Bug #10654

sssd does not pull user identification information when using an anonymous LDAP bind

Added by Paul Suh about 5 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
Nice to have
Assignee:
John Hixson
Category:
OS
Target version:
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
Yes
Needs Doc:
Yes
Needs Merging:
Yes
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

Go to Directory Service and configure LDAP to have a blank bind dn and password, and check the "Allow Anonymous Binding" checkbox. cachetool.py will pull users into its cache, but sssd will not do the lookup properly, so the users do not show up in the dropdowns or when using getent passwd. See https://forums.freenas.org/index.php?threads/apple-open-directory-and-directory-service-cache.35581/ for more details. Contents of /usr/local/etc/sssd/sssd.conf:

[sssd]
config_file_version = 2
full_name_format = %2$s\%1$s
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))
services = nss,pam
domains = EINSTEIN

[nss]
[pam]
[domain/EINSTEIN]
description = EINSTEIN
enumerate = true
cache_credentials = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307bis
ldap_force_upper_case_realm = true
use_fully_qualified_names = false
ldap_uri = ldap://einstein.lcis.bs
ldap_search_base = dc=einstein,dc=lcis,dc=bs
ldap_user_search_base = dc=einstein,dc=lcis,dc=bs?subtree?(objectclass=posixAccount)
ldap_group_search_base = dc=einstein,dc=lcis,dc=bs?subtree?(objectclass=posixGroup)
# Bug: the blank bind DN and password from the UI were written out as the
# literal string "None" instead of being omitted, so sssd treats "None" as a
# bind DN and attempts a simple bind rather than the anonymous bind requested.
ldap_default_bind_dn = None
ldap_default_authtok_type = password
ldap_default_authtok = None
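
Added here as a worked example, not code from the bug report or from FreeNAS: a small Python generator for the [domain/...] section that leaves the credential options out for an anonymous bind instead of emitting placeholders, plus a linter that catches the "None" values in the config above and, for authenticated binds, a simple bind over plain ldap:// without STARTTLS (the cleartext-password caveat raised later in the thread). The option names are real sssd options; the function names, the settings passed in and the embedded sample config (constructed from the report above) are assumptions of this example.

```python
"""Added example (not FreeNAS or sssd code): render the [domain/...] section
of sssd.conf for anonymous vs. authenticated binds, and lint an sssd.conf for
the bug in this report, where blank bind DN/password fields were written out
as the literal string "None".  Option names are real sssd options; the
function names and the inputs below are assumptions made for this example.
"""
import configparser
from typing import List

# Constructed sample built from the report above: the two "None" lines make
# sssd attempt a simple bind as DN "None" instead of an anonymous bind.
BROKEN_CONF = """\
[sssd]
config_file_version = 2
services = nss,pam
domains = EINSTEIN

[domain/EINSTEIN]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldap://einstein.lcis.bs
ldap_search_base = dc=einstein,dc=lcis,dc=bs
ldap_default_bind_dn = None
ldap_default_authtok_type = password
ldap_default_authtok = None
"""

PLACEHOLDERS = {"", "None"}  # values a config generator must never emit


def render_domain(name: str, uri: str, base: str, binddn: str = "",
                  bindpw: str = "", anonbind: bool = False) -> str:
    """Return a [domain/<name>] section.  For an anonymous bind the two
    ldap_default_* credential options are omitted entirely: sssd binds
    anonymously when no bind DN is configured, so writing an empty or
    stringified-None value is exactly the mistake being fixed here."""
    lines = [
        f"[domain/{name}]",
        "id_provider = ldap",
        "auth_provider = ldap",
        "ldap_schema = rfc2307bis",
        f"ldap_uri = {uri}",
        f"ldap_search_base = {base}",
    ]
    if anonbind:
        return "\n".join(lines) + "\n"
    if not binddn.strip() or not bindpw:
        raise ValueError("bind DN and password are required unless anonymous binding is enabled")
    lines += [
        f"ldap_default_bind_dn = {binddn}",
        "ldap_default_authtok_type = password",
        f"ldap_default_authtok = {bindpw}",
    ]
    return "\n".join(lines) + "\n"


def lint_sssd_conf(text: str) -> List[str]:
    """Flag placeholder credentials and, for authenticated binds, a simple
    bind over ldap:// without STARTTLS, which sends the bind password in
    cleartext.  Returns one human-readable finding per problem."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' appears in full_name_format
    cp.read_string(text)
    findings: List[str] = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        binddn = dom.get("ldap_default_bind_dn")
        authtok = dom.get("ldap_default_authtok")
        for key, val in (("ldap_default_bind_dn", binddn), ("ldap_default_authtok", authtok)):
            if val is not None and val.strip() in PLACEHOLDERS:
                findings.append(f"{section}: {key} = {val!r}; remove the line so sssd binds anonymously")
        if binddn and binddn.strip() not in PLACEHOLDERS:
            uri = dom.get("ldap_uri", "")
            if uri.startswith("ldap://") and not dom.getboolean("ldap_id_use_start_tls", fallback=False):
                findings.append(f"{section}: simple bind over {uri} without ldap_id_use_start_tls "
                                "sends the bind password in cleartext")
    return findings


if __name__ == "__main__":
    for finding in lint_sssd_conf(BROKEN_CONF):
        print(finding)
    print(render_domain("EINSTEIN", "ldap://einstein.lcis.bs",
                        "dc=einstein,dc=lcis,dc=bs", anonbind=True))
```

Running the linter over the sample reports both "None" lines; a section rendered with anonbind=True has no credential lines and lints clean, while a rendered authenticated bind over ldap:// is flagged until ldap_id_use_start_tls = true is set or the URI is changed to ldaps://.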

History

#1 Updated by John Hixson about 5 years ago

  • Status changed from Unscreened to Screened
  • Priority changed from No priority to Nice to have
  • Target version set to Unspecified

Well, SSSD doesn't even support anonymous LDAP. Anonymous LDAP is leftover from pre-SSSD days. Why did it stay? It was simply overlooked. That being said, I did in fact bring back nss_ldap, which does in fact support anonymous LDAP binding. So, maybe we can still support it, and just have a big fat warning about how insecure it is and that plaintext passwords are transferred over the wire. Either way, this isn't a high priority, but will get looked at when I have time.

#2 Updated by Paul Suh about 5 years ago

At least a documentation note fairly quickly would be nice. Most sysadmins won't have the chops to debug sssd and figure out what's going on. Thanks.

#3 Updated by John Hixson about 5 years ago

I think what I'm going to do here is leave the anonymous ldap option available and hook it back up to using nss_ldap since some folks still want that option.

#4 Updated by John Hixson about 5 years ago

When I can close out some tickets, I'll roll the code to make this work.

#5 Updated by John Hixson about 5 years ago

This is not a high priority and I'm still waiting to close out more tickets before proceeding any further with this.

#6 Updated by John Hixson about 5 years ago

John Hixson wrote:

This is not a high priority and I'm still waiting to close out more tickets before proceeding any further with this.

This is still the case, however, I expect to do this soon.

#7 Updated by John Hixson about 5 years ago

This is still on my list.

#8 Updated by John Hixson about 5 years ago

  • Status changed from Screened to Ready For Release

Anonymous binding works with 43ff6c747d8061de4ea35ab5dc3a29e3a3a459e9.

#9 Updated by Jordan Hubbard about 5 years ago

  • Target version changed from Unspecified to 261

#10 Updated by Jordan Hubbard about 5 years ago

  • Status changed from Ready For Release to Resolved

#11 Updated by Kris Moore about 4 years ago

  • Target version changed from 261 to N/A