On Thu, Oct 22, 2020 at 1:30 AM Lawrence Kearney <hangarbait@gmail.com> wrote:
Tory,
Some of the directives specified seem unnecessary. For example since you're using a ldaps URI there's no need to implement TLS directives, and since the LDAP backend is AD many of the attribute mappings are likely unnecessary as well unless there's something we don't understand at play. Perhaps simplify the config first.

I would try the following and test.

# ldap_id_use_start_tls = true
# ldap_service_port = 636
ldap_tls_reqcert = allow
ldap_force_upper_case_realm = true
ldap_uri = ldaps://aadds.com
ldap_search_base = dc=aadds,dc=com
# ldap_user_object_class = posixAccount
ldap_default_bind_dn = aadds\sssd
ldap_default_authtok_type = password
ldap_default_authtok = somearbitrarycrap
ldap_tls_cacertdir = /etc/openldap/cacerts


# Unix to AD attribute mapping
ldap_schema = ad
# ldap_schema = rfc2307
# ldap_user_object_class = person
# ldap_group_object_class = group
# ldap_user_home_directory = unixHomeDirectory

# ldap_user_modify_timestamp = whenChanged
# ldap_user_principal = userPrincipalName
# ldap_user_name = sAMAccountName
# ldap_user_gecos = displayName
# ldap_user_uid_number = uidNumber
# ldap_user_gid_number = gidNumber
# ldap_user_shell = loginShell
# ldap_group_name = uniqueMember

-- lawrence
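As an added check, not part of the thread, a small Python lint that encodes the two simplifications above (a start-TLS directive is redundant with an ldaps:// URI, and explicit attribute mappings are redundant once ldap_schema = ad is set) and also flags ldap_tls_reqcert = allow, which lets the connection proceed without verifying the server certificate. The sample fragment is constructed from the posted config with two of the commented-out directives switched back on; the option names are those of sssd-ldap(5).

```python
# Attribute mappings that ldap_schema = ad already supplies by default.
AD_DEFAULT_MAPPINGS = {
    "ldap_user_object_class", "ldap_group_object_class", "ldap_group_name",
    "ldap_user_name", "ldap_user_principal", "ldap_user_home_directory",
    "ldap_user_gecos", "ldap_user_uid_number", "ldap_user_gid_number",
    "ldap_user_shell", "ldap_user_modify_timestamp",
}

# Constructed sample: the thread's simplified fragment with two of the
# commented-out TLS and mapping directives switched back on.
VERBOSE_CONF = """
ldap_id_use_start_tls = true
ldap_tls_reqcert = allow
ldap_uri = ldaps://aadds.com
ldap_search_base = dc=aadds,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = somearbitrarycrap
ldap_schema = ad
ldap_user_name = sAMAccountName
"""

def parse_directives(text: str) -> dict[str, str]:
    """Return active key = value pairs; '#' and ';' lines are comments."""
    directives: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            directives[key.strip()] = value.strip()
    return directives

def lint_sssd_domain(text: str) -> list[str]:
    """Return human-readable findings for an sssd.conf LDAP domain fragment."""
    d = parse_directives(text)
    findings: list[str] = []
    if d.get("ldap_uri", "").startswith("ldaps://") and d.get("ldap_id_use_start_tls", "").lower() == "true":
        findings.append("ldap_id_use_start_tls: redundant, the ldaps:// URI already encrypts")
    reqcert = d.get("ldap_tls_reqcert", "").lower()
    if reqcert in ("never", "allow"):
        findings.append(f"ldap_tls_reqcert = {reqcert}: server certificate is not verified")
    if d.get("ldap_schema", "").lower() == "ad":
        for key in sorted(AD_DEFAULT_MAPPINGS & d.keys()):
            findings.append(f"{key}: redundant, ldap_schema = ad already maps it")
    if "ldap_default_authtok" in d:
        findings.append("ldap_default_authtok: cleartext bind password, keep sssd.conf root-only 0600")
    return findings
```

Run it over the [domain/...] section of a real sssd.conf to get the same list; an empty list means none of these four conditions applies.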


Thanks Lawrence, so same results, but def means I didn't need as much stuff as I had in there. I'm still able to get into the LDAP server but not getting any results.

Not sure if this error is telling, or generic/normal?

(Thu Oct 22 11:28:36 2020) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): dbus conn: 0x55791e6f7000
(Thu Oct 22 11:28:36 2020) [sssd[be[LDAP]]] [sbus_dispatch] (0x4000): Dispatching.
(Thu Oct 22 11:28:36 2020) [sssd[be[LDAP]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.dataprovider.getAccountInfo on path /org/freedesktop/sssd/dataprovider
(Thu Oct 22 11:28:36 2020) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit

Also is this saying that it's not able to find the user and thus falls back to looking for the group or is this a sign of an issue?

(Thu Oct 22 11:28:36 2020) [sssd[be[LDAP]]] [sysdb_search_by_name] (0x0400): No such entry
(Thu Oct 22 11:28:36 2020) [sssd[be[LDAP]]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectCategory=group)(ghost=tory.blue@aadds.com))

Thanks again
-Tory