sssd does not pull user identification information when using an anonymous LDAP bind
Go to Directory Service and configure LDAP to have a blank bind dn and password, and check the "Allow Anonymous Binding" checkbox. cachetool.py will pull users into its cache, but sssd will not do the lookup properly, so the users do not show up in the dropdowns or when using getent passwd. See https://forums.freenas.org/index.php?threads/apple-open-directory-and-directory-service-cache.35581/ for more details. Contents of /usr/local/etc/sssd/sssd.conf:
[sssd]
config_file_version = 2
full_name_format = %2$s\%1$s
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))
services = nss,pam
domains = EINSTEIN

[nss]

[pam]

[domain/EINSTEIN]
description = EINSTEIN
enumerate = true
cache_credentials = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307bis
ldap_force_upper_case_realm = true
use_fully_qualified_names = false
ldap_uri = ldap://einstein.lcis.bs
ldap_search_base = dc=einstein,dc=lcis,dc=bs
ldap_user_search_base = dc=einstein,dc=lcis,dc=bs?subtree?(objectclass=posixAccount)
ldap_group_search_base = dc=einstein,dc=lcis,dc=bs?subtree?(objectclass=posixGroup)
ldap_default_bind_dn = None
ldap_default_authtok_type = password
ldap_default_authtok = None
#1 Updated by John Hixson about 5 years ago
- Status changed from Unscreened to Screened
- Priority changed from No priority to Nice to have
- Target version set to Unspecified
Well, SSSD doesn't even support anonymous LDAP. Anonymous LDAP is leftover from pre-SSSD days. Why it stayed? It was simply overlooked. That being said, I did in fact bring back nss_ldap, which does in fact support anonymous ldap binding. So, maybe we can still support it, and just have a big fat warning about how insecure it is and that plain text passwords are transferred over the wire. Either way, this isn't a high priority, but will get looked at when I have time.
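The generated sssd.conf in the report carries two things worth catching before sssd ever starts: ldap_default_bind_dn and ldap_default_authtok are rendered as the literal string None (a plausible reason the lookups fail, since sssd reads that as a bind DN and password rather than as "unset", whereas an anonymous bind wants both keys omitted), and ldap_uri uses plain ldap:// with no ldap_id_use_start_tls, which is the cleartext-on-the-wire concern raised in the comment above. The following checker is an added example written for this page, not FreeNAS or sssd code; the two embedded configs are constructed from the reported file (one as reported, one as an anonymous bind over ldaps:// would look), and the finding codes and PLACEHOLDER_VALUES set are this example's own.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample: a trimmed copy of the sssd.conf from the report, keeping
# the settings the checks below look at.
REPORTED_CONF = """\
[sssd]
config_file_version = 2
full_name_format = %2$s\\%1$s
services = nss,pam
domains = EINSTEIN

[nss]

[pam]

[domain/EINSTEIN]
enumerate = true
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://einstein.lcis.bs
ldap_search_base = dc=einstein,dc=lcis,dc=bs
ldap_default_bind_dn = None
ldap_default_authtok_type = password
ldap_default_authtok = None
"""

# Constructed counterpart: the same domain with the bind DN and authtok simply
# omitted (sssd then binds anonymously) over an encrypted transport.
HARDENED_CONF = """\
[sssd]
config_file_version = 2
services = nss,pam
domains = EINSTEIN

[domain/EINSTEIN]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://einstein.lcis.bs
ldap_search_base = dc=einstein,dc=lcis,dc=bs
"""

# Strings a templating layer typically emits when it stringifies an unset value
# (hypothetical list chosen for this example).
PLACEHOLDER_VALUES = {"none", "null", "nil", "undefined"}


def load_conf(text):
    # sssd.conf is INI-style; full_name_format contains '%', so interpolation
    # must be off or configparser rejects the file.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _is_true(value):
    return value.strip().lower() in {"true", "yes", "1"}


def check_domain(cp, section):
    """Return (code, message) findings for one [domain/...] section."""
    findings = []
    if cp.get(section, "id_provider", fallback="") != "ldap":
        return findings
    bind_dn = cp.get(section, "ldap_default_bind_dn", fallback=None)
    authtok = cp.get(section, "ldap_default_authtok", fallback=None)
    if bind_dn is not None and bind_dn.strip().lower() in PLACEHOLDER_VALUES:
        findings.append(("bind_dn_placeholder",
                         f"{section}: ldap_default_bind_dn is the literal '{bind_dn}'; "
                         "sssd will bind with that DN. Omit the key for an anonymous bind."))
    if authtok is not None and authtok.strip().lower() in PLACEHOLDER_VALUES:
        findings.append(("authtok_placeholder",
                         f"{section}: ldap_default_authtok is the literal '{authtok}'; "
                         "omit it together with ldap_default_bind_dn."))
    if bind_dn is None and authtok is not None:
        findings.append(("authtok_without_bind_dn",
                         f"{section}: ldap_default_authtok set but no ldap_default_bind_dn."))
    # Identity lookups (and the default bind credentials, if any) travel over
    # this connection; ldap:// without StartTLS means they go in cleartext.
    uris = cp.get(section, "ldap_uri", fallback="").replace(",", " ").split()
    start_tls = _is_true(cp.get(section, "ldap_id_use_start_tls", fallback="false"))
    for uri in uris:
        if urlsplit(uri).scheme == "ldap" and not start_tls:
            findings.append(("cleartext_ldap",
                             f"{section}: {uri} without ldap_id_use_start_tls = true; "
                             "use ldaps:// or enable StartTLS."))
    return findings


def check_conf(text):
    cp = load_conf(text)
    out = []
    for section in cp.sections():
        if section.startswith("domain/"):
            out.extend(check_domain(cp, section))
    return out


def finding_codes(text):
    return [code for code, _ in check_conf(text)]


if __name__ == "__main__":
    for code, msg in check_conf(REPORTED_CONF):
        print(f"[{code}] {msg}")
```

Run against the reported file it reports both placeholder values and the cleartext URI; against the hardened variant it returns nothing. Pointing load_conf at /usr/local/etc/sssd/sssd.conf after regenerating the file from the Directory Service page is the practical use.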