Thank you for the explanation. I understand.
On 2024/04/29 22:45, Sumit Bose <sbose(a)redhat.com> wrote:
On Mon, Apr 29, 2024 at 09:12:08PM +0900, koson823(a)me.com wrote:
> Hi,
>
> Thank you for your quick response. Yes, that was the reason. In this regard, allow me
> to add the following question.
>
> Is there any way to remove objectClass from the filter, such as to be (uid=hogehoge)
> but not (&(uid=hogehoge)(objectclass=inetOrgPerson)) as in the failure case?
>
> Even though I tried to remove the objectclass filter in sssd.conf, I couldn’t.
> Removing the "ldap_user_object_class" statement in [domain/local] automatically
> gives the following:
> (&(uid=hogehoge)(objectclass=posixAccount))
> (as mentioned before, posixAccount is not used in the LDAP database.)
> Or, is the declaration of objectclass mandatory in the filter?
> I would greatly appreciate any assistance.
Hi,
SSSD will always use an objectclass in the filter to make sure that
only the expected type of objects are returned.
HTH
bye,
Sumit
>
>> On 2024/04/29 19:55, Sumit Bose <sbose(a)redhat.com> wrote:
>>
>> Hi,
>>
>> my first guess would be that the `uid=search_id` object does not have
>> the permissions to read the `objectClass` attribute from other objects.
>> Please check the ACIs on the LDAP server side for this user.
>>
>> HTH
>>
>> bye,
>> Sumit
>>
>>> This initial search binding works fine and returns the user DN to log in, for
>>> example,
>>> uid=hogehoge,ou=staff,ou=Users,dc=example,dc=com
>>>
>>> However, as shown below, the user (hogehoge) cannot be authenticated.
>>> /var/log/sssd/sssd_local.log
>>> (2024-04-28 21:57:11): [be[local]] [sdap_call_op_callback] (0x20000): [RID#2] Handling LDAP operation [3][server: [xxx.xx.xx.x:636] filter: [(&(uid=hogehoge)(objectclass=inetOrgPerson))] base: [ou=Users,dc=example,dc=com]] took [2.910] milliseconds.
>>> (2024-04-28 21:57:11): [be[local]] [sdap_parse_entry] (0x1000): [RID#2] OriginalDN: [uid=hogehoge,ou=staff,ou=Users,dc=example,dc=com].
>>> (2024-04-28 21:57:11): [be[local]] [sdap_parse_entry] (0x0020): [RID#2] Unknown entry type, no objectClasses found!
>>>
>>> /var/log/secure
>>> Apr 28 21:57:11 server sssctl[1635756]: pam_sss(system-auth:auth): authentication failure; logname=dummy uid=0 euid=0 tty= ruser= rhost= user=hogehoge
>>> Apr 28 21:57:11 server sssctl[1635756]: pam_sss(system-auth:auth): received for user hogehoge: 4 (System error)
> --
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
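The failure mode discussed in this thread is easy to miss in a busy sssd_<domain>.log: the LDAP operation succeeds, the DN comes back, and only a later sdap_parse_entry line reveals that no objectClass values were readable. The script below is an added example, written for this page and not part of SSSD or of the thread. It correlates the three log records by their RID, extracts the objectClass that SSSD put in the filter, and explains why the combination "entry matched the objectclass filter, but no objectClasses were returned" points at a read ACI on the bind identity rather than at the filter itself. The sample log lines are constructed, modelled on the ones quoted above; the server address, DNs and second RID#3 request are assumptions used to show a healthy request beside the failing one.

```python
"""Triage SSSD LDAP-provider log lines for the "no objectClasses found" failure.

Added example for this thread; not SSSD code. Parses sdap_call_op_callback /
sdap_parse_entry records, groups them by RID and reports entries that matched an
objectclass filter yet came back with no readable objectClass attribute.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample log, modelled on the lines quoted in the thread.
# RID#2 is the failing lookup; RID#3 is an assumed healthy one for contrast.
SAMPLE_LOG = """\
(2024-04-28 21:57:11): [be[local]] [sdap_call_op_callback] (0x20000): [RID#2] Handling LDAP operation [3][server: [xxx.xx.xx.x:636] filter: [(&(uid=hogehoge)(objectclass=inetOrgPerson))] base: [ou=Users,dc=example,dc=com]] took [2.910] milliseconds.
(2024-04-28 21:57:11): [be[local]] [sdap_parse_entry] (0x1000): [RID#2] OriginalDN: [uid=hogehoge,ou=staff,ou=Users,dc=example,dc=com].
(2024-04-28 21:57:11): [be[local]] [sdap_parse_entry] (0x0020): [RID#2] Unknown entry type, no objectClasses found!
(2024-04-28 21:58:02): [be[local]] [sdap_call_op_callback] (0x20000): [RID#3] Handling LDAP operation [4][server: [xxx.xx.xx.x:636] filter: [(&(uid=alice)(objectclass=inetOrgPerson))] base: [ou=Users,dc=example,dc=com]] took [1.100] milliseconds.
(2024-04-28 21:58:02): [be[local]] [sdap_parse_entry] (0x1000): [RID#3] OriginalDN: [uid=alice,ou=staff,ou=Users,dc=example,dc=com].
"""

RID_RE = re.compile(r"\[RID#(\d+)\]")
FILTER_RE = re.compile(r"filter: \[(?P<filter>.*?)\] base: \[(?P<base>.*?)\]")
DN_RE = re.compile(r"OriginalDN: \[(?P<dn>.*?)\]\.")
OBJECTCLASS_RE = re.compile(r"\(objectclass=([^)]+)\)", re.IGNORECASE)
NO_OBJECTCLASS_MSG = "Unknown entry type, no objectClasses found!"


@dataclass
class LdapRequest:
    """Everything the log tells us about one SSSD request (one RID)."""
    rid: str
    ldap_filter: Optional[str] = None
    base: Optional[str] = None
    dns: List[str] = field(default_factory=list)
    missing_objectclass: bool = False

    @property
    def expected_objectclass(self) -> Optional[str]:
        """The objectclass SSSD insisted on in the filter (from ldap_user_object_class)."""
        if not self.ldap_filter:
            return None
        m = OBJECTCLASS_RE.search(self.ldap_filter)
        return m.group(1) if m else None


@dataclass
class Diagnosis:
    rid: str
    dn: str
    expected_objectclass: Optional[str]
    message: str


def parse_sssd_log(text: str) -> Dict[str, LdapRequest]:
    """Group filter, returned DN and parse-error records by RID."""
    requests: Dict[str, LdapRequest] = {}
    for line in text.splitlines():
        rid_m = RID_RE.search(line)
        if not rid_m:
            continue  # not an LDAP-provider record we care about
        req = requests.setdefault(rid_m.group(1), LdapRequest(rid=rid_m.group(1)))
        if (m := FILTER_RE.search(line)):
            req.ldap_filter, req.base = m.group("filter"), m.group("base")
        elif (m := DN_RE.search(line)):
            req.dns.append(m.group("dn"))
        elif NO_OBJECTCLASS_MSG in line:
            req.missing_objectclass = True
    return requests


def find_objectclass_failures(text: str) -> List[Diagnosis]:
    """Return one Diagnosis per request whose entry came back without objectClass."""
    out: List[Diagnosis] = []
    for req in parse_sssd_log(text).values():
        if not req.missing_objectclass:
            continue
        dn = req.dns[-1] if req.dns else "<unknown DN>"
        oc = req.expected_objectclass
        # The server only returned this DN because it satisfied the whole filter,
        # including the objectclass term, so the attribute exists on the entry.
        # SSSD then failed to see any objectClass value, which means the bind
        # identity could use the attribute for matching but not read it back:
        # a read (as opposed to search/compare) permission problem in the ACIs.
        msg = (
            f"RID#{req.rid}: {dn} matched filter {req.ldap_filter} under base {req.base}, "
            f"so objectclass={oc} is present on the entry, yet no objectClass values were "
            f"returned. SSSD always filters on an objectclass and cannot parse an entry "
            f"without one; check that the bind DN has read access to objectClass in the "
            f"LDAP server ACIs."
        )
        out.append(Diagnosis(req.rid, dn, oc, msg))
    return out


if __name__ == "__main__":
    for d in find_objectclass_failures(SAMPLE_LOG):
        print(d.message)
```

Run it against a real sssd_<domain>.log captured at debug_level 9 or higher (the sdap_parse_entry records are only present at that level) and it will list each RID where the lookup succeeded at the LDAP layer but failed in SSSD's entry parsing. The check to perform afterwards is on the server: bind as the search identity with ldapsearch and request only objectClass for the returned DN; an empty attribute list while the DN is still returned confirms the read permission gap that the first reply in the thread suspected.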