On 06/09/2010 12:58 PM, Michael Cronenworth wrote:
> Stephen Gallagher wrote:
>> Michael, please post your [sanitized] sssd.conf somewhere. Right now, my
>> best guess would be that you are using LDAPS or LDAP+TLS and are having
>> a certificate error.
>
> Yes, I don't have a CA cert, so it will not pass a cert test. I have
> "tls_checkpeer no" in my /etc/ldap.conf. Is there something similar for
> sssd? I could not find it in the man pages.
>
> [domain/default]
> auth_provider = ldap
> cache_credentials = True
> ldap_search_base = dc=domain,dc=com
> krb5_realm = EXAMPLE.COM
> chpass_provider = ldap
> id_provider = ldap
> ldap_id_use_start_tls = True
> debug_level = 0
> min_id = 1000
> ldap_uri = ldap://intranet.domain.com/
> krb5_kdcip = kerberos.example.com
> ldap_tls_cacertdir = /etc/openldap/cacerts
>

try ldap_tls_reqcert = never (or better yet, get a CA cert)

>>
>> My second-best guess is that your users' UID or primary GID is < 1000,
>> which is ignored by SSSD by default. (We've decided upstream that we're
>> going to change this default to 1, as so many people have hit it).
>
> I do have a few > 500 and < 1000 users, but I tested against UIDs of
> > 1000 and getent failed for them as well.

In this case, you probably want to set min_id=500. Also, as previously stated, primary GID can also cause this (e.g. a user with UID=1500, primary GID=17 will still be filtered out if min_id=500)

--
Stephen Gallagher
RHCE 804006346421761
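
The two points raised in this thread can be checked mechanically. The Python script below is an added example, not part of the original message and not SSSD code: it flags domains where TLS is in use but `ldap_tls_reqcert` leaves the server certificate unverified, and lists users hidden by the `min_id` rule as described above. The function names, the sample configuration and the user entries are constructed for illustration.

```python
import configparser

# Constructed sample: part of the domain section quoted in the thread, with
# the suggested workaround ldap_tls_reqcert = never applied.
SAMPLE_CONF = """
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://intranet.domain.com/
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = never
min_id = 1000
"""

# ldap_tls_reqcert values under which a bad server certificate is accepted.
NO_VERIFY = {"never", "allow"}


def audit_domains(conf_text):
    """Return (section, message) findings for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        sec = cp[name]
        uris = [u.strip().lower() for u in sec.get("ldap_uri", "").split(",")]
        start_tls = sec.get("ldap_id_use_start_tls", "false").lower() == "true"
        uses_tls = start_tls or any(u.startswith("ldaps://") for u in uris)
        reqcert = sec.get("ldap_tls_reqcert", "").lower()
        if uses_tls and reqcert in NO_VERIFY:
            findings.append(
                (name, f"ldap_tls_reqcert={reqcert}: server certificate is not verified"))
    return findings


def filtered_users(entries, min_id):
    """entries: (name, uid, primary_gid) tuples. Return the names that the
    min_id rule from the thread hides: UID or primary GID below min_id."""
    return [n for n, uid, gid in entries if uid < min_id or gid < min_id]


if __name__ == "__main__":
    for section, message in audit_domains(SAMPLE_CONF):
        print(f"[{section}] {message}")
    users = [("alice", 1500, 17), ("bob", 1500, 1500), ("carol", 600, 600)]
    print("hidden with min_id=500:", filtered_users(users, 500))
```

A finding for `ldap_tls_reqcert` means the StartTLS session encrypts traffic but does not authenticate the LDAP server, which is why the reply prefers obtaining a CA certificate.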