Hide Forgot
Description of problem: Customer has been trying to implement sssd with LDAP trees. Documentation for search, user, group bases has been a struggle since some options are poorly documented or hard to find both in doc.redhat.com and man pages. Version-Release number of selected component (if applicable): sssd-1.2.1-28.el6_0.4.x86_64 How reproducible: always Steps to Reproduce: 1. read the documentation. 2. 3. Actual results: hard to configure Expected results: easy to understand how to configure. Additional info: customer's notes & comments. ================================================================== There is no man page for pam_ldap.conf at all. I suspect it has its own form but it appears pretty much like ldap.conf or nslcd.conf. The file /etc/pam_ldap.conf is mentioned in several places, e.g. http://rpmfind.net/linux/RPM/fedora/14/i386/pam_ldap-185-5.fc14.i686.html * Fri Jan 08 2010 Nalin Dahyabhai <nalin> 185-1 - split out pam_ldap as a separate source package, update URL, change %{version} to reflect pam_ldap's versioning rather than nss_ldap's - set config file to /etc/pam_ldap.conf, rootbindpw file /etc/pam_ldap.secret and in our experiments we needed it to make pam-ldap work when using nonstandard ldap port. It is particulary critical when using non-standard ldap ports (389, 636). It does not appear that pam_ldap.conf is auto configured by any utility. Therefore it must be correct with at a minimun, the URI value and they must match that of the sssd.conf or nslcd.conf URI values. We have found that if the sssd.conf or nslcd.conf files use a non-standard ldap port and the pam_ldap.conf file uses the same ldap server ip address but uses a standard port, i.e. one that differs from either sssd.conf or nslcd.conf, then user authentication for ssh and telnet, and perhap other utilities will not authenticate. The result is that pam_ldap sends it's data on the standard ldap port ( the one configured in the URI line of the pam_ldap.conf file) and each transmission to the ldap server is rejected with a RST. If pam_ldap was modified to look for and use values in nslcd.conf or sssd.conf, it would avoid this confusion. Specific to sssd.conf: sssd-ldap: ldap_user_search_base Explain the use of this value when multiple values are declared and the most unusual syntax of seperating the keyword from the first value with a comma. example: ldap_user_search_base, ou = ldapusers3,dc=osn,dc=cxo,dc=cpqcorp,dc=net, ou=ldapusers2,dc=osn,dc=cxo,dc=cpqcorp,dc=net, ou=ldapusers1,dc=osn,dc=cxo,dc=cpqcorp,dc=net ldap_group_search_base If the syntax is similar to that of the ldap_user_search_base then a similar modification needs to be made. We have yet to determine the full extent of the anamoly of ldap specific values that are ignored unless they are specifically placed in the [domain/LDAP] section. This is particularly important when sssd.conf is generated from the output of authconfig in which new values are place in the [domain/default] section. Some ldap values are accepted in the default domain section and others are ignored. The values for ldap_user_search_base is ignored in the default domain section but accepted in the LDAP domain section. There is little to no syntax checking by sssd on startup. It would be very helpful if syntax was checked and flagged if found to be unacceptable.
(In reply to comment #0) > There is no man page for pam_ldap.conf at all. I suspect it has its > own form but it appears pretty much like ldap.conf or nslcd.conf. The file > /etc/pam_ldap.conf is mentioned in several places, e.g. > pam_ldap has nothing to do with SSSD. They are mutually-exclusive. SSSD provides its own internal LDAP authentication mechanism (via authenticated LDAP bind). > > ldap_user_search_base > Explain the use of this value when multiple values are declared and > the > most unusual syntax of seperating the keyword from the first value > with a comma. > > example: > ldap_user_search_base, ou = > ldapusers3,dc=osn,dc=cxo,dc=cpqcorp,dc=net, > ou=ldapusers2,dc=osn,dc=cxo,dc=cpqcorp,dc=net, > ou=ldapusers1,dc=osn,dc=cxo,dc=cpqcorp,dc=net This option is not multi-valued. Currently, SSSD does not support multiple search bases. The upstream bug https://fedorahosted.org/sssd/ticket/868 is tracking this issue. Also, I don't know where you got that example, but it's completely wrong. All attributes in sssd.conf are name = value > > ldap_group_search_base > If the syntax is similar to that of the ldap_user_search_base then a > similar > modification needs to be made. > This option is similarly not multi-valued. > We have yet to determine the full extent of the anamoly of ldap > specific values that are ignored unless they are specifically placed in the > [domain/LDAP] section. > > This is particularly important when sssd.conf is generated from the > output of authconfig in which new values are place in the [domain/default] > section. > > Some ldap values are accepted in the default domain section and others > are ignored. > The values for ldap_user_search_base is ignored in the default domain > section but accepted in the LDAP domain section. > [domain/default] is misleading, and bz#697644 is meant to address it. In the [sssd] section, there is an option "domains =" which describes which [domain/<domainname>] sections are active, and what order they should resolve. If you are using domains = LDAP then only changes to [domain/LDAP] will have any effect. [domain/default] in this case is disabled. The only reason that some values APPEAR to be ignored in the LDAP section is that for certain attributes (like search bases) if they are unspecified, we will ask the LDAP server's Root DSE to provide them for us. > > There is little to no syntax checking by sssd on startup. It would be > very helpful if syntax was checked and flagged if found to be unacceptable. There are several BZs open to track the addition of syntax validation, but right now it is not yet available. The relevant upstream bug is https://fedorahosted.org/sssd/ticket/133