Description of problem: sssd-ldap filters out the user. Version-Release number of selected component (if applicable): 1.1.0 How reproducible: A different adventure everytime I try to retrofit an install with sssd. Additional details: See attached logfile.
Created attachment 441999 [details] sssd_LDAP.log with debug_level=9
(Mon Aug 30 18:45:24 2010) [sssd[be[LDAP]]] [sdap_save_user_send] (2): User [jengelh] filtered out! (id out of range) Your user ID or primary GID is out of range. On SSSD 1.1.0, we had set the default for min_id at 1000 (which means that if either your UID or primary GID were less than 1000, you would be filtered out). Newer versions default to using a min_id of 1. Try setting: min_id = 1 in your [domain/LDAP] section in sssd.conf.
Yeah I noticed the default of 1000, which should be ok with my uid. An nss_ldap system returns: # id jengelh uid=2034(jengelh) gid=20(cdrom) groups=20(cdrom)
Please read carefully. You have your primary GID set to 20(cdrom). This is why it is getting filtered out.
I think GID filtering should be separated from the UID filter, like nss_ldap did.
(Indeed, the sssd.conf(5) manpage says about min_id: UID limits for the domain. Nowhere did it mention GID.)
The manpage in newer versions of SSSD has fixed this mistake for some time now. SSSD 1.1.0 is five months old now. As I stated above, the resolution is that by default we are not doing UID/GID filtering in newer SSSD versions.
We are not documenting them separately because we try to think about them (and encourage everybody share out thinking) as values from one unique number space rather than two values from two different value spaces. While it is natural for UNIX to have them separate it becomes a real pain in the mixed environments or multi domain cases so we think the best approach is to have one global number (and namespace) for users and groups.