0

I have a bunch of AlmaLinux machines with SSSD configured to allow LDAP auth and it's working fine.

We have a very huge LDAP directory and some users got multiple entries following this schema.

dn: cn=John Dow,ou=randomgrp,ou=something,o=bla,c=xyz
ou: RANDOMGRP
uid: jdow@RANDOMGRP
uniqueidentifier: 123456
AccredOrder: 3
memberOf: special_group

dn: cn=John Dow,ou=primarygrp,ou=somewhere,o=bla,c=xyz
ou: PRIMARYGRP
uid: jdow
uid: jdow@PRIMARYGRP
uniqueidentifier: 123456
AccredOrder: 1
memberOf: special_group

dn: cn=John Dow,ou=anothergrp,ou=somehow,o=bla,c=xyz
ou: ANOTHERGRP
uid: jdow@ANOTHERGRP
uniqueidentifier: 123456
AccredOrder: 2
memberOf: special_group

This is the result of a ldapsearch query filtered with uniqueIdentifier attribute. OU names can be different obviously, depending of the user.

The first problem I faced is that LDAP is returning the info of those 3 accounts in random order, letting in sometimes jdow, sometimes jdow@ANOTHERGRP or sometimes jdow@RANDOMGRP. I fixed the problem using this filter in my sssd.conf file

ldap_access_filter = (&(memberof=special_group)(accredorder=1))

That only let in users with accredorder set to 1 and it's working fine.

The problem I have now is when the system is querying the LDAP for it's own business. Most of the time it's working fine but as the LDAP is randomly returning one of the 3 accounts, the tool running on the machines got sometimes jdow@ANOTHERGRP as an answer for the UID of the connected user when it was jdow one jour before and it messes up the software.

I don't know if my explanation is clear but is there a way to filter "automatic" queries the system is making? Like a ldapsearch.conf where I could add default filters?

To resume, I need to only get information for account with accredorder attribute set to 1 for all the queries the system would make.

Thanks for your help

Improve this question

1 Answer 1

Reset to default
2

The "system" is not making any queries. Only the SSSD daemon is actually interacting with LDAP when it comes to user account retrieval (it is literally the purpose of SSSD to be the system's interface to LDAP). The rest of the OS is completely unaware of LDAP and there is no other central place to define queries than sssd.conf.

Current SSSD versions let you include a filter as part of the ldap_*_search_base parameter, according to the sssd-ldap(5) manual page. The syntax is similar to that of ldap:// URLs:

ldap_user_search_base = o=bla,c=xyz?subtree?(accredOrder=2)

If you have programs that bypass SSSD and directly talk to the server and do their own queries (or e.g. maybe you have nslcd as an alternative to SSSD) – well, they do their own queries; you have to configure each such program separately.

Improve this answer
3
  • Yes! This looks like what I needed! As the issue is fairly random, we will see in the next days if it comes back. Thanks! Commented Jun 5 at 8:15
  • Sorry to bump this question. I have now another issue on some machines where I need to force a specific user@group for the login. It was working fine to login using jdow@specialgroup with nscd/nslcd but is looks like SSSD is considering "specialgroup" as the domain name. What's the username format I can use for that? I tried adding backslashes but it's not helping. Thanks! Commented Jun 16 at 14:11
  • playing ask and answer alone :-) it looks like this could do the job re_expression = ((?P<name>[^@]+@[^@]+)|(?P<name>[^@]+))@?(?P<domain>[^@]*$) Commented Jun 16 at 14:45

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.