SLES 12 SP2 SSSD with ldap_id_mapping = False

exploitationwindows
11-Jul-2018, 17:08
Hi,

I'm using SSSD and I want to use uidNumber for my AD users. To do that I put this line in my sssd.conf:
ldap_id_mapping = False

With this line I want to allow only users that belong to this group to log in:
ad_access_filter = (memberOf=CN=ADMINS,OU=Services,DC=AD,DC=EXAMPLE,DC=COM)

My problem is that if an AD user doesn't have POSIX attributes he cannot log in.
I can see in the logs that there is an LDAP search that only searches for users with uidNumber (POSIX attributes):
[sssd[be[ad.example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=aduser5932)(objectclass=user)(sAMAccountName=*)(&(uidNumber=*)(!(uidNumber=0))))][DC=ad,DC=example,DC=com].
[sssd[be[d20.tes.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
[sssd[be[d20.tes.local]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
[sssd[be[d20.tes.local]]] [sysdb_search_by_name] (0x0400): No such entry

If I set UNIX attributes on this account and clear the sssd cache, I can log in without problems.

Thanks in advance.
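
The filter in the log line above is evaluated by the domain controller, not by SSSD, so the "0 results" is simply AD reporting that no entry satisfies `(&(uidNumber=*)(!(uidNumber=0)))`. The following script is an added example (not code from the post or from SSSD): a minimal evaluator for the RFC 4515 subset that filter uses (`&`, `|`, `!`, equality and presence), run against two constructed AD entries for the same account, one with and one without POSIX attributes. It reproduces the server-side outcome locally so the dependency on uidNumber is visible before touching a directory.

```python
"""Evaluate the user-lookup filter SSSD logs against sample AD entries.

Added example. The filter string is the one from the log line in the post;
the entries are constructed, and the evaluator is a small RFC 4515 subset
(&, |, !, equality, presence) with no escaping support.
"""

# Filter copied from the sdap_get_generic_ext_step log line.
SSSD_FILTER = ("(&(sAMAccountName=aduser5932)(objectclass=user)(sAMAccountName=*)"
               "(&(uidNumber=*)(!(uidNumber=0))))")

# Constructed entries: the same AD account, without and with POSIX attributes.
USER_WITHOUT_POSIX = {
    "sAMAccountName": ["aduser5932"],
    "objectClass": ["top", "person", "organizationalPerson", "user"],
}
USER_WITH_POSIX = {**USER_WITHOUT_POSIX,
                   "uidNumber": ["10001"], "gidNumber": ["10000"]}


def parse_filter(text, pos=0):
    """Parse one parenthesised filter starting at text[pos]; return (node, next_pos)."""
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = text[pos]
    if op in "&|":
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = parse_filter(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("unterminated %s at offset %d" % (op, pos))
        return (op, children), pos + 1
    if op == "!":
        child, pos = parse_filter(text, pos + 1)
        if text[pos] != ")":
            raise ValueError("unterminated ! at offset %d" % pos)
        return ("!", child), pos + 1
    # Simple item: attr=value, where value "*" is a presence test.
    end = text.index(")", pos)
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr, value), end + 1


def evaluate(node, entry):
    """Return True when the parsed filter matches the entry (dict attr -> list of values)."""
    kind = node[0]
    if kind == "&":
        return all(evaluate(c, entry) for c in node[1])
    if kind == "|":
        return any(evaluate(c, entry) for c in node[1])
    if kind == "!":
        return not evaluate(node[1], entry)
    _, attr, value = node
    # LDAP attribute names are case-insensitive (objectclass vs objectClass).
    values = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if value == "*":
        return bool(values)           # presence: attribute has at least one value
    return any(v.lower() == value.lower() for v in values)


def matches(entry, filter_text=SSSD_FILTER):
    """Parse filter_text once and evaluate it against entry."""
    node, end = parse_filter(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    return evaluate(node, entry)


if __name__ == "__main__":
    for label, entry in (("without POSIX attrs", USER_WITHOUT_POSIX),
                         ("with POSIX attrs", USER_WITH_POSIX)):
        print("%-20s matched=%s" % (label, matches(entry)))
```

Running it shows the entry without uidNumber never matches, which is exactly the "returned 0 results" in the log: with ldap_id_mapping = False the lookup itself requires the attribute, so ad_access_filter is never even consulted for such an account.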

Automatic Reply
16-Jul-2018, 05:30
Exploitationwindows,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort and volunteer run, and if your issue
is urgent or not getting a response, you might try one of the following options:

- Visit http://www.suse.com/support and search the knowledgebase and/or check all
the other support options available.
- Open a service request: https://www.suse.com/support
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.suse.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.suse.com/faq.php

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot.

Good luck!

Your SUSE Forums Team
http://forums.suse.com

hangarbait
08-Aug-2018, 15:10
exploitationwindows,
What is described is the expected behavior.

Non-mapped (static)
ldap_id_mapping = false

UID and GID values are stored in Active Directory attributes (uidNumber and gidNumber in LDAP parlance) and read by the daemon when the user or group is referenced. If other standard POSIX attribute values are populated (loginShell, homeDirectory, gecos) they will be read as well.

Mapped (calculated)
ldap_id_mapping = true

UID and GID values are calculated using an algorithm run against Active Directory user and group Security Identifiers (SIDs) to generate unique UID and GID values. Because the object SIDs do not change, these values persist across servers running the SSSD.

Whether to use mapped or non-mapped UID/GID values is a design choice you want to make at the front side of deployments. As soon as file systems are involved (as UID and GID values are written to them) swapping modes is not a trivial undertaking.


Hoping to have helped,


-- lawrence
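
To make the two modes concrete, here is an added example (not code from the post, from SSSD or from lawrence) that resolves a UID for a constructed AD entry both ways. The non-mapped branch just reads uidNumber and yields nothing when the attribute is absent, which is the failure in the original post. The mapped branch reimplements the documented idea of hashing the domain SID into a slice and adding the RID; the range defaults (200000, 2000200000, 200000 for ldap_idmap_range_min/max/size) and the use of MurmurHash3 are assumptions, and the numbers are not guaranteed to be identical to what SSSD's own libsss_idmap produces.

```python
"""Resolve a POSIX UID from an AD entry in non-mapped and mapped mode.

Added example. The mapped branch is an illustrative reimplementation of the
"hash the domain SID into a slice, add the RID" scheme; exact parity with
SSSD's libsss_idmap is not claimed. Range values and entries are constructed.
"""

RANGE_MIN = 200000        # assumed: ldap_idmap_range_min default
RANGE_MAX = 2000200000    # assumed: ldap_idmap_range_max default
RANGE_SIZE = 200000       # assumed: ldap_idmap_range_size default

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed
POSIX_USER = {"sAMAccountName": ["aduser1"],
              "objectSid": [DOMAIN_SID + "-1105"], "uidNumber": ["10001"]}
PLAIN_USER = {"sAMAccountName": ["aduser5932"],       # no POSIX attributes set
              "objectSid": [DOMAIN_SID + "-1106"]}


def murmurhash3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 of data (standard public-domain algorithm)."""
    c1, c2, mask = 0xcc9e2d51, 0x1b873593, 0xffffffff
    h1 = seed & mask
    full = len(data) & ~3
    for i in range(0, full, 4):
        k1 = int.from_bytes(data[i:i + 4], "little")
        k1 = (k1 * c1) & mask
        k1 = ((k1 << 15) | (k1 >> 17)) & mask
        k1 = (k1 * c2) & mask
        h1 ^= k1
        h1 = ((h1 << 13) | (h1 >> 19)) & mask
        h1 = (h1 * 5 + 0xe6546b64) & mask
    tail, k1 = data[full:], 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = (k1 * c1) & mask
        k1 = ((k1 << 15) | (k1 >> 17)) & mask
        k1 = (k1 * c2) & mask
        h1 ^= k1
    h1 ^= len(data)
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85ebca6b) & mask
    h1 ^= h1 >> 13
    h1 = (h1 * 0xc2b2ae35) & mask
    h1 ^= h1 >> 16
    return h1


def split_sid(sid: str):
    """'S-1-5-21-a-b-c-1105' -> ('S-1-5-21-a-b-c', 1105)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def mapped_uid(object_sid: str) -> int:
    """Calculated ID: the domain SID picks a slice, the RID is the offset within it."""
    domain_sid, rid = split_sid(object_sid)
    if rid >= RANGE_SIZE:
        raise ValueError("RID %d does not fit in a slice of %d IDs" % (rid, RANGE_SIZE))
    num_slices = (RANGE_MAX - RANGE_MIN) // RANGE_SIZE
    slice_index = murmurhash3_32(domain_sid.encode()) % num_slices
    return RANGE_MIN + slice_index * RANGE_SIZE + rid


def static_uid(entry: dict):
    """Non-mapped ID: uidNumber exactly as stored in AD; None when it is absent."""
    values = entry.get("uidNumber") or []
    return int(values[0]) if values else None


def resolve_uid(entry: dict, id_mapping: bool):
    """Mirror the ldap_id_mapping switch: calculate from objectSid or read uidNumber."""
    return mapped_uid(entry["objectSid"][0]) if id_mapping else static_uid(entry)


if __name__ == "__main__":
    for entry in (POSIX_USER, PLAIN_USER):
        name = entry["sAMAccountName"][0]
        print("%-12s non-mapped=%-8s mapped=%d" % (
            name, resolve_uid(entry, False), resolve_uid(entry, True)))
```

The output makes lawrence's point visible: mapped IDs exist for every account and are stable because the domain SID and RID never change, while non-mapped IDs exist only where someone has populated uidNumber. Switching a deployment from one column to the other changes every UID on disk, which is why the choice belongs at the start.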