Re: sssd and ldap config

On 06/09/2010 12:58 PM, Michael Cronenworth wrote:
> Stephen Gallagher wrote:
>> Michael, please post your [sanitized] sssd.conf somewhere. Right now, my
>> best guess would be that you are using LDAPS or LDAP+TLS and are having
>> a certificate error.
>
> Yes, I don't have a CA cert, so it will not pass a cert test. I have
> "tls_checkpeer no" in my /etc/ldap.conf. Is there something similar for
> sssd? I could not find it in the man pages.
>
> [domain/default]
> auth_provider = ldap
> cache_credentials = True
> ldap_search_base = dc=domain,dc=com
> krb5_realm = EXAMPLE.COM
> chpass_provider = ldap
> id_provider = ldap
> ldap_id_use_start_tls = True
> debug_level = 0
> min_id = 1000
> ldap_uri = ldap://intranet.domain.com/
> krb5_kdcip = kerberos.example.com
> ldap_tls_cacertdir = /etc/openldap/cacerts
>

try ldap_tls_reqcert = never

(or better yet, get a CA cert)

>>
>> My second-best guess is that your users' UID or primary GID is < 1000,
>> which is ignored by SSSD by default. (We've decided upstream that we're
>> going to change this default to 1, as so many people have hit it).
>
> I do have a few > 500 and < 1000 users, but I tested against UIDs of > 1000
> and getent failed for them as well.

In this case, you probably want to set min_id=500.

Also, as previously stated, primary GID can also cause this (e.g. a user 
with UID=1500, primary GID=17 will still be filtered out if min_id=500)

-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
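
An added example, not part of the original message and not SSSD's own code: a small Python check over an sssd.conf that flags weakened ldap_tls_reqcert settings and models the min_id filter as the reply describes it (UID or primary GID below min_id). The sample config is constructed from the one quoted in the thread with the suggested workaround applied; the function names and the min_id fallback of 1 are assumptions.

```python
import configparser

# Constructed sample: subset of the sssd.conf quoted in the thread,
# with the suggested "ldap_tls_reqcert = never" workaround applied.
SAMPLE_CONF = """\
[domain/default]
auth_provider = ldap
id_provider = ldap
ldap_id_use_start_tls = True
min_id = 1000
ldap_uri = ldap://intranet.domain.com/
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = never
"""

# ldap_tls_reqcert values that weaken server verification (sssd-ldap(5));
# "demand" and "hard" require a valid certificate.
WEAK_REQCERT = {
    "never": "server certificate is not requested or checked",
    "allow": "a missing or bad server certificate is accepted",
    "try": "a missing server certificate is accepted",
}

def load(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg

def audit_tls(cfg):
    """Return (section, finding) pairs for domains with weakened LDAP TLS checks."""
    findings = []
    for name in cfg.sections():
        if not name.startswith("domain/"):
            continue
        sec = cfg[name]
        reqcert = sec.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert in WEAK_REQCERT:
            findings.append((name, f"ldap_tls_reqcert={reqcert}: {WEAK_REQCERT[reqcert]}"))
        if sec.get("ldap_uri", "").startswith("ldap://") and not sec.getboolean(
                "ldap_id_use_start_tls", fallback=False):
            findings.append((name, "ldap:// identity lookups are not protected by StartTLS"))
    return findings

def is_filtered(cfg, domain, uid, primary_gid):
    """True if the user is ignored because UID or primary GID is below min_id."""
    min_id = cfg[domain].getint("min_id", fallback=1)  # fallback is an assumption
    return uid < min_id or primary_gid < min_id

if __name__ == "__main__":
    cfg = load(SAMPLE_CONF)
    for section, finding in audit_tls(cfg):
        print(f"[{section}] {finding}")
    print("uid=1500 gid=17 filtered:", is_filtered(cfg, "domain/default", 1500, 17))
```

Switching the sample to ldap_tls_reqcert = demand with the CA certificate installed in ldap_tls_cacertdir clears the TLS finding; the UID=1500, GID=17 user stays filtered until min_id is at or below 17.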
