sssd and ldap config

Stephen Gallagher sgallagh at redhat.com
Wed Jun 9 18:22:15 UTC 2010


On 06/09/2010 12:58 PM, Michael Cronenworth wrote:
> Stephen Gallagher wrote:
>> Michael, please post your [sanitized] sssd.conf somewhere. Right now, my
>> best guess would be that you are using LDAPS or LDAP+TLS and are having
>> a certificate error.
>
> Yes, I don't have a CA cert, so it will not pass a cert test. I have
> "tls_checkpeer no" in my /etc/ldap.conf. Is there something similar for
> sssd? I could not find it in the man pages.
>
> [domain/default]
> auth_provider = ldap
> cache_credentials = True
> ldap_search_base = dc=domain,dc=com
> krb5_realm = EXAMPLE.COM
> chpass_provider = ldap
> id_provider = ldap
> ldap_id_use_start_tls = True
> debug_level = 0
> min_id = 1000
> ldap_uri = ldap://intranet.domain.com/
> krb5_kdcip = kerberos.example.com
> ldap_tls_cacertdir = /etc/openldap/cacerts
>

try ldap_tls_reqcert = never

(or better yet, get a CA cert)

>>
>> My second-best guess is that your users' UID or primary GID is < 1000,
>> which is ignored by SSSD by default. (We've decided upstream that we're
>> going to change this default to 1, as so many people have hit it).
>
> I do have a few > 500 and < 1000 users, but I tested against UIDs of
> > 1000 and getent failed for them as well.

In this case, you probably want to set min_id=500.

Also, as previously stated, primary GID can also cause this (e.g. a user 
with UID=1500, primary GID=17 will still be filtered out if min_id=500)

-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
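The exchange above raises two distinct problems: a TLS peer-verification failure that the quick fix `ldap_tls_reqcert = never` papers over, and the `min_id` filter silently hiding a user whose UID passes but whose primary GID does not. The following script, added here as an illustration and not code from the thread or from the SSSD project, parses a `[domain/...]` section of sssd.conf, reports the weak TLS setting beside the hardened one, and models the UID/primary-GID filter exactly as Stephen describes it. The two sample configs, the CA file path and the default `min_id` of 1000 (the default at the time of the thread) are constructed assumptions.

```python
"""Sanity-check an sssd.conf domain section for two problems from the thread:
disabled TLS peer verification and the min_id filter hiding users whose
UID or primary GID falls below the threshold.

Constructed example; not SSSD's own code. The ID-filter model follows the
behaviour described in the mail: both UID and primary GID must pass."""

import configparser

# Constructed sample: the poster's domain with the "quick fix" applied (weak).
WEAK_CONF = """\
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://intranet.domain.com/
ldap_search_base = dc=domain,dc=com
ldap_id_use_start_tls = True
ldap_tls_reqcert = never
min_id = 500
"""

# Constructed sample: the same domain with peer verification enforced
# against a CA bundle (path is an assumed placeholder).
HARDENED_CONF = """\
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://intranet.domain.com/
ldap_search_base = dc=domain,dc=com
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/intranet-ca.pem
min_id = 500
"""

# Assumption: default min_id at the time of the thread (upstream was moving to 1).
DEFAULT_MIN_ID = 1000


def parse_sssd_conf(text):
    """Parse sssd.conf text (INI syntax) into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def tls_findings(domain):
    """Return a list of findings about LDAP transport security for one domain."""
    findings = []
    uri = domain.get("ldap_uri", "")
    start_tls = domain.get("ldap_id_use_start_tls", "false").lower() == "true"
    uses_tls = uri.startswith("ldaps://") or start_tls
    # sssd-ldap(5) documents "hard" as the default for ldap_tls_reqcert.
    reqcert = domain.get("ldap_tls_reqcert", "hard").lower()
    has_ca = bool(domain.get("ldap_tls_cacert") or domain.get("ldap_tls_cacertdir"))
    if not uses_tls:
        findings.append("no ldaps:// URI and no start_tls: binds and lookups "
                        "travel in the clear")
    elif reqcert in ("never", "allow"):
        findings.append(f"ldap_tls_reqcert = {reqcert}: the server certificate is "
                        "not verified, so the LDAP server can be impersonated")
    elif not has_ca:
        findings.append("certificate verification is on but no ldap_tls_cacert or "
                        "ldap_tls_cacertdir is set; connections will fail until "
                        "the CA is installed")
    return findings


def id_filter(domain):
    """Return a predicate visible(uid, gid) modelling the min_id/max_id filter.

    A user is hidden when either the UID or the primary GID is out of range,
    which is why UID=1500 with primary GID=17 disappears at min_id=500."""
    min_id = int(domain.get("min_id", DEFAULT_MIN_ID))
    max_id = int(domain.get("max_id", 0))  # 0 means no upper bound

    def visible(uid, gid):
        for n in (uid, gid):
            if n < min_id or (max_id and n > max_id):
                return False
        return True

    return visible


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        dom = parse_sssd_conf(text)["domain/default"]
        print(name, "TLS findings:", tls_findings(dom) or "none")
    visible = id_filter(parse_sssd_conf(HARDENED_CONF)["domain/default"])
    print("UID 1500 / GID 1500 visible:", visible(1500, 1500))
    print("UID 1500 / GID 17 visible:", visible(1500, 17))
```

Run it as a script to see the weak config flagged and the UID=1500/GID=17 case hidden; the `tls_findings` function can equally be pointed at a real sssd.conf read from disk.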