Open cipharius opened 3 months ago
Hi, yes, this is a thing we noticed and indeed it depends on the sssd version.
Generally speaking, we tried to adjust minimally with respect to upstream - https://github.com/glauth/glauth - but I think that changing to cn as a default can indeed make sense, as almost 100% of deployments with Waldur are using SSSD.
Relates to glauth/glauth/issues/181.
Another issue we saw was the format of ldap_user_name in SSSD configuration.
ldap_user_name = preferredUsername vs ldap_user_name = preferred_username
Can you please check which one is working for you?
Also, what if you use the following SSSD configuration:
[domain/WALDUR]
cache_credentials = True
enumerate = False
id_provider = ldap
auth_provider = ldap
access_provider = ldap
# ldap-server needs to resolve to the host where glauth is running
ldap_uri = ldap://ldap-server:3893
# configured glauth base
ldap_search_base = dc=glauth,dc=com
# configured glauth service user
ldap_default_bind_dn = cn=admin,dc=glauth,dc=com
ldap_default_authtok_type = password
# configured glauth service user password
ldap_default_authtok = mysecret
ldap_use_tokengroups = False
sudo_provider = none
ldap_group_member = member
ldap_schema = rfc2307bis
ldap_access_order = filter
ldap_access_filter = (memberOf=dc=glauth,dc=com)
ldap_user_name = preferredUsername
I am not sure if this is an issue with my specific setup, but sssd version 2.9.1 and the following sssd configuration do not recognize the group names:
I noticed that if I change groupformat to "cn" in the preconfig.cfg.template, then sss manages to recognize group names without providing custom ldap_group_search_base in the sssd.conf.
https://github.com/waldur/glauth/blob/8f19f297527cf026fdf88da36058a5bd69fb6b39/systemd-conf/refresher/preconfig.cfg.template#L38
I was wondering how groups are configured on other setups and whether groupformat = "cn" should become the default configuration, given that sssd recognizes that by default.