-common-pac-1.16.5-10.el7_9.5.armv7hl
sssd-tools-1.16.5-10.el7_9.5.armv7hl
sssd-ldap-1.16.5-10.el7_9.5.armv7hl
libsss_nss_idmap-1.16.5-10.el7_9.5.armv7hl
sssd-krb5-common-1.16.5-10.el7_9.5.armv7hl
python-sss-1.16.5-10.el7_9.5.armv7hl
sssd-krb5-1.16.5-10.el7_9.5.armv7hl
-- lawrence
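
Added example (not part of the original thread, and not SSSD's own code): a static check of the sssd.conf settings discussed above. It computes which attributes the [ifp] user_attributes whitelist exposes and flags non-default ones that no domain requests through ldap_user_extra_attrs. Assumptions: the default attribute set is the one listed in sssd-ifp(5), a bare name is treated like +name, a removal wins over an addition, names compare case-insensitively; all function names are hypothetical.

```python
import configparser
# Attributes InfoPipe serves when user_attributes is unset, per sssd-ifp(5).
IFP_DEFAULTS = ["name", "uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell"]

# Constructed sample: the settings from the thread's sssd.conf that matter here.
SAMPLE_CONF = """\
[sssd]
services = nss,pam,pac,ifp
domains = dvc.darkvixen.com
[ifp]
allowed_uids = root,wwwrun,sssd
user_attributes = +mail,+department,+telephoneNumber,-gecos
[domain/dvc.darkvixen.com]
override_homedir = /home/%u
ldap_user_extra_attrs = mail,department,telephoneNumber
"""

def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]

def effective_whitelist(user_attributes):
    """Defaults plus +attr (or bare attr) entries, minus -attr entries."""
    # Assumptions: removal wins over addition; names compare case-insensitively.
    items = split_list(user_attributes)
    denied = {i[1:].lower() for i in items if i.startswith("-")}
    result = list(IFP_DEFAULTS)
    for name in (i.lstrip("+") for i in items if not i.startswith("-")):
        if name.lower() not in (r.lower() for r in result):
            result.append(name)
    return [r for r in result if r.lower() not in denied]

def audit(conf_text):
    """Report what [ifp] exposes and which extras a domain is not set to fetch."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %u literal
    cp.read_string(conf_text)
    allowed = effective_whitelist(cp.get("ifp", "user_attributes", fallback=""))
    defaults = {d.lower() for d in IFP_DEFAULTS}
    missing = {}
    for dom in split_list(cp.get("sssd", "domains", fallback="")):
        raw = cp.get("domain/" + dom, "ldap_user_extra_attrs", fallback="")
        # An entry may be "sssd_name:ldap_name"; the SSSD-side name comes first.
        fetched = {e.split(":", 1)[0].strip().lower() for e in split_list(raw)}
        missing[dom] = [a for a in allowed if a.lower() not in defaults | fetched]
    return {
        "ifp_enabled": "ifp" in split_list(cp.get("sssd", "services", fallback="")),
        "allowed_uids": split_list(cp.get("ifp", "allowed_uids", fallback="")),
        "allowed": allowed,
        "missing": missing,
    }
```

Calling audit(SAMPLE_CONF) returns an empty "missing" list for the domain, so the configuration itself is consistent; the allowed_uids list in the result is also the set of accounts able to read these attributes over D-Bus.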