sssd and ldap_user_search_base

Licause, Al licause at hp.com
Wed Jun 22 15:17:46 UTC 2011


I've discovered through more experimentation and some source code examples that this syntax works:

sssd.conf:

ldap_user_search_base, ou=ldapusers1,dc=mydomain,dc=net, ou=ldapusers2,dc=mydomain,dc=net, dc=ldapusers3,dc=mydomain,dc=net

Same syntax seems to work for ldap_group_search_base.....

But the question is if this is valid syntax, where is the documentation to show how to use it ?

And why the unconventional syntax ?

Al


From: users-bounces at lists.fedoraproject.org [mailto:users-bounces at lists.fedoraproject.org] On Behalf Of Licause, Al
Sent: Wednesday, June 22, 2011 10:32 AM
To: users at lists.fedoraproject.org
Subject: RE: sssd and ldap_user_search_base

I have a customer that is attempting to authenticate users from an ldap server with
various unix and linux clients. They are having difficulty getting their method
to work with their Red Hat V6.0 ldap clients running sssd-1.2.1-28.el6_0.4.x86_64
and sssd-client-1.2.1-28.el6_0.4.x86_64.

They have split their users into three different branches of the ldap database
and done something similar with their user groups.

In an attempt to control who can login to various systems, they configure their
clients to use two of three branches. So for example client1 is configured to
use ldapusers1 and ldapusers2 while client2 can use ldapusers2 and ldapusers3.

If the client is allowed to search the entire database they will find account
duplications and will allow the wrong users to authenticate.

This is an example of what we have tried in the sssd.conf file:

ldap_search_base = dc=osn,dc=mydomain,dc=net

# ldap_user_search_base ou=ldapusers1,dc=mydomain,dc=net,ou=ldapusers2,dc=mydomain,dc=net,ou=ldapusers3,dc=mydomain,dc=net

#ldap_user_search_base = ou=ldapusers1,dc=mydomain,dc=net
#ldap_user_search_base = ou=ldapusers2,dc=mydomain,dc=net
#ldap_user_search_base = ou=ldapusers3,dc=mydomain,dc=net

#ldap_group_search_base = ou=Groups,dc=mydomain,dc=net
#ldap_group_search_base = ou=LdapGroup,dc=mydomain,dc=net
#ldap_group_search_base = ou=TestGroup,dc=mydomain,dc=net


If we use the first example in which all three branches are assigned on one line, we usually get
nothing....."can't find the user".

If we use any of the currently commented examples where the symbol ldap_user_search_base is
given more than once, we only see the last one defined.

So the question is, is this sort of configuration possible or is something broken ?


Al Licause
HP Customer Support Center
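The thread above asks how sssd expresses more than one user or group search base and why the syntax looks unusual. The following is an added example, not code from the poster or from the sssd project: it parses the `base?scope?filter?base?scope?filter` form that sssd-ldap(5) documents for ldap_user_search_base and ldap_group_search_base in later sssd releases (whether the 1.2.1 build in the thread honours it is an assumption), and then models the failure mode the original post describes, a uid that exists in two branches. The directory entries, the CLIENT1/CLIENT2 values and the helper names are all constructed for this example; DN containment is done by simple string suffix matching and the per-base filter is parsed but not evaluated, which is enough to show the point but is not a real LDAP client.

```python
"""Added example (not part of the mailing-list thread).

Assumptions: the '?'-separated multi-base syntax is the one documented in
sssd-ldap(5) for newer sssd releases; DIRECTORY and the CLIENT* values are
constructed sample data; DN matching is a string-suffix simplification.
"""
from __future__ import annotations

from dataclasses import dataclass

VALID_SCOPES = {"base", "onelevel", "subtree"}


@dataclass(frozen=True)
class SearchBase:
    base: str
    scope: str = "subtree"   # sssd's default when only a DN is given
    filter: str = ""         # parsed but not evaluated in this example


def parse_search_base(value: str) -> list[SearchBase]:
    """Parse an ldap_*_search_base value into one SearchBase per branch.

    A bare DN is a single subtree search.  Otherwise the value is a sequence
    of base?scope?filter triples; the filter part may be empty, so
    'ou=a,dc=x?subtree??ou=b,dc=x?subtree?' yields two bases.
    """
    parts = value.strip().split("?")
    if len(parts) == 1:
        return [SearchBase(parts[0].strip())]
    if len(parts) % 3 != 0:
        raise ValueError(f"expected base?scope?filter triples, got {value!r}")
    bases = []
    for i in range(0, len(parts), 3):
        base, scope, flt = (p.strip() for p in parts[i:i + 3])
        if not base:
            raise ValueError("empty search base in " + repr(value))
        if scope not in VALID_SCOPES:
            raise ValueError(f"unknown scope {scope!r} in {value!r}")
        bases.append(SearchBase(base, scope, flt))
    return bases


def dn_under(dn: str, base: str, scope: str) -> bool:
    """Is dn inside base for the given scope? (suffix-match simplification)"""
    dn_l, base_l = dn.lower(), base.lower()
    if scope == "base":
        return dn_l == base_l
    if not dn_l.endswith("," + base_l):
        return False
    relative = dn_l[: -len(base_l) - 1]
    if scope == "onelevel":
        return "," not in relative
    return True


# Constructed sample directory: 'alice' exists in two of the three branches,
# which is the duplication the original post warns about.
DIRECTORY = {
    "uid=alice,ou=ldapusers1,dc=mydomain,dc=net": {"uid": "alice", "uidNumber": 1001},
    "uid=bob,ou=ldapusers2,dc=mydomain,dc=net": {"uid": "bob", "uidNumber": 1002},
    "uid=alice,ou=ldapusers3,dc=mydomain,dc=net": {"uid": "alice", "uidNumber": 3001},
}

# Per-client values as they would appear in sssd.conf (constructed).
CLIENT1 = ("ou=ldapusers1,dc=mydomain,dc=net?subtree?"
           "?ou=ldapusers2,dc=mydomain,dc=net?subtree?")
CLIENT2 = ("ou=ldapusers2,dc=mydomain,dc=net?subtree?"
           "?ou=ldapusers3,dc=mydomain,dc=net?subtree?")
WHOLE_TREE = "dc=mydomain,dc=net"


def lookup_uid(search_base_value: str, uid: str, directory=DIRECTORY) -> str | None:
    """Resolve uid under the configured bases only.

    Returns the matching DN, None when no configured branch holds the uid,
    and raises LookupError when the bases yield more than one entry, rather
    than silently picking one of the duplicates.
    """
    hits = []
    for sb in parse_search_base(search_base_value):
        for dn, attrs in directory.items():
            if attrs["uid"] == uid and dn_under(dn, sb.base, sb.scope):
                hits.append(dn)
    if not hits:
        return None
    if len(hits) > 1:
        raise LookupError(f"uid {uid!r} is ambiguous: {hits}")
    return hits[0]


if __name__ == "__main__":
    print(lookup_uid(CLIENT1, "alice"))   # branch 1 copy
    print(lookup_uid(CLIENT2, "alice"))   # branch 3 copy
    try:
        lookup_uid(WHOLE_TREE, "alice")
    except LookupError as e:
        print("whole-tree search:", e)
```

Restricting the search base is an access-control measure here, so the check a practitioner wants is the last one: a search over the whole tree must fail loudly on the duplicate uid instead of returning whichever entry the server lists first. The same parser handles ldap_group_search_base, since sssd documents the identical syntax for it.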

