
List:       sssd-users
Subject:    [SSSD-users] ldap domain - queried attributes filter?
From:       "Martin Hansen" <gotschsonsan () gmail ! com>
Date:       2019-03-26 14:21:11
Message-ID: 20190326142111.12582.11001 () mailman01 ! phx2 ! fedoraproject ! org

Hi, 

I'm using sssd with LDAP backend / domain. I wonder if there is a way to influence
the attributes which are queried by sssd? Like not just the mapping but which
attributes are ok to be queried and which attributes should not? I have some cloud
servers which are accessing our internal directory via slapd (proxy).

I have two questions re this:

1. I use "services: nss,pam", so why is sssd querying sudoers information via the
ldap domain like:

ldap filter used by sssd:
"(&(?objectClass=sudoRole)(|(!(?sudoHost=*))(?sudoHost=ALL)(?sudoHost=ip-xx-xx-xx-xx)(?sudoHost=ip-xx-xx-xx-xx)(?sudoHost=xx.xx.xx.xx)(?sudoHost=xx.xx.xx.xx/xx)?sudoHost=+*)(|(?sudoHost=*\5C*)(?sudoHost=*?*)(?sudoHost=*\2A*)(?sudoHost=*[*]*))))"


2. I as well would like to modify the attributes which are queried by sssd. I would
like sssd NOT to query "userPassword" for example. A lot of other attributes which
are queried are not relevant in my environment as well e.g. the "krb*" attributes.

ldap attributes queried by sssd:
objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell
krbPrincipalName cn GroupMembership modifyTimestamp modifyTimestamp shadowLastChange
shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag
krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires
userAccountControl nsAccountLock host rhost loginDisabled loginExpirationTime
loginAllowedTimeMap sshPublicKey userCertificate;binary mail

Is it possible to influence this behavior somehow? I tried user_attributes in the
domain section as well as in the nss section without success, e.g. "user_attributes =
-userPassword".

Any help or clarifying words are appreciated. Have a great day.
M