Tory,
Some of the directives specified seem unnecessary. For example, since you're using an ldaps URI there's no need to implement TLS directives, and since the LDAP backend is AD, many of the attribute mappings are likely unnecessary as well, unless there's something we don't understand at play. Perhaps simplify the config first.

I would try the following and test.

# ldap_id_use_start_tls = true
# ldap_service_port = 636
ldap_tls_reqcert = allow
ldap_force_upper_case_realm = true
ldap_uri = ldaps://aadds.com
ldap_search_base = dc=aadds,dc=com
# ldap_user_object_class = posixAccount
ldap_default_bind_dn = aadds\sssd
ldap_default_authtok_type = password
ldap_default_authtok = somearbitrarycrap
ldap_tls_cacertdir = /etc/openldap/cacerts


# Unix to AD attribute mapping
ldap_schema = ad
# ldap_schema = rfc2307
# ldap_user_object_class = person
# ldap_group_object_class = group
# ldap_user_home_directory = unixHomeDirectory

# ldap_user_modify_timestamp = whenChanged
# ldap_user_principal = userPrincipalName
# ldap_user_name = sAMAccountName
# ldap_user_gecos = displayName
# ldap_user_uid_number = uidNumber
# ldap_user_gid_number = gidNumber
# ldap_user_shell = loginShell
# ldap_group_name = uniqueMember

-- lawrence
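
As an added example that is not part of the reply above and not part of sssd, the following Python linter applies the points made there to a constructed copy of the posted [domain/LDAP] section: a key set twice, STARTTLS and port directives alongside an ldaps:// URI, and attribute-mapping directives alongside ldap_schema = ad. It adds one check the thread does not raise: ldap_tls_reqcert = allow accepts an unverifiable server certificate while the simple bind still sends ldap_default_authtok, so a server that interposes itself on the LDAPS connection gets the service account password. The section name, the two sample configurations (with a placeholder password) and the function names parse_section and lint are assumptions for illustration.

```python
"""Flag redundant or conflicting directives in an sssd [domain/...] section.

Constructed illustration, not part of sssd: the checks encode the advice in
the reply (no STARTTLS/port directives with an ldaps:// URI, no explicit
attribute mappings with ldap_schema = ad, no key set twice) plus one TLS
verification check. Hand-rolled parser because configparser either raises on
duplicate keys or silently keeps one of them.
"""
import re
from typing import Dict, List, Tuple

# Constructed copy of the posted section (placeholder password, not real data).
SAMPLE_CONF = """\
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_id_use_start_tls = true
ldap_service_port = 636
ldap_tls_reqcert = allow
ldap_uri = ldaps://aadds.com
ldap_search_base = dc=aadds,dc=com
ldap_user_object_class = posixAccount
ldap_default_bind_dn = aadds\\sssd
ldap_default_authtok = somearbitrarycrap
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
ldap_user_object_class = person
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
"""

# Constructed simplified variant: ldaps:// only, ldap_schema = ad, one leftover mapping.
SIMPLIFIED_CONF = """\
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://aadds.com
ldap_search_base = dc=aadds,dc=com
ldap_default_bind_dn = aadds\\sssd
ldap_default_authtok = somearbitrarycrap
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = ad
ldap_user_name = sAMAccountName
"""

# sssd-ldap attribute-mapping options that ldap_schema = ad already fills in.
MAPPING_KEYS = {
    "ldap_user_object_class", "ldap_user_name", "ldap_user_uid_number",
    "ldap_user_gid_number", "ldap_user_gecos", "ldap_user_home_directory",
    "ldap_user_shell", "ldap_user_principal", "ldap_user_modify_timestamp",
    "ldap_group_object_class", "ldap_group_name", "ldap_group_gid_number",
    "ldap_group_member", "ldap_group_modify_timestamp",
}

def parse_section(conf: str, section: str) -> List[Tuple[str, str]]:
    """(key, value) pairs of one section, in file order, duplicates kept."""
    pairs, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue                                  # comment or blank
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1)
            continue
        if current == section and "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip(), value.strip()))
    return pairs

def lint(conf: str, section: str = "domain/LDAP") -> List[str]:
    """Human-readable findings for one section; [] means nothing to flag."""
    findings: List[str] = []
    values: Dict[str, str] = {}
    for key, value in parse_section(conf, section):
        if key in values:
            findings.append(f"{key} is set twice ({values[key]!r}, then {value!r}); keep one")
        values[key] = value                          # last occurrence wins below

    if values.get("ldap_uri", "").startswith("ldaps://"):
        if values.get("ldap_id_use_start_tls", "").lower() == "true":
            findings.append("ldap_id_use_start_tls is pointless with an ldaps:// URI; "
                            "STARTTLS upgrades plain ldap:// connections")
        if "ldap_service_port" in values:
            findings.append("ldap_service_port is redundant with an ldaps:// URI; "
                            "put a non-default port in the URI instead")

    # Not raised in the thread: 'allow' (and 'never') accept an unverifiable server
    # certificate, so the simple bind sends ldap_default_authtok to whoever answers.
    if values.get("ldap_tls_reqcert", "").lower() in ("allow", "never"):
        findings.append(f"ldap_tls_reqcert = {values['ldap_tls_reqcert']} disables server "
                        "certificate verification; use demand with ldap_tls_cacert/ldap_tls_cacertdir")

    if values.get("ldap_schema", "").lower() == "ad":
        for key in values:
            if key in MAPPING_KEYS:
                findings.append(f"{key} is likely redundant with ldap_schema = ad; "
                                "drop it unless the directory deviates from the AD schema")
    return findings

if __name__ == "__main__":
    for name, conf in (("posted", SAMPLE_CONF), ("simplified", SIMPLIFIED_CONF)):
        print(f"== {name} ==")
        for finding in lint(conf) or ["no findings"]:
            print(" -", finding)
```

Run it as-is to see the four findings on the posted section and the single leftover mapping on the simplified one; to lint a real file, pass open("/etc/sssd/sssd.conf").read() and the domain section name to lint().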

On Thu, Oct 22, 2020, 2:54 AM Tory M Blue <tmblue@gmail.com> wrote:
I've got SSSD working locally via AD for unix account authentication, however we are joining a new mother ship and we are not on their LAN and thus don't have access to their AD network.

They set up an LDAPS configuration and while I can query it via ldapsearch, I can't get sssd to find anything. Neither getent nor id returns anything, but I see the requests in the sssd_domain.log. I'm sure I'm tripping up trying to refactor my AD config to work in the new LDAPS environment.

I understand my ldapsearch is doing a full-blown query list, and obviously if I give it a filter of my user, for example, I get all my data (sssd doesn't need all that data, but I need something).

I've spent a week banging my head and searching and trying different examples and really failing :)

So any assistance would be appreciated. I've tried searching, trial and error, and reading, and I figure I've exhausted my understanding and exhausted my attempts at copying others' configurations, and now I'm just running in circles.

Thanks in advance.

So basic data:

CentOS 7 
sssd 1.16.4
LDAPS endpoint on a windows AD domain.

sssd.conf

[domain/LDAP]

# Return debug level to 0 once working
debug_level = 9

default_domain_suffix = aads.com
enumerate = false
cache_credentials = false
id_provider = ldap
auth_provider = ldap
#access_provider = ldap
sudo_provider = ldap
chpass_provider = ldap

# timing config
entry_cache_timeout = 10
# entry_cache_nowait_timeout = 10
# entry_cache_nowait_percentage = 10

#use_fully_qualified_names = true
ldap_id_use_start_tls = true
ldap_service_port = 636
ldap_tls_reqcert = allow
ldap_force_upper_case_realm = true
ldap_uri = ldaps://aadds.com
ldap_search_base = dc=aadds,dc=com
ldap_user_object_class = posixAccount
ldap_default_bind_dn = aadds\sssd
ldap_default_authtok_type = password
ldap_default_authtok = somearbitrarycrap
ldap_tls_cacertdir = /etc/openldap/cacerts


# Unix to AD attribute mapping
ldap_schema = rfc2307bis
#ldap_schema = rfc2307
ldap_user_object_class = person
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory

ldap_user_modify_timestamp = whenChanged
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_user_gecos = displayName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_shell = loginShell
ldap_group_name = uniqueMember

Some data has been secured.

#>  ldapsearch -v  -x  -D AADDS\\sssd -b "dc=aadds,dc=com" -H ldaps://aadds.com -W "(cn=tory blue)"
ldap_initialize( ldaps://aadds.com:636/??base )
Enter LDAP Password:
filter: (cn=tory blue)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=aadds,dc=com> with scope subtree
# filter: (cn=tory blue)
# requesting: ALL
#

# Tory Blue, AA Users, aadds.com
<bunch of data pertaining to my user deleted>

#> id tory.blue@aads.com
#> id tory.blue
#>

sssd debug:

(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=tory.blue@aadds.com]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): DP Request [Account #8]: New request. Flags [0x0001].
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_attach_req] (0x0400): Number of active DP request: 1
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sss_domain_get_state] (0x1000): Domain LDAP is Active
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [dc=aadds,dc=com]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_print_server] (0x2000): Searching SECURED:636
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(|(userPrincipalName=tory.blue@aadds.com)(mail=tory.blue@aadds.com))(objectclass=person)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][dc=aadds,dc=com].
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uidNumber]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [gidNumber]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [displayName]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [unixHomeDirectory]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginShell]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPrincipalName]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [cn]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [memberOf]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [whenChanged]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [uSNChanged]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowLastChange]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMin]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowMax]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowWarning]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowInactive]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowExpire]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [shadowFlag]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbLastPwdChange]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [krbPasswordExpiration]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [pwdAttribute]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [authorizedService]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [accountExpires]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userAccountControl]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [nsAccountLock]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [host]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [rhost]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginDisabled]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginExpirationTime]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [loginAllowedTimeMap]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sshPublicKey]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userCertificate;binary]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [mail]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 18
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_op_add] (0x2000): New operation 18 timeout 6
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x562321c0f030], connected[1], ops[0x562321d75590], ldap[0x562321bf7400]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldaps://ForestDnsZones.aadds.com/DC=ForestDnsZones,DC=aadds,DC=com
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x562321c0f030], connected[1], ops[0x562321d75590], ldap[0x562321bf7400]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldaps://DomainDnsZones.aadds.com/DC=DomainDnsZones,DC=aadds,DC=com
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x562321c0f030], connected[1], ops[0x562321d75590], ldap[0x562321bf7400]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldaps://aadds.com/CN=Configuration,DC=aadds,DC=com
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x562321c0f030], connected[1], ops[0x562321d75590], ldap[0x562321bf7400]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x562321c0f030], connected[1], ops[0x562321d75590], ldap[0x562321bf7400]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldaps://aadds.com/CN=Schema,CN=Configuration,DC=aadds,DC=com
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x562321c0f030], connected[1], ops[0x562321d75590], ldap[0x562321bf7400]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x562321c0f030], connected[1], ops[0x562321d75590], ldap[0x562321bf7400]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_op_destructor] (0x2000): Operation 18 finished
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [generic_ext_search_handler] (0x4000): Request included referrals which were ignored.
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [generic_ext_search_handler] (0x4000):     Ref: ldaps://ForestDnsZones.aadds.com/DC=ForestDnsZones,DC=aadds,DC=com
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [generic_ext_search_handler] (0x4000):     Ref: ldaps://DomainDnsZones.aadds.com/DC=DomainDnsZones,DC=aadds,DC=com
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [generic_ext_search_handler] (0x4000):     Ref: ldaps://aadds.com/CN=Configuration,DC=aadds,DC=com
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [generic_ext_search_handler] (0x4000):     Ref: ldaps://aadds.com/CN=Schema,CN=Configuration,DC=aadds,DC=com
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_search_user_process] (0x2000): Retrieved total 0 users
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x562321d71d00

(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x562321d71dd0

(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Running timer event 0x562321d71d00 "ltdb_callback"

(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Destroying timer event 0x562321d71dd0 "ltdb_timeout"

(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Destroying timer event 0x562321d71d00 "ltdb_callback"

(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sysdb_search_by_name] (0x0400): No such entry
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sysdb_cache_search_groups] (0x2000): Search groups with filter: (&(objectCategory=group)(ghost=tory.blue@aadds.com))
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x562321d711a0

(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x562321c1c0e0

(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Running timer event 0x562321d711a0 "ltdb_callback"

(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Destroying timer event 0x562321c1c0e0 "ltdb_timeout"

(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [ldb] (0x4000): Destroying timer event 0x562321d711a0 "ltdb_callback"

(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sysdb_cache_search_groups] (0x2000): No such entry
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sysdb_delete_user] (0x0400): Error: 2 (No such file or directory)
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_req_done] (0x0400): DP Request [Account #8]: Request handler finished [0]: Success
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [_dp_req_recv] (0x0400): DP Request [Account #8]: Receiving request data.
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_req_reply_list_success] (0x0400): DP Request [Account #8]: Finished. Success.
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_req_reply_std] (0x1000): DP Request [Account #8]: Returning [Success]: 0,0,Success
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_table_value_destructor] (0x0400): Removing [0:1:0x0001:1:U:LDAP:name=tory.blue@aadds.com] from reply table
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): DP Request [Account #8]: Request removed.
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [dp_req_destructor] (0x0400): Number of active DP request: 0
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: sh[0x562321c0f030], connected[1], ops[(nil)], ldap[0x562321bf7400]
(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
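
The ldapsearch above finds the user with (cn=tory blue), but the log shows sssd searching with a filter it builds itself, which also requires objectclass=person, a sAMAccountName and a non-zero uidNumber; an entry without uidNumber cannot match it, whatever ldapsearch returns. As an added example that is not part of the thread or of sssd, the following Python script pulls that filter out of a copy of the logged line and evaluates it against constructed sample entries, reporting which clause rejects a user. The sample entries, their uid values and the function names extract_search, parse_filter and explain are assumptions for illustration; it handles the &, |, !, attr=value and attr=* forms sssd emits, not substring or extensible matches.

```python
"""Evaluate the user-lookup filter sssd logged against a directory entry.

Constructed illustration, not part of sssd: parses the RFC 4515 subset sssd
emits (&, |, !, attr=value, attr=*) and reports which clause rejects an entry,
so "Search for users, returned 0 results" can be traced to a missing attribute.
"""
import re
from typing import Dict, List, Tuple, Union

# Constructed copy of the sssd_domain.log line that shows the filter.
LOG_LINE = (
    "(Wed Oct 21 23:37:42 2020) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): "
    "calling ldap_search_ext with [(&(|(userPrincipalName=tory.blue@aadds.com)"
    "(mail=tory.blue@aadds.com))(objectclass=person)(sAMAccountName=*)"
    "(&(uidNumber=*)(!(uidNumber=0))))][dc=aadds,dc=com]."
)

# Constructed sample entries (not real directory data): an AD user that has no
# POSIX attributes, and the same user after uidNumber/gidNumber were populated.
ENTRY_NO_POSIX: Dict[str, List[str]] = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "cn": ["Tory Blue"],
    "sAMAccountName": ["tory.blue"],
    "userPrincipalName": ["tory.blue@aadds.com"],
}
ENTRY_POSIX = dict(ENTRY_NO_POSIX, uidNumber=["10001"], gidNumber=["10001"])

Node = Union[Tuple[str, str, str], Tuple[str, list]]   # ("=", attr, value) | (op, children)

def extract_search(line: str) -> Tuple[str, str]:
    """(filter, search base) from an sssd 'calling ldap_search_ext' log line."""
    m = re.search(r"calling ldap_search_ext with \[(.+)\]\[(.+)\]\.?$", line)
    if not m:
        raise ValueError("not an ldap_search_ext log line")
    return m.group(1), m.group(2)

def parse_filter(text: str) -> Node:
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return node

def _parse(s: str, i: int) -> Tuple[Node, int]:
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":                       # compound clause
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unterminated '{op}' clause")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one operand")
        return (op, children), i + 1
    j = s.index(")", i)                     # simple item: attr=value or attr=*
    attr, sep, value = s[i:j].partition("=")
    if not sep or not attr:
        raise ValueError(f"bad simple item {s[i:j]!r}")
    return ("=", attr, value), j + 1

def render(node: Node) -> str:
    """Serialise a parsed filter back to RFC 4515 text."""
    if node[0] == "=":
        return f"({node[1]}={node[2]})"
    return f"({node[0]}{''.join(render(c) for c in node[1])})"

def _values(entry: Dict[str, List[str]], attr: str) -> List[str]:
    # Attribute names are case-insensitive in LDAP; sssd logs them in mixed case.
    return next((list(v) for k, v in entry.items() if k.lower() == attr.lower()), [])

def evaluate(node: Node, entry: Dict[str, List[str]]) -> Tuple[bool, List[str]]:
    """(matched, failed_clauses): the leaves or negations that reject the entry."""
    if node[0] == "=":
        _, attr, value = node
        vals = _values(entry, attr)
        ok = bool(vals) if value == "*" else value.lower() in (v.lower() for v in vals)
        return ok, ([] if ok else [render(node)])
    op, children = node
    results = [evaluate(c, entry) for c in children]
    if op == "&":
        failed = [f for ok, fs in results if not ok for f in fs]
        return not failed, failed
    if op == "|":
        if any(ok for ok, _ in results):
            return True, []
        return False, [f for _, fs in results for f in fs]
    ok, _ = results[0]                      # op == "!"
    return (not ok), ([] if not ok else [render(node)])

def explain(filter_text: str, entry: Dict[str, List[str]]) -> List[str]:
    """Clauses of filter_text that reject entry; [] means the entry matches."""
    return evaluate(parse_filter(filter_text), entry)[1]

if __name__ == "__main__":
    flt, base = extract_search(LOG_LINE)
    print("base  :", base)
    print("filter:", flt)
    for name, entry in (("no POSIX attrs", ENTRY_NO_POSIX), ("with POSIX attrs", ENTRY_POSIX)):
        failed = explain(flt, entry)
        print(f"{name:17}: {'MATCH' if not failed else 'REJECTED by ' + ' '.join(failed)}")
```

The practical use is to paste the filter from the log into an ldapsearch run with the same bind DN and base; if that returns nothing while (cn=...) does, explain() against the attributes ldapsearch showed for the entry names the clause (typically (uidNumber=*) or the object class) that the directory does not satisfy.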
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org