Hello,
I am trying to use sssd in our environment where unfortunately we have a
broken ldap implementation with no options to fix it.
We have an openldap implementation where our 'uid' field can contain
many attributes, some containing a 'uid' and others containing
'uid@functional-unit'. Some users have in their ldap account a single
'uid@functional-unit' whereas others have 'uid' and potentially many
'uid@functional-unit'.
sssd does the right thing for most cases with multiple attributes; just
providing the first returned attribute (which is 'uid'). However I am
experiencing problems with users that have only a 'uid@functional-unit'
entry.
I want to configure sssd so that both 'uid' and 'uid@functional-unit'
are represented by sssd as 'uid'.
Please see below for some examples of what I'm talking about and my
current configuration.
[~]$ getent passwd user1
user1:*:90001:20010:user1:/home/user1:/bin/bash
[~]$ getent passwd |grep user2
user2@functional-unit:*:85010:20010:user2:/home/user2@functional-unit:/bin/bash
[~]$
Note: I can't do a 'getent passwd user2' or 'getent passwd
user2@functional-unit' - neither option works.
I want to be able to 'getent passwd user2' and see no reference of the
'functional-unit'.
Current sssd config (I'm using sssd-1.9.2-129.el6.x86_64 on RHEL6):
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss
domains = default
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
override_homedir = /home/%u
allowed_shells = /bin/bash
shell_fallback = /bin/bash
[pam]
reconnection_retries = 3
[domain/default]
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))
debug_level = 2
enumerate = true
cache_credentials = true
use_fully_qualified_names = false
id_provider = ldap
access_provider = ldap
auth_provider = krb5
chpass_provider = none
entry_cache_timeout = 5400
entry_cache_user_timeout = 1800
entry_cache_group_timeout = 5400
min_id = 1000
ldap_uri = ldap://ldap.example.com
ldap_search_base = c=com?sub?(&(objectClass=posixAccount)(|(memberOf=group-1)(memberOf=group-2)))
krb5_realm = EXAMPLE.COM
krb5_server = example.com
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
krb5_ccachedir = /tmp
I have been trying to address this issue with various permutations of
re_expression but seem to be failing miserably. If anyone has any
suggestions it would be most appreciated!
--
Kind regards,
Ben Morrice
______________________________________________________________________
Ben Morrice | e: ben.morrice(a)epfl.ch | t: +41-21-693-9670
EPFL - Quartier de l’innovation, Bât. J, 3ème étage, CH-1015 Lausanne, SWITZERLAND
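An added example, not from the post or from sssd itself, that walks the posted re_expression over the names in the question to show how each lookup is split into name and domain. It assumes, as sssd.conf(5) describes, that re_expression is applied to the name in the lookup request and that a parsed domain must be one of the configured sssd domains (here only 'default'); PCRE accepts the repeated group names in the posted pattern while Python's re does not, so the three alternatives are tried in order, which is how the alternation resolves anyway, and the '(a)' in the archived pattern is read as the list archive's masking of '@'.

```python
import re

# The three alternatives of the posted re_expression, split apart because
# Python's re rejects a group name used more than once in one pattern.
# First alternative that matches wins, as with the original alternation.
ALTERNATIVES = [
    re.compile(r"(?P<domain>[^\\]+)\\(?P<name>.+$)"),  # DOMAIN\name
    re.compile(r"(?P<name>[^@]+)@(?P<domain>.+$)"),    # name@domain
    re.compile(r"^(?P<name>[^@\\]+)$"),                # bare name
]

# 'domains = default' in the posted sssd.conf (assumed to be the only domain).
CONFIGURED_DOMAINS = {"default"}


def parse_name(raw):
    """Split a requested name into (name, domain) as re_expression would.

    domain is None for an unqualified name; returns None if no alternative
    matches at all.
    """
    for pattern in ALTERNATIVES:
        m = pattern.search(raw)  # sssd runs the pattern unanchored
        if m:
            return m.group("name"), m.groupdict().get("domain")
    return None


def routes_to_configured_domain(raw):
    """True if sssd could hand the parsed request to a configured domain.

    An unqualified name goes to the default domain; a qualified name needs
    its domain part to be a configured sssd domain. 'user2@functional-unit'
    therefore parses cleanly but points at a domain sssd does not have.
    """
    parsed = parse_name(raw)
    if parsed is None:
        return False
    _name, domain = parsed
    return domain is None or domain in CONFIGURED_DOMAINS


if __name__ == "__main__":
    for raw in ("user1", "user2@functional-unit", "EXAMPLE\\bob"):
        print(raw, "->", parse_name(raw), routes_to_configured_domain(raw))
```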