I removed ldap from nsswitch.conf. I restarted slapd and sssd.
There is still inconsistencies between getent and ldapsearch:
[root@rodster sssd]# getent passwd meathead08
ldapsearch -w xxxx -D "cn=manager,dc=wh,dc=local"
[mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Liam
Sent: Tuesday, March 12, 2013 5:00 AM
Subject: Re: getent passwd inconsistent loginShell with ldapsearch
On 11/03/2013 21:26, Rodney Simioni wrote:
> I disabled nscd. Here's my ldap.conf
> #SIZELIMIT 12
> #TIMELIMIT 15
> #DEREF never
> TLS_CACERTDIR /etc/openldap/cacerts
> #URI ldap://127.0.0.1/
> URI ldap://127.0.0.1/
> BASE dc=wh,dc=local
> port 389
Wrong ldap.conf. What's in /etc/ldap.conf and are you absolutely sure that the user
doesn't exist in /etc/passwd?
Also what's in /etc/nsswitch.conf for the passwd entry?
On 03/12/13 09:55 -0400, Rodney Simioni wrote:
I don't have a /etc/ldap.conf. I have a /etc/openldap/ldap.conf.
I'm sure my ldap users do not exist in /etc/passwd.
Nscd is disabled.
passwd: files sss ldap
shadow: files sss ldap
You have two ldap related nss modules, which might explain your inconsistency. Try
my sssd.conf is:
ldap_id_use_start_tls = False
cache_credentials = True
ldap_search_base = dc=wh,dc=local
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://127.0.0.1/
ldap_tls_cacertdir = /etc/openldap/cacerts
access_provider = ldap
ldap_access_filter = host=localhost
ldap_pwd_policy = shadow
services = nss, pam, ssh
config_file_version = 2
domains = default, local
This email message is intended for the use of the person to whom it has been sent, and may
contain information that is confidential or legally protected. If you are not the intended
recipient or have received this message in error, you are not authorized to copy,
distribute, or otherwise use this message or its attachments. Please notify the sender
immediately by return e-mail and permanently delete this message and any attachments.
Verio Inc. makes no warranty that this email is error or virus free. Thank you.