On Wed, Jul 10, 2013 at 10:08:23PM -0400, Simo Sorce wrote:
On Wed, 2013-07-10 at 23:32 +0200, Jakub Hrozek wrote:
> On Wed, Jul 10, 2013 at 06:00:25PM +0200, Mehmet Soysal wrote:
> > Hi,
> > I have a short question about how LDAP lookups are done
> > and if it is possible to modify them.
> > At the moment I have an sssd (1.9.2) up and running fine with an LDAP server.
> >
> > If a user tries to log in with his username (ex. jsmith)
> > or via the getent command (getent passwd jsmith),
> > sssd creates an LDAP query with "uid=username".
> >
> > I found this in the logs:
> > [sssd[be[default]]] [sdap_get_generic_ext_step] (0x0400): calling
> > ldap_search_ext with [(&(uid=jsmith)(objectclass=posixAccount))] ...
> >
> > ldapsearch for this user (jsmith)
> > [...]
> > uid: jsmith
> > description: 2560
> > givenName: John
> > objectClass: organizationalPerson
> > objectClass: person
> > objectClass: posixAccount
> > objectClass: inetOrgPerson
> > objectClass: top
> > cn: johnsmith
> > sn: something_else
> > homeDirectory: /home/jsmith
> > mail: john.smith@domain.tld
> > uidNumber: 54321
> > gidNumber: 12345
> > [...]
> >
> > Is it possible to change the default LDAP lookup from sssd, using for
> > example "mail" or "cn" instead of uid?
> > So the ldap lookup which is created by sssd does not look like this:
> > [(&(uid=jsmith)(objectclass=posixAccount))]
> > It should look like this one:
> > [(&(mail=jsmith)(objectclass=posixAccount))]
> >
> > Maybe with a conf option
> > lookup_username_attr mail
> > #default uid
> > would do the job.
> >
> > Of course this would fail in this situation, but a user could then log in
> > with his mail address (john.smith@domain.tld)
> > via ssh for example, and get his usual Unix account "jsmith".
> >
> > I don't want a mapping or rewrite of the uid field.
> > The Unix account name should still be filled by the uid field from the LDAP
> > entry.
> >
> > I tried
> > ldap_user_name = mail
> > but then the Unix account names are mapped to the mail attribute.
> >
> > With a second "Domain Section" a user could use both "login names" to log in
> > via ssh.
> > His Unix account "jsmith" and his mail address "john.smith@domain.tld".
> >
> >
> > Maybe someone knows if this is possible or not.
It's not possible atm, but you could open an RFE against sssd to
implement it. We had requests to 'login by email' before.
Right, feel free to open an RFE.
> > Thanks in advance
> > M.Soysal
>
> Hi Mehmet,
>
> I can only think of one approach - as attributes in LDAP are
> multivalued, you could create an additional "uid" attribute value that
> would contain the e-mail as well.
>
> Here is how the SSSD behaves wrt name attributes:
> 1) if there is a single attribute value, just use it.
> 2) if the attribute is multivalued
> 2a) If the RDN value corresponds to one of the attribute values,
> use it as the primary name and the others as "aliases".
> 2b) If the RDN value doesn't match any of the name values, pick
> the first one.
> 3) Lookups match both name and alias
>
> So if you had a multivalued "uid" attribute that would contain both the name
> (uid=joe) and the e-mail (uid=joe@example.com), and the name would be present
> in the RDN (uid=joe,ou=users,dc=example,dc=com), then SSSD would store "joe"
> as the primary name, joe@example.com as the alias and the NSS responder
> would match on both "joe" and "joe@example.com".
I think this would cause you to get entries with multivalued RDNs.
No, it works correctly, I actually tested it.
The user entry on the server looked like this (simplified):
dn: uid=foo,cn=users,cn=accounts,dc=ipa,dc=example,dc=com
uid: foo
uid: foobar
On the client, both "getent passwd foo" and "getent passwd foobar" worked.
The entry in cache looked like this:
dn: name=foo,cn=users,cn=ipa.example.com,cn=sysdb
name: foo
nameAlias: foobar
The catch I ran into is that the default FQDN format is the same as the
e-mail format.
> I can't think of a way that would not require changes on the server
> side, sorry.
There is a way that would require changes in SSSD :-)
Simo.
Sure, but I assumed that changing an entry on the server is an easier way
for the user than waiting on unreleased code.