I’ve discovered through more experimentation and some source code examples that this syntax works:

sssd.conf:

ldap_user_search_base, ou=ldapusers1,dc=mydomain,dc=net, ou=ldapusers2,dc=mydomain,dc=net, dc=ldapusers3,dc=mydomain,dc=net

Same syntax seems to work for ldap_group_search_base...

But the question is, if this is valid syntax, where is the documentation to show how to use it? And why the unconventional syntax?

Al

From: users-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:users-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Licause, Al

I have a customer that is attempting to authenticate users from an ldap server with various unix and linux clients. They are having difficulty getting their method to work with their Red Hat V6.0 ldap clients running sssd-1.2.1-28.el6_0.4.x86_64 and sssd-client-1.2.1-28.el6_0.4.x86_64.

They have split their users into three different branches of the ldap database and done something similar with their user groups. In an attempt to control who can login to various systems, they configure their clients to use two of three branches. So for example client1 is configured to use ldapusers1 and ldapusers2 while client2 can use ldapusers2 and ldapusers3. If the client is allowed to search the entire database they will find account duplications and will allow the wrong users to authenticate.

This is an example of what we have tried in the sssd.conf file:

ldap_search_base = dc=osn,dc=mydomain,dc=net
# ldap_user_search_base ou=ldapusers1,dc=mydomain,dc=net,ou=ldapusers2,dc=mydomain,dc=net,ou=ldapusers3,dc=mydomain,dc=net
#ldap_user_search_base = ou=ldapusers1,dc=mydomain,dc=net
#ldap_user_search_base = ou=ldapusers2,dc=mydomain,dc=net
#ldap_user_search_base = ou=ldapusers3,dc=mydomain,dc=net
#ldap_group_search_base = ou=Groups,dc=mydomain,dc=net
#ldap_group_search_base = ou=LdapGroup,dc=mydomain,dc=net
#ldap_group_search_base = ou=TestGroup,dc=mydomain,dc=net

If we use the first example in which all three branches are assigned on one line, we usually get nothing... "can't find the user". If we use any of the currently commented examples where the symbol ldap_user_search_base is given more than once, we only see the last one defined.

So the question is, is this sort of configuration possible or is something broken?

Al Licause
HP Customer Support Center
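As an added example (not part of the thread and not SSSD's own code), the following Python script reads an sssd.conf fragment modelled on the configurations above and reports the two behaviours the thread describes: a key repeated within a section, of which SSSD keeps only the last value, and a search base written in the `?`-delimited multi-base form (`base?scope?filter[?base?scope?filter...]`) that the sssd-ldap(5) man page documents for ldap_user_search_base and ldap_group_search_base. The sample configuration, the domain name and the function names are constructed for illustration; the parser is a deliberately minimal INI reader, not SSSD's.

```python
"""Lint an sssd.conf fragment for duplicate keys and multi-base search bases.

Added example written for this thread, not SSSD's own parser. The '?'-delimited
multi-base form checked here is the one documented in sssd-ldap(5):
base?scope?filter[?base?scope?filter...].
"""
import re

# Constructed sample modelled on the thread's configuration; not a real deployment.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
ldap_search_base = dc=osn,dc=mydomain,dc=net
# repeated key: SSSD honours only the last definition
ldap_user_search_base = ou=ldapusers1,dc=mydomain,dc=net
ldap_user_search_base = ou=ldapusers2,dc=mydomain,dc=net
# two group bases in the ?-delimited form; the second has an explicit scope and no filter
ldap_group_search_base = ou=Groups,dc=mydomain,dc=net?subtree?(objectClass=posixGroup)?ou=LdapGroup,dc=mydomain,dc=net?onelevel?
"""

VALID_SCOPES = ("subtree", "onelevel", "base")


def parse_sssd_conf(text):
    """Return (sections, duplicates).

    sections:   {section: {key: last_value}}  -- last definition wins, as in SSSD
    duplicates: [(section, key, [value1, value2, ...])] for keys defined more than once
    """
    sections, seen, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1)
            sections.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            continue  # stray line outside any section, or no '='
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        sections[section][key] = value  # overwrite: last value wins
        seen.setdefault((section, key), []).append(value)
    duplicates = [(s, k, v) for (s, k), v in seen.items() if len(v) > 1]
    return sections, duplicates


def split_search_bases(value):
    """Split 'base?scope?filter?base?scope?filter' into a list of dicts.

    A value without '?' is a single subtree base with no extra filter. A trailing
    base may omit its scope and filter; a missing scope defaults to subtree.
    """
    parts = value.split("?")
    while len(parts) % 3:  # pad so the last base/scope/filter triple is complete
        parts.append("")
    bases = []
    for i in range(0, len(parts), 3):
        base, scope, flt = (p.strip() for p in parts[i:i + 3])
        if base:
            bases.append({"base": base, "scope": scope or "subtree", "filter": flt})
    return bases


def lint(text):
    """Return human-readable findings for the configuration text."""
    sections, duplicates = parse_sssd_conf(text)
    findings = []
    for section, key, values in duplicates:
        findings.append(f"[{section}] {key} defined {len(values)} times; "
                        f"only the last value takes effect: {values[-1]}")
    for section, options in sections.items():
        for key, value in options.items():
            if not key.endswith("_search_base"):
                continue
            bases = split_search_bases(value)
            for b in bases:
                if b["scope"] not in VALID_SCOPES:
                    findings.append(f"[{section}] {key}: unknown scope '{b['scope']}' for {b['base']}")
            if len(bases) > 1:
                findings.append(f"[{section}] {key} searches {len(bases)} bases: "
                                + ", ".join(b["base"] for b in bases))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

The duplicate-key finding is the one worth automating: a per-line syntax check passes such a file, while SSSD quietly restricts lookups to the last base listed, so the set of users a host accepts differs from what the administrator intended without any error being logged.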
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines