Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 972944
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Version: sssd-1.9.2-82.el6

Use the ad provider:

    id_provider = ad

Just adding an ldap filter like this will result in a bind error:

    ldap_access_order = filter, expire
    ldap_account_expire_policy = ad
    access_provider = ldap
    ldap_access_filter = memberOf=CN=sshadmins,OU=groups,DC=2k8r2domain,DC=gss

    (Thu Jun 6 16:08:10 2013) [sssd[be[2k8r2domain.gss]]] [set_server_common_status] (0x0100): Marking server 'win2k8sp1-64.2k8r2domain.gss' as 'working'
    (Thu Jun 6 16:08:10 2013) [sssd[be[2k8r2domain.gss]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=jagee)(objectclass=posixAccount)(memberOf=CN=sshadmins,OU=groups,DC=2k8r2domain,DC=gss))][CN=Jeremy Agee,CN=Users,DC=2k8r2domain,DC=gss].
    (Thu Jun 6 16:08:10 2013) [sssd[be[2k8r2domain.gss]]] [sdap_get_generic_ext_done] (0x0400): Search result: Operations error(1), 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
    (Thu Jun 6 16:08:10 2013) [sssd[be[2k8r2domain.gss]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Operations error(1), 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
    (Thu Jun 6 16:08:10 2013) [sssd[be[2k8r2domain.gss]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error

Adding the sasl bind works around the bind issue.

    ldap_sasl_mech = GSSAPI
    ldap_sasl_authid = RHEL6-2K8-ADPRO$@2K8R2DOMAIN.GSS

The use of one of these two settings is also needed so the search works since it defaults to objectclass=posixAccount without them.

    ldap_schema = ad

or

    ldap_user_object_class = person

    (Fri Jun 7 14:34:17 2013) [sssd[be[2k8r2domain.gss]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=jagee)(objectclass=posixAccount)(memberOf=CN=sshadmins,OU=groups,DC=2k8r2domain,DC=gss))][CN=Jeremy Agee,CN=Users,DC=2k8r2domain,DC=gss].

Desired config would be to allow a filter as a one line addition to the sssd config.

    id_provider = ad
    ldap_access_filter = memberOf=CN=sshadmins,OU=groups,DC=2k8r2domain,DC=gss
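A configuration check for the combination described in the report, as an added example that is not part of the ticket or of SSSD itself. The function name, finding messages and the two sample configurations are constructed for illustration; the option names and values come from the report above.

```python
import configparser

# Constructed sample: the reported configuration without the workaround.
SAMPLE_BROKEN = """
[domain/2k8r2domain.gss]
id_provider = ad
access_provider = ldap
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_access_filter = memberOf=CN=sshadmins,OU=groups,DC=2k8r2domain,DC=gss
"""

# Constructed sample: the same domain with the workaround settings added.
SAMPLE_WORKAROUND = SAMPLE_BROKEN + """ldap_sasl_mech = GSSAPI
ldap_sasl_authid = RHEL6-2K8-ADPRO$@2K8R2DOMAIN.GSS
ldap_schema = ad
"""

def lint_sssd_conf(text):
    """Return (section, message) findings for domains that pair
    id_provider = ad with an LDAP access filter, as in the report."""
    cp = configparser.RawConfigParser(strict=False)  # no % interpolation
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        if opts.get("id_provider", "").strip().lower() != "ad":
            continue
        if opts.get("access_provider", "").strip().lower() != "ldap":
            continue
        if "ldap_access_filter" not in opts:
            continue
        # Without a SASL bind the report saw error 000004DC on the search.
        if "ldap_sasl_mech" not in opts:
            findings.append((section, "ldap_sasl_mech not set for LDAP access filter"))
        # Without one of these the search uses objectclass=posixAccount.
        schema_is_ad = opts.get("ldap_schema", "").strip().lower() == "ad"
        if not schema_is_ad and "ldap_user_object_class" not in opts:
            findings.append((section, "neither ldap_schema = ad nor ldap_user_object_class set"))
    return findings

if __name__ == "__main__":
    for section, message in lint_sssd_conf(SAMPLE_BROKEN):
        print(f"{section}: {message}")
```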
Need to decide whether the fix would be in code or just documentation.
blockedby: =>
blocking: =>
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
milestone: NEEDS_TRIAGE => SSSD 1.12 beta
review: True => 0
selected: =>
testsupdated: => 0
Leave it for now. It might be improved when we change initialization of the providers.
This is better solved (in my opinion) by implementing the RFE in ticket #1326. Then a chained LDAP access provider could be used where needed.
Fields changed
mark: => 0
So far we documented the behavior. The proper fix would be to support access provider chaining, but that's unlikely to happen. I propose to close.
milestone: SSSD 1.13 beta => SSSD 1.13 backlog
review: 0 => 1
priority: major => trivial
Mass-moving tickets not planned for any immediate release and re-setting priority.
milestone: SSSD 1.13 backlog => SSSD Deferred
priority: trivial => major
I think this can be closed, we have GPOs and ad_access_filter in the meantime.
sensitive: => 0
resolution: => wontfix
status: new => closed
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD Patches welcome
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/3019
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.