Re: [SSSD-users] Question about ldap lookup

On Wed, 2013-07-10 at 23:32 +0200, Jakub Hrozek wrote: > On Wed, Jul 10, 2013 at 06:00:25PM +0200, Mehmet Soysal wrote: > > Hi, > > i have a short question about how ldap lookups are done > > and if it is possible to modify them. > > At the moment i have a sssd(1.9.2) up and running fine with a ldapserver. > > > > If a user tries to login with his username (ex. jsmith) > > or by getent command (getent passwd jsmith), > > sssd creates a ldap query with "uid=username". > > > > I found this in the logs: > > [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling > > ldap_search_ext with [(&(uid=jsmith)(objectclass=posixAccount))] ... > > > > ldapsearch for this user (jsmith) > > [...] > > uid: jsmith > > description: 2560 > > givenName: John > > objectClass: organizationalPerson > > objectClass: person > > objectClass: posixAccount > > objectClass: inetOrgPerson > > objectClass: top > > cn: johnsmith > > sn: something_else > > homeDirectory: /home/jsmith > > mail: john.smith(a)domain.tld > > uidNumber: 54321 > > gidNumber: 12345 > > [...] > > > > Is it possible to change the default ldap lookup from sssd, using for > > example "mail" or "cn" instead of uid ? > > So the ldap lookup which is created by sssd does not look like this: > > [(&(uid=jsmith)(objectclass=posixAccount))] > > It should look like this one: > > [(&(mail=jsmith)(objectclass=posixAccount))] > > > > Maybe with a conf option > > lookup_username_attr mail > > #default uid > > would to the job. > > > > Of Course this would fail in this situation, but a user could then login > > with his mailadress( john.smith(a)domain.tld ) > > via ssh for example, and get his usuall unixaccount "jsmith" > > > > I don`t want a mapping or rewrite of the uid field. > > The unixaccount name should still be filled by the uid field from ldap > > entry. > > > > I tried > > ldap_user_name = mail > > but then the unix account names are mapped to the mail attribute. > > > > With a second "Domain Section" a user could use both "login names" to login > > via ssh. > > His Unix Account "jsmith" and his mail adress "john.smith(a)domain.tld". > > > > > > Maybe someone knows if this is possible or not. It's not possible atm, but you could open a RFE against sssd to implement it. We had request to 'login by email' before.

> > Thanks in advance > > M.Soysal > > Hi Mehmet, > > I can only think about one approach - as attributes in LDAP are > multivalued, you could create additional "uid" attribute value that > would contain the e-mail as well. > > Here is how the SSSD behaves wrt name attributes: > 1) if there is a single attribute value, just use it. > 2) if the attribute is multivalued > 2a) If the RDN value corresponds to one of the attribute values, > use it as the primary name and the others as "aliases". > 2b) If the RDN value doesn't match to any of name values, pick > the first one. > 3) Lookups match both name and alias > > So if you had a multivalued "uid" attribute that would contain both the name > (uid=joe) and the e-mail (uid=joe(a)example.com) the name would be present > in RDN (uid=joe,ou=users,dc=example,dc=com) then SSSD would store "joe" > as the primary name, joe(a)example.com as the alias and the NSS responder > would match on both "joe" and "joe(a)xample.com". I think this would cause you to get entries with multivalued RDNs

> I can't think of a way that would not require changes on the server > side, sorry. There is a way that would require changes in SSSD :-) Simo.