SSSD/sssd

Resolving groups with memberOf only

BlackLotus opened this issue · 8 comments

I couldn't find a fitting issue or documentation. Hope I'm not overlooking something basic.
Problem is when I do
getent group foo
sssd tries to search for cn=foo in ou=users,....
Our ldap doesn't supply the information this way, but using memberOf.
ldap_user_member_of is set correctly, but I don't know how to force sssd to use this as the base for group mapping.

In theory we can find a group foo through a search in ou=user,dc=... memberOf=foo,ou=groups,...
If we want to list the groups of a user we can do a search in ou=users,... looking for 'uid=foobar' + (using ldapsearch)

Is there a way to configure sssd to work like this as well? Again sorry if this is an obvious problem

Hi,

can you share your current /etc/sssd/sssd.conf?

bye,
Sumit

[sssd]
config_file_version = 2
services = nss, pam
domains = default 
#debug_level = 8

[domain/default]
cache_credentials = false
debug_level = 7
enumerate = false
#ldap_id_mapping = true

id_provider = ldap
auth_provider = ldap
#chpass_provider = ldap

ldap_uri = ldaps://openldap.example.com
ldap_search_base = ou=users,dc=example,dc=com
ldap_default_bind_dn = cn=binduser,ou=security,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = pw
ldap_user_member_of = memberOf
ldap_group_member = uniqueMember

override_shell = /bin/bash

Replaced my domain.

Hi,

you have ldap_search_base = ou=users,dc=example,dc=com which means all searches will use ou=users,dc=example,dc=com as a base. But your group objects are in ou=groups,... according to your memberOf attribute.

So, either you change ldap_search_base

    ldap_search_base = dc=example,dc=com

or you have to add

    ldap_group_search_base = ou=groups,dc=example,dc=com

I would recommend the first.

Additionally, since uniqueMember is typically using a DN syntax I assume you have to set

    ldap_scheme = rfc2307bis

HTH

bye,
Sumit

The groups itself are not searchable. Only the memberOf attribute is shown.

So I tried every of the combination above (even before opening the ticket). Good to know that the problem seems to lie in the configuration of our ldap server and not me...

So I guess I can't configure sssd to search ou=users for memberOf to do the lookup right?

Hi,

one of the reasons you have to read the group object is to get the GID of the group.

bye,
Sumit

Oh... our ldap is... special. AFAIK we don't have GIDs in our ldap...
I asked for permissions to search for groups and this is what it looks like

[root@login001 ~]# ldapsearch -D "cn=binduser,ou=security,dc=example,dc=com" -y "/root/ldapsearch/password.txt" -H "ldaps://openldap.example.com:636" -b "ou=groups,dc=example,dc=com" -W "cn=somegroup"
# extended LDIF
#
# LDAPv3
# base <ou=groups,dc=example,dc=de> with scope subtree
# filter: cn=somegroup
# requesting: ALL
#

# somegroup, groups, example.com
dn: cn=somegroup,ou=groups,dc=example,dc=com
member: uid=nobody
member: uid=blacklotus,ou=users,dc=example,dc=com
objectClass: groupOfNames
objectClass: exampleAccessControl
cn: somegroup
rubReadAllow: cn=binduser,ou=security,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Edit: working on a solution to add the GIDs to the ldap

Hi,

do your LDAP user's have a uidNumber attribute or similar? Does getent passwd username show a user entry or does it fail as well?

bye,
Sumit

Sorry for the delayed answer - thought I already answered you
getent passwd username works of course. The main problem right now seems to be that our ldap is missing GIDs.