[INTEGRATION] SSSD integration #739
Comments
Hmm, is there any relevant logging from sssd? Otherwise, I'd be curious to see a packet capture (with tcpdump) of the LDAP traffic to LLDAP |
I have done a packet capture |
Sorry @vincentDcmps the link has expired, could you re-upload it if you still have it? |
Alright, found the culprit: "controlType: 1.3.6.1.4.1.42.2.27.8.5.1 (passwordPolicy)". I'll talk with @Firstyear to see what we can do at the parsing level. |
Filed kanidm/ldap3#46 |
Hi, thanks. Your pull request seems to be merged; do you know if you can integrate the latest version in lldap to test?
|
Merged a change updating the dependency. Can you retry? |
ldap3_proto 0.4.2 was released on 30th November and the fix commits are from 19th December, so our requested modification is not in this version, no? For information, need to update the rust:alpine image to 3.19 in the root's Dockerfile |
I have tried to build lldap with the last commit of ldap3_proto
but I get the following compilation issue:
I don't know Rust at all, so it's hard for me to debug |
I talked to @Firstyear about it, it's expected that there are breaks since it's not a released version. He's going to prepare another release soon that will include the fix. |
Can you try with the newest |
So it's a little better, I'll explain
but after that I tried to remove my complete cache
and after that I can't get any information with the command getent
|
Ah, it's doing a substring search on a custom attribute... That's quite hard to support right now. I don't think it's going to work any time soon. I have a vague plan in mind, but it'll take a long time, if ever, to do. |
SSSD loves to do substring searches in the most inefficient ways possible. I think if you remove "sudo" as a provider on the sssd.conf it stops it asking for sudohost. Generally you can ignore all the sudo queries it emits. |
I have already tried that, but sssd seems to continue to do sudo requests |
Depends how @nitnelave wants to proceed here, but I'd say simply dropping/ignoring any request that asks for sudo related terms with an empty response would silence the problem. |
Or open a bug with SSSD? |
One thing that I can do is that if the substring filter concerns an attribute that doesn't exist, I can replace it with just "false". At least LLDAP will give a valid response to the query, if not the best possible. |
I actually think that's what the ldap specification requires. An unknown filter component evaluates to "false" or "empty set". |
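The filter semantics discussed in the two comments above, as an added example (not LLDAP or ldap3_proto code): RFC 4511 section 4.5.1.7 evaluates a filter item on an unrecognized attribute to Undefined, which excludes the entry just as FALSE does but stays Undefined under NOT. The types, the schema list and the sample entry are assumptions made for the illustration.

```rust
// Added illustration: hypothetical types, not LLDAP's or ldap3_proto's own.
use std::collections::HashMap;
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Tri { True, False, Undefined }

pub enum Filter {
    And(Vec<Filter>), Or(Vec<Filter>), Not(Box<Filter>),
    Equality(String, String),
    Substring(String, String), // simplified to one "contains" component
}
pub type Entry = HashMap<String, Vec<String>>; // keys: lowercase attribute names

// One filter item: Undefined when the server does not know the attribute.
fn item(e: &Entry, schema: &[&str], attr: &str, pred: impl Fn(&str) -> bool) -> Tri {
    if !schema.iter().any(|s| s.eq_ignore_ascii_case(attr)) { return Tri::Undefined; }
    let hit = e.get(&attr.to_ascii_lowercase())
        .map_or(false, |vs| vs.iter().any(|v| pred(v.as_str())));
    if hit { Tri::True } else { Tri::False }
}

// AND/OR: `dominant` wins if present, then Undefined, else `otherwise`.
fn combine(r: &[Tri], dominant: Tri, otherwise: Tri) -> Tri {
    if r.contains(&dominant) { dominant }
    else if r.contains(&Tri::Undefined) { Tri::Undefined }
    else { otherwise }
}

pub fn eval(f: &Filter, e: &Entry, schema: &[&str]) -> Tri {
    let all = |fs: &Vec<Filter>| fs.iter().map(|x| eval(x, e, schema)).collect::<Vec<_>>();
    match f {
        Filter::Equality(a, v) => item(e, schema, a, |x| x.eq_ignore_ascii_case(v)),
        Filter::Substring(a, s) => item(e, schema, a, |x| x.to_lowercase().contains(&s.to_lowercase())),
        Filter::And(fs) => combine(&all(fs), Tri::False, Tri::True),
        Filter::Or(fs) => combine(&all(fs), Tri::True, Tri::False),
        Filter::Not(inner) => match eval(inner, e, schema) {
            Tri::True => Tri::False,
            Tri::False => Tri::True,
            Tri::Undefined => Tri::Undefined, // NOT never turns "unknown" into a match
        },
    }
}

fn main() {
    // Constructed sample: one user entry; the schema has no sudoHost attribute.
    let e: Entry = HashMap::from([("uid".to_string(), vec!["alice".to_string()])]);
    let sub = Filter::Substring("sudoHost".into(), "web".into());
    println!("(sudoHost=*web*) -> {:?}", eval(&sub, &e, &["uid", "uidnumber"]));
    let not = Filter::Not(Box::new(sub));
    println!("(!(sudoHost=*web*)) -> {:?}", eval(&not, &e, &["uid", "uidnumber"]));
}
```

An entry is returned only when the whole filter evaluates to True, so both filters in `main` yield an empty result for this entry.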
Alright, let's have another try with |
It always seems to have some query issue on the domain name, from my understanding
|
That seems to be a configuration error: it can't resolve the service name to even try to send a query to LLDAP. In the previous logs you had an A record for the service, now it doesn't seem to be there (?) |
I get an error when I try to proceed to a login with my test user
|
Okay, that's a lot of logging... A couple of notes:
|
Describe the bug
Hello, I am trying to integrate LLDAP with sssd
I have an attribute uidnumber on my user and can request it with ldapsearch
but when sssd tries to request LLDAP I have this error:
[error]: [LDAP] Service Error: while handling incoming messages: while receiving LDAP op: ldapmsg invalid
Nothing more with verbose mode