Hi all
I am trying to use SSSD on RHEL 6.4 to authenticate users from Active Directory. It works if I don't specify an access filter, but if I try to filter based on group membership (memberOf) it fails.
Quote:
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_account_expired_ad] (0x0400): Performing AD access check for user [d-test2]
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_account_expired_ad] (0x4000): User account control for user [d-test2] is [0].
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_account_expired_ad] (0x4000): Expiration time for user [d-test2] is [0].
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_access_filter_send] (0x0400): Performing access filter check for user [d-test2]
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_access_filter_send] (0x0400): Checking filter against LDAP
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_print_server] (0x2000): Searching 10.21.1.92
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=d-test2)(objectclass=user)(memberOf=CN=LOC-RHEL-Admins,OU=Security Groups,OU=Dev,DC=mycompany,DC=com))][CN=d-test2,OU=Users,OU=Dev,DC=mycompany,DC=com].
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 19
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_process_result] (0x2000): Trace: sh[0xda8600], connected[1], ops[0xdb52e0], ldap[0xda8670]
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_id_op_done] (0x4000): releasing operation connection
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_access_filter_done] (0x0100): User [d-test2] was not found with the specified filter. Denying access.
(Mon Dec 7 15:51:49 2015) [sssd[be[mycompany.com]]] [sdap_access_filter_done] (0x0400): Access denied by online lookup
Interestingly, the query returns values (the users who are members) from ldp.exe (MSFT tool) on Windows but returns zero from ldapsearch on the RHEL box.
So this fails:
ldapsearch -H ldap://server1.mycompany.com/ -Y GSSAPI -b "ou=users,ou=dev,dc=mycompany,dc=com" "(&(sAMAccountName=d-test2)(objectclass=user)(memberOf=CN=LOC-RHEL-Admins,OU=Security Groups,OU=Dev,DC=mycompany,DC=com))"
(NB: GSSAPI and the other params are all fine; if I take out the memberOf clause it returns results, so it's just the memberOf bit that is failing.)
The very same query returns the members when run from ldp.exe on Windows.
Anyone have any ideas?
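An added Python helper (not from the original post) that rebuilds the exact filter SSSD logged above with RFC 4515 escaping and parses it back, so you can confirm the filter handed to AD is syntactically valid (spaces and commas in the group DN need no escaping) and that a username containing filter metacharacters cannot inject extra assertions. Function names and the parser are my own, not SSSD's or OpenLDAP's.

```python
import re

# Characters RFC 4515 requires to be escaped inside an assertion value.
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value per RFC 4515 (per-character, so backslash is safe)."""
    return ''.join(_ESCAPES.get(c, c) for c in value)


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value: turn \\XX hex pairs back into characters."""
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)


def build_access_filter(sam_account_name: str, group_dn: str, objectclass: str = 'user') -> str:
    """Build the same shape of filter SSSD logged, with every value escaped."""
    return '(&(sAMAccountName=%s)(objectclass=%s)(memberOf=%s))' % (
        escape_filter_value(sam_account_name),
        escape_filter_value(objectclass),
        escape_filter_value(group_dn))


def parse_filter(text: str):
    """Parse a filter into ('&'|'|'|'!', [children]) or ('=', attr, value).

    Only equality assertions are handled; '!' arity is not enforced.
    Raises ValueError on unbalanced or trailing input.
    """
    pos = 0

    def item():
        nonlocal pos
        if text[pos] != '(':
            raise ValueError('expected "(" at offset %d' % pos)
        pos += 1
        if text[pos] in '&|!':
            op = text[pos]
            pos += 1
            children = []
            while text[pos] != ')':
                children.append(item())
            pos += 1
            return (op, children)
        # A correctly escaped value never contains a raw ')', so this is the end.
        end = text.index(')', pos)
        attr, _, value = text[pos:end].partition('=')
        pos = end + 1
        return ('=', attr, unescape_filter_value(value))

    try:
        node = item()
    except IndexError:
        raise ValueError('unbalanced filter')
    if pos != len(text):
        raise ValueError('trailing data at offset %d' % pos)
    return node
```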