How is this done? In the LTB distribution there is a ppolicy ldif in the schema directory of openldap/etc; no such file exists for "vanilla" OpenLDAP and I'm not even sure if it would be compatible. The documentation describes the password policy overlay, but appears to be in conf format rather than the ldifs we use now and there's no indication as to what sort of "default" options would normally be associated with permitting a client to bind, check passwords for login and allow or reject the login. https://www.openldap.org/doc/admin26/overlays.html (section 12.10.2) I imagine there must be a reference for this somewhere as it has to be one of the most common LDAP use cases? Those were just truncated lines. Here is another example without the truncation: Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1005 fd=14 ACCEPT from IP=10.8.8.202:35250 (IP=0.0.0.0:389) Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1005 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1005 op=0 SRCH attr=* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domainControllerFunctionality defaultNamingContext lastUSN highestCommittedUSN Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1005 op=0 SEARCH RESULT tag=101 err=0 qtime=0.000018 etime=0.000221 nentries=1 text= Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1005 op=1 BIND dn="cn=admin,dc=clab,dc=lab" method=128 Nov 02 06:40:46 ldapserver00 slapd[109046]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1 Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1005 op=1 BIND dn="cn=admin,dc=clab,dc=lab" mech=SIMPLE bind_ssf=0 ssf=0 Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1005 op=1 RESULT tag=97 err=0 qtime=0.000018 etime=0.000106 text= Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1005 op=2 UNBIND Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1005 fd=14 closed Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 fd=14 ACCEPT from IP=10.8.8.202:35260 (IP=0.0.0.0:389) Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 op=0 SRCH attr=* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domainControllerFunctionality defaultNamingContext lastUSN highestCommittedUSN Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 op=0 SEARCH RESULT tag=101 err=0 qtime=0.000016 etime=0.000145 nentries=1 text= Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 op=1 BIND dn="cn=admin,dc=clab,dc=lab" method=128 Nov 02 06:40:46 ldapserver00 slapd[109046]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1 Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 op=1 BIND dn="cn=admin,dc=clab,dc=lab" mech=SIMPLE bind_ssf=0 ssf=0 Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 op=1 RESULT tag=97 err=0 qtime=0.000018 etime=0.000092 text= Nov 02 06:40:46 ldapserver00 slapd[109046]: get_filter: conn 1006 unknown attribute type=sudoHost (17) Nov 02 06:40:46 ldapserver00 slapd[109046]: get_ssa: conn 1006 unknown attribute type=sudoHost (17) Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 op=2 SRCH base="ou=users,dc=clab,dc=lab" scope=2 deref=0 filter="(&(?objectClass=sudoRole)(|(&(!(?sudoHost=*))(cn=defaults))(?sudoHost=ALL)(?sudoHost=ldapclient)(?sudoHost=ldapclient)(?sudoHost=10.8.8.202)(?sudoHost=10.8.8.0/24)(?sudoHost=fe80::f9:c8ff:fe92:990d)(?sudoHost=fe80::/64)(?sudoHost=+*)))" Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 op=2 SRCH attr=objectClass objectClass cn sudoCommand sudoHost sudoUser sudoOption sudoRunAs sudoRunAsUser sudoRunAsGroup sudoNotBefore sudoNotAfter sudoOrder modifyTimestamp Nov 02 06:40:46 ldapserver00 slapd[109046]: conn=1006 op=2 SEARCH RESULT tag=101 err=0 qtime=0.000018 etime=0.000227 nentries=0 text= Nov 02 06:42:03 ldapserver00 slapd[109046]: conn=1006 op=3 UNBIND Nov 02 06:42:03 ldapserver00 slapd[109046]: conn=1006 fd=14 closed root@ldapserver00:/tmp# I note in the SSSD documentation it says it will not perform authentication binds in cleartext. I think(?) I am running the server with SSL but not START-TLS. Jarett T. DeAngelis, MS Scientific Systems Engineer Email: jarett(a)bioteam.net <mailto:jarett@bioteam.net> M: +1.646.417.2165 bioteam.net <https://www.bioteam.net/>

in Nachricht <AA5643E98105A35D696CE959(a)[192.168.1.15]&gt;: For some strange reason sssd starts do query the sudo schema, even if it was not configured on the server, typically flooding the logs with invalid requests. I added the schema here, just to silence the errors...