On Wed, 11 Oct 2023, Finn Fysj via FreeIPA-users wrote:
I've set up two new IPA nodes, to which I migrated users & groups from an old IPA server. When I do a ldapsearch -x uid=test-user on my client I'm not able to receive LDAP attributes such as memberof and ipaSshPubKey. However, this is possible if I log onto the IPA nodes and do the ldapsearch.
memberof and ipaSSHPubKey attributes are only allowed to be read, searched and compared by authenticated LDAP connections. If your connection is anonymous, you have no access to those attributes.
I can confirm that by running ldapsearch -H ldaps://old.ipa.example.com uid=test-user I can receive the wanted attributes.

On new IPA node:

dn: uid=test-user,cn=users,cn=accounts,dc=example,dc=com
ipaNTSecurityIdentifier: S-1-5-21-xxxxxxxxxxxx
givenName: Test
sn: User
uid: test-user
cn: Test User
displayName: Test User
initials: TU
gecos: Test User
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
loginShell: /bin/sh
homeDirectory: /home/test-user
uidNumber: 5015
gidNumber: 5015

Old IPA:

dn: uid=test-user,cn=users,cn=accounts,dc=example,dc=com
ipaNTSecurityIdentifier: S-1-5-21-xxxxxxxxxxxx
givenName: Test
sn: User
uid: test-user
cn: Test User
displayName: Test User
initials: TU
gecos: Test User
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
loginShell: /bin/sh
homeDirectory: /home/test-user
uidNumber: 5015
gidNumber: 5015
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
ipaSshPubKey: ssh-rsa ..........

It's important to note, we're not using Kerberos for authentication, nor is ipa-client being used.
The configuration below does not seem to use *any* authentication, not just Kerberos.
/etc/sssd/sssd.conf:

[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
sudo_provider = ldap
ldap_uri = ldaps://ipa.example.com
ldap_schema = rfc2307bis
ldap_search_base = dc=example,dc=com
ldap_user_search_base = cn=users,cn=accounts,dc=example,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=example,dc=com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_reqcert = allow
cache_credentials = true

[sssd]
services = nss, pam, sudo
domains = default

[nss]
homedir_substring = /home

[pam]

[sudo]

/etc/openldap/ldap.conf:

BASE dc=example,dc=com
URI ldap://ipa.example.com
SASL_NOCANON on
TLS_CACERT /etc/ssl/certs/ca-bundle.crt
TLS_CACERTDIR /etc/openldap/cacerts
sudoers_base ou=sudoers,dc=example,dc=com

/etc/sudo-ldap.conf:

BASE dc=example,dc=com
URI ldap://ipa.example.com
SASL_NOCANON on
TLS_CACERT /etc/ssl/certs/ca-bundle.crt
TLS_CACERTDIR /etc/openldap/cacerts
sudoers_base ou=sudoers,dc=example,dc=com

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
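The point made in the reply above (memberOf and ipaSshPubKey are readable only over an authenticated LDAP connection, so an anonymous search silently omits them) can be checked mechanically by diffing the LDIF an anonymous and an authenticated ldapsearch return. The following is an added example, not code from the thread or from FreeIPA; the two LDIF blobs are constructed from the entries quoted above, and in practice they would be the captured output of the two ldapsearch runs.

```python
"""Report which attributes appear only in an authenticated LDAP search result.
Added example: the helper and sample data are constructed, not from FreeIPA."""
import base64
from collections import defaultdict


def parse_ldif(text):
    """Parse a single LDIF entry into {attribute_lowercase: [values]}.
    Handles RFC 2849 folded continuation lines (leading space), multi-valued
    attributes and base64 values ('attr:: ...'); skips comments and blanks."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # fold continuation onto previous line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry = defaultdict(list)
    for line in lines:
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry[attr.strip().lower()].append(value)
    return dict(entry)


def hidden_attributes(anonymous_ldif, authenticated_ldif):
    """Attribute names present for the authenticated bind but absent for the
    anonymous one, i.e. the attributes the server's ACIs hide from anonymous."""
    anon = parse_ldif(anonymous_ldif)
    auth = parse_ldif(authenticated_ldif)
    return sorted(set(auth) - set(anon))


# Constructed sample output, modelled on the test-user entry quoted in the thread.
ANON_LDIF = """dn: uid=test-user,cn=users,cn=accounts,dc=example,dc=com
uid: test-user
cn: Test User
objectClass: top
objectClass: posixaccount
uidNumber: 5015
gidNumber: 5015
"""
AUTH_LDIF = ANON_LDIF + """memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
ipaSshPubKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-constructed-
 example-key
"""

if __name__ == "__main__":
    print(hidden_attributes(ANON_LDIF, AUTH_LDIF))  # ['ipasshpubkey', 'memberof']
```

If the anonymous result lacks exactly these attributes while the authenticated one has them, the client is binding anonymously rather than hitting a replication or schema problem on the new nodes.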
