manuel

Reputation: 1197

sssd adjust ldap_search_ext

Is it possible to adjust the filters used in the LDAP search query in the sssd.conf?

Background: I/we want to implement LDAP authentication with sssd. Our sssd.conf looks like this:

[sssd]
config_file_version = 2
services = nss, pam
domains = test.de

[domain/test.de]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
enumerate = true
ldap_schema = rfc2307bis
ldap_uri = ldaps://192.168.7.1:636, ldaps://192.168.7.2:636
ldap_search_base = ou=users, o=data
ldap_user_search_base = ou=users, o=data
ldap_user_object_class = posixAccount
ldap_user_name = uid
ldap_tls_reqcert = never
cache_credentials = true
ldap_default_bind_dn = cn=ldap-clienttest,ou=sa,o=data
ldap_default_authtok_type = password
ldap_default_authtok = pawsd
debug_level = 9

My/our problem is the resulting LDAP search. Debugging the search for a user shows the LDAP search query.

[(&(uid=testuser)(objekctclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))][ou=users, o=data]

The search result will be 0 but if I search only for the uid (without the uidnumber)

(&(uid=testuser)(objekctclass=posixAccount)(uid=*))

I am getting the correct result.

How can I avoid using the given filter of the uidNumber?

Thanks.

Upvotes: 0

Views: 122

Answers (1)

manuel

Reputation: 1197

We were already able to solve the problem. We just set the parameter ldap_user_uid_number = uid. Because of the resulting ldapsearch, this will always be true.

Unfortunately, I noticed another problem in the logs: the entry found in the LDAP directory could not be saved locally because the UID is not available. In the sssd.conf we set id_provider = ldap; if we use id_provider = local, the sssd service does not start.

Does anyone have suggestions for solving that problem?

Upvotes: 0
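
An added example (not part of the original posts and not SSSD source code): a small Python model of the user filter shown in the debug log, evaluated against two constructed entries. It shows why the default mapping finds nothing when uidNumber is missing, and why mapping ldap_user_uid_number to uid makes the search match but yields no numeric UID. The evaluator, the sample entries and the rule that a usable UID is a single non-zero integer are assumptions made for illustration.

```python
# Added illustration; models the filter from the debug log, not SSSD internals.
DEFAULT = {"ldap_user_name": "uid",
           "ldap_user_object_class": "posixAccount",
           "ldap_user_uid_number": "uidNumber"}
REMAPPED = dict(DEFAULT, ldap_user_uid_number="uid")  # the workaround from the answer

# Constructed entries: one with no uidNumber visible to the search, one with it.
NO_UIDNUMBER = {"uid": ["testuser"], "objectClass": ["posixAccount"]}
WITH_UIDNUMBER = {"uid": ["testuser"], "objectClass": ["posixAccount"],
                  "uidNumber": ["10001"]}

def build_user_filter(name, cfg):
    """Assemble the user lookup filter in the shape shown in the debug log."""
    n, oc = cfg["ldap_user_name"], cfg["ldap_user_object_class"]
    num = cfg["ldap_user_uid_number"]
    return f"(&({n}={name})(objectclass={oc})({n}=*)(&({num}=*)(!({num}=0))))"

def _values(entry, attr):
    """Attribute names are case-insensitive in LDAP; return the value list."""
    return {k.lower(): v for k, v in entry.items()}.get(attr.lower(), [])

def matches(entry, name, cfg):
    """Evaluate the filter's four conditions against one entry."""
    names = [v.lower() for v in _values(entry, cfg["ldap_user_name"])]
    classes = [v.lower() for v in _values(entry, "objectClass")]
    numbers = _values(entry, cfg["ldap_user_uid_number"])
    return (name.lower() in names                                # (uid=name), (uid=*)
            and cfg["ldap_user_object_class"].lower() in classes
            and bool(numbers)                                    # (<num>=*)
            and "0" not in numbers)                              # (!(<num>=0))

def posix_uid(entry, cfg):
    """Numeric UID produced by the mapping, or None if the value is unusable."""
    values = _values(entry, cfg["ldap_user_uid_number"])
    if len(values) == 1 and values[0].isdigit() and int(values[0]) != 0:
        return int(values[0])
    return None

def report(entry, name="testuser"):
    """(filter matched, numeric UID) under the default and remapped settings."""
    return {label: (matches(entry, name, cfg), posix_uid(entry, cfg))
            for label, cfg in (("default", DEFAULT), ("remapped", REMAPPED))}

if __name__ == "__main__":
    print(build_user_filter("testuser", DEFAULT))
    print("no uidNumber  :", report(NO_UIDNUMBER))
    print("with uidNumber:", report(WITH_UIDNUMBER))
```

With the remapped setting the presence and not-zero tests are applied to uid, so they pass for any named user, but the value read back as the UID number is the login name rather than an integer.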
