Liam, Andrew,
After I set the binddn and bindpw in sssd.conf and restart sssd, it still cannot find anything, but the return code is 0,0,Success.

ldap_default_bind_dn = <dn to bind as>
ldap_default_authtok_type = password
ldap_default_authtok = <dn password>

It returns 0, 0, but still finds nothing.
/var/log/sssd/sssd_default.log
(Thu Apr 30 11:51:53 2015) [sssd[be[default]]] [sdap_cli_auth_step] (0x0100): expire timeout is 900
(Thu Apr 30 11:51:53 2015) [sssd[be[default]]] [simple_bind_send] (0x0100): Executing simple bind as: svc_na_lvd_cont_int
(Thu Apr 30 11:51:53 2015) [sssd[be[default]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'usmkemsi107.ra-int.com' as 'working'
(Thu Apr 30 11:51:53 2015) [sssd[be[default]]] [set_server_common_status] (0x0100): Marking server 'usmkemsi107.ra-int.com' as 'working'
(Thu Apr 30 11:51:53 2015) [sssd[be[default]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Thu Apr 30 11:51:53 2015) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Apr 30 11:56:20 2015) [sssd[be[default]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=yingbo li]
(Thu Apr 30 11:56:20 2015) [sssd[be[default]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Thu Apr 30 11:56:20 2015) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Apr 30 11:56:28 2015) [sssd[be[default]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=yingbo]
(Thu Apr 30 11:56:28 2015) [sssd[be[default]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Thu Apr 30 11:56:28 2015) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
(Thu Apr 30 11:57:39 2015) [sssd[be[default]]] [be_get_account_info] (0x0100): Got request for [4097][1][name=Yingbo Li]
(Thu Apr 30 11:57:39 2015) [sssd[be[default]]] [sdap_get_users_done] (0x0040): Failed to retrieve users
(Thu Apr 30 11:57:39 2015) [sssd[be[default]]] [acctinfo_callback] (0x0100): Request processed. Returned 0,0,Success
/var/log/sssd_nss.log
(Thu Apr 30 12:22:26 2015) [sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
(Thu Apr 30 12:22:26 2015) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/default/givenname=yingbo]
(Thu Apr 30 12:22:26 2015) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [givenname=yingbo@default]
(Thu Apr 30 12:22:26 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1a36330
(Thu Apr 30 12:22:26 2015) [sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1a363e0
(Thu Apr 30 12:22:26 2015) [sssd[nss]] [ldb] (0x4000): Running timer event 0x1a36330 "ltdb_callback"
(Thu Apr 30 12:22:26 2015) [sssd[nss]] [ldb] (0x4000): Destroying timer event 0x1a363e0 "ltdb_timeout"
(Thu Apr 30 12:22:26 2015) [sssd[nss]] [ldb] (0x4000): Ending timer event 0x1a36330 "ltdb_callback"
I tried "getent passwd name", where the name I tried was Yingbo, Yingbo Li, Yingbo, givenname=yingbo, yli28. None of them found any result. If I use getent passwd, I can find a lot of local users even though I did not choose local sufficient at authconfig-tui. Strange! But ldapsearch -x -D binddn -w bindpw "givenname=Yingbo" or "samaccountname=yli28" finds everything.
Do you think IT set something on LDAP server side?
Thanks, Yingbo
-----Original Message-----
From: Andrew Findlay [mailto:andrew.findlay@skills-1st.co.uk]
Sent: Thursday, April 30, 2015 12:00 PM
To: Yingbo Li
Cc: openldap-technical@openldap.org
Subject: Re: getent passwd only catch local user passwd
On Thu, Apr 30, 2015 at 04:09:23PM +0000, Yingbo Li wrote:
> (Thu Apr 30 10:17:56 2015) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Operations error(1), 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
> (Thu Apr 30 10:17:56 2015) [sssd[be[default]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
>
> It looks like binddn and bindpw should be set.

Exactly.

> But Howard Chu said in OpenLDAP, ldap.conf file cannot set binddn and bindpw. Ldapsearch I can use -D -w to set binddn and bindpw. What else can I do to make getent work?

It is SSSD that is making the LDAP connection, so you should be setting the DN and password in sssd.conf - look for the domain/default section and set values for:

ldap_default_bind_dn
ldap_default_authtok

You should check first with ldapsearch to make sure that the DN and password are valid and that they allow you to do the searches that SSSD will need.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
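Editor's note, added example. The script below is not code from either message, nor from sssd or OpenLDAP; it turns Andrew's advice (verify the DN and password with ldapsearch, then set ldap_default_bind_dn and ldap_default_authtok in sssd.conf) into a repeatable check, and adds the two caveats a practitioner would want around Yingbo's follow-up. First, the bind in the log is a simple bind on port 389, so without StartTLS the service-account password crosses the wire in clear; the check forces -ZZ and the fragment sets ldap_id_use_start_tls. Second, a 0,0,Success return together with "Failed to retrieve users" means the search itself came back empty: sssd only ever matches getent names against its ldap_user_name attribute under the object class set by ldap_schema, so with the rfc2307 default (posixAccount/uid) an Active Directory user found by ldapsearch on samaccountname is invisible, and "getent passwd givenname=yingbo" can never match. That reading of the log is the editor's, not something the thread states. The hostname comes from the log; the bind DN, search base, CA path and the simplified filters are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, not sssd's own code).
# Assumptions, marked below: bind DN, search base, CA file, filter shapes.

LDAP_URI="${LDAP_URI:-ldap://usmkemsi107.ra-int.com}"   # host from Yingbo's log
BASE_DN="${BASE_DN:-DC=ra-int,DC=com}"                    # assumed search base
BIND_DN="${BIND_DN:-CN=svc_na_lvd_cont_int,OU=Service Accounts,DC=ra-int,DC=com}"  # assumed DN
CA_FILE="${CA_FILE:-/etc/openldap/cacerts/ra-int-ca.pem}" # assumed CA bundle path

# Simplified form of the filter sssd sends for `getent passwd NAME`, by schema.
# rfc2307 (the default) wants posixAccount/uid, which AD users do not carry,
# so sssd gets an empty result, logs "Failed to retrieve users" and still
# reports 0,0,Success. ad wants user/sAMAccountName, which is what worked
# for ldapsearch in the thread.
sssd_user_filter() {                  # $1 = schema, $2 = account name
  case "$1" in
    ad)      printf '(&(objectClass=user)(sAMAccountName=%s))' "$2" ;;
    rfc2307) printf '(&(objectClass=posixAccount)(uid=%s))' "$2" ;;
    *)       echo "unsupported schema: $1" >&2; return 1 ;;
  esac
}

# Andrew's check, run with the identity and filter sssd will use.
# -ZZ forces StartTLS so the simple-bind password is not sent in clear on 389;
# -y reads the password from a 0600 file so it never shows up in `ps` (-w would).
check_bind_and_search() {             # $1 = schema, $2 = account name, $3 = password file
  ldapsearch -x -ZZ -H "$LDAP_URI" -D "$BIND_DN" -y "$3" -b "$BASE_DN" \
      "$(sssd_user_filter "$1" "$2")" sAMAccountName uid
}

# The [domain/default] fragment: bind credentials, schema mapping and TLS
# settings together. The password comes from the same file used above.
sssd_domain_fragment() {              # $1 = password file
  cat <<EOF
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = $LDAP_URI
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = $CA_FILE
ldap_search_base = $BASE_DN
ldap_schema = ad
ldap_default_bind_dn = $BIND_DN
ldap_default_authtok_type = password
ldap_default_authtok = $(cat "$1")
EOF
}

# Write the fragment with the mode sssd insists on (0600, owned by root).
# The bind password sits in clear in this file; obfuscated_password via
# sss_obfuscate only hides it from casual reading, the file mode is the control.
write_sssd_conf() {                   # $1 = password file, $2 = destination path
  ( umask 077; sssd_domain_fragment "$1" > "$2" )
  chmod 0600 "$2"
}

# True when the file is exactly mode 0600 (POSIX find -perm is an exact match).
conf_mode_ok() {                      # $1 = path
  [ -n "$(find "$1" -perm 600 2>/dev/null)" ]
}

# Usage: ./sssd_bind_check.sh run yli28 /root/.sssd-bindpw
# Only the search is attempted first; the config is written if the bind and
# search both succeed, then `systemctl restart sssd` (or service sssd restart).
if [ "${1:-}" = "run" ]; then
  check_bind_and_search ad "$2" "$3" && write_sssd_conf "$3" /etc/sssd/sssd.conf
fi
```

If the AD side does not return the POSIX attributes sssd needs (uidNumber, gidNumber, unixHomeDirectory, loginShell) then getent will still show nothing even with the right bind and schema; that is the next thing to check with the same ldapsearch, and the thread does not say whether IT populated them.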