SSSD with ldap_id_mapping = False

exploitationwindows · July 11, 2018, 7:08pm

Hi,

I’m using SSSD and I want to use uidNumber for my ADusers. To do that I put this line in my sssd.conf :
ldap_id_mapping = False

With this line I want to allow only users that belong to this group to login:
ad_access_filter = (memberOf=CN=ADMINS,OU=Services,DC=AD,DC=EXAMPLE,DC=COM)

My problem is that if a ADUser doesn’t have a POSIX Attributes he can not log in.
I can see in logs there is a ldap search command that only search user with uidNumber (POSIX Attributes) :
[sssd[be[ad.example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=aduser5932)(objectclass=user)(sAMAccountName=)(&(uidNumber=)(!(uidNumber=0))))][DC=ad,DC=example,DC=com].
[sssd[be[d20.tes.local]]] [sdap_search_user_process] (0x0400): Search for users, returned 0 results.
[sssd[be[d20.tes.local]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
[sssd[be[d20.tes.local]]] [sysdb_search_by_name] (0x0400): No such entry

If I set UNIX Attributes to this account and clear sssd cache, I can log in without problem.

Thanks in advance.

Automatic_Reply · July 16, 2018, 7:30am

Exploitationwindows,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

These forums are peer-to-peer, best effort, volunteer run and that if your issue
is urgent or not getting a response, you might try one of the following options:

Visit http://www.suse.com/support and search the knowledgebase and/or check all
the other support options available.
Open a service request: https://www.suse.com/support
You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.suse.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.suse.com/faq.php

If this is a reply to a duplicate posting or otherwise posted in error, please
ignore and accept our apologies and rest assured we will issue a stern reprimand
to our posting bot…

Good luck!

Your SUSE Forums Team
http://forums.suse.com

Lawrence1 · August 8, 2018, 5:10pm

exploitationwindows,
What is described is the expected behavior.

Non-mapped (static)

ldap_id_mapping = false

UID and GID values are stored in Active Directory attributes (uidNumber and gidNumber in LDAP parlance) and read by the daemon when the user or group is referenced. If other standard POSIX attribute values are populated (loginShell, homeDirectory, gecos) they will be read as well.

Mapped (calculated)
ldap_id_mapping = true

UID and GID values are calculated using an algorithm run against Active Directory user and group Security Identifiers (SID) to generate unique UID and GID values. Because the object SIDS do not change these values persist across servers running the SSSD.

Whether to use mapped or non-mapped UID/GID values is a design choice you want to make at the front side of deployments. As soon as file systems are involved (as UID and GID vaues are written to them) swapping modes is not a trivial undertaking.

Hoping to have helped,

– lawrence

Topic		Replies	Views
LDAP client configuration SLES Configure-Administer	4	220	April 22, 2014
LDAP Client Configuration - Login with UPN SLES Configure-Administer	5	181	November 19, 2012
SLES - AD integration SLES Configure-Administer	10	183	October 22, 2013
Can not login via LDAP authentication SLES Configure-Administer	2	207	April 22, 2014
sssd and sudoers SLES Configure-Administer	1	298	August 9, 2019

SSSD with ldap_id_mapping = False

Related Topics