OpenLDAP & SSSD Question

Discussion:

Borresen, John - 0444 - MITLL

2015-11-03 15:34:35 UTC

Hopefully someone out there can shed some light on this.

Running OpenLDAP 2.4.40 on our CentOS 5 servers, with an assortment of
CentOS 5, 6, 7; Fedora20+, Ubuntu 12.04 to 14.04. The CentOS 5's are
running as straight LDAP clients. The others are using SSSD / LDAP.

On the CentOS 5, when running "getent hosts", it will return the entire LDAP
Hosts dbase; which is the behavior we want.

On all the systems running SSSD, they only return the local hosts file. If
explicitly adding a host to the command "getent hosts some_host", it will
only return if the host is in the local hosts file or DNS; never searching
(watching the logs) either the LDAP or SSSD. Debug is at maximum.

Again any help is appreciated.

Thanks,

JD Borresen

Michael Ströder

2015-11-03 16:09:16 UTC

Permalink

Post by Borresen, John - 0444 - MITLL
Running OpenLDAP 2.4.40 on our CentOS 5 servers, with an assortment of
CentOS 5, 6, 7; Fedora20+, Ubuntu 12.04 to 14.04. The CentOS 5's are
running as straight LDAP clients. The others are using SSSD / LDAP.
On the CentOS 5, when running "getent hosts", it will return the entire LDAP
Hosts dbase; which is the behavior we want.
On all the systems running SSSD, they only return the local hosts file. If
explicitly adding a host to the command "getent hosts some_host", it will
only return if the host is in the local hosts file or DNS; never searching
(watching the logs) either the LDAP or SSSD. Debug is at maximum.

AFAIK sssd does not support hosts map.
Therefore you have something different on your CentOS 5 servers.
Consult the hosts line in /etc/nsswitch.conf.

Ciao, Michael.

Borresen, John - 0444 - MITLL

2015-11-03 16:55:18 UTC

Permalink

Thanks Michael;

I thought I had read that somewhere (about SSSD not supporting hosts map),
too...but, can't find the reference. The hosts entry on all our clients are
essentially the same:

Hosts dns files ldap sss

The older CentOS 5 systems don't have "sss" obviously.

JD

-----Original Message-----
From: Michael Ströder [mailto:***@stroeder.com]
Sent: Tuesday, November 03, 2015 11:09 AM
To: Borresen, John - 0444 - MITLL; openldap-technical
Subject: Re: OpenLDAP & SSSD Question

Post by Borresen, John - 0444 - MITLL
explicitly adding a host to the command "getent hosts some_host", it will
only return if the host is in the local hosts file or DNS; never searching
(watching the logs) either the LDAP or SSSD. Debug is at maximum.

AFAIK sssd does not support hosts map.
Therefore you have something different on your CentOS 5 servers.
Consult the hosts line in /etc/nsswitch.conf.

Ciao, Michael.

Michael Ströder

2015-11-03 18:17:07 UTC

Permalink

Post by Borresen, John - 0444 - MITLL
Thanks Michael;
I thought I had read that somewhere (about SSSD not supporting hosts map),
too...but, can't find the reference. The hosts entry on all our clients are
Hosts dns files ldap sss

IMO there's no point defining "ldap" and "sss". YMMV.

Ciao, Michael.

Jakub Hrozek

2015-11-08 20:34:32 UTC

Permalink

Content preview: On Tue, Nov 03, 2015 at 05:09:16PM +0100, Michael Ströder
wrote: > AFAIK sssd does not support hosts map. Correct; we don't. But you
can use 'sss' for the maps we do support (passwd,group,netgroup,...) and
ldap for those we don't. [...]

Content analysis details: (-2.6 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low
trust
[185.67.36.65 listed in list.dnswl.org]
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0047]
X-Mailman-Approved-At: Mon, 09 Nov 2015 11:35:59 +0000
X-BeenThere: openldap-***@openldap.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OpenLDAP Technical Discussion list <openldap-technical.openldap.org>
List-Unsubscribe: <http://www.openldap.org/lists/mm/options/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=unsubscribe>
List-Archive: <http://www.openldap.org/lists/openldap-technical/>
List-Post: <mailto:openldap-***@openldap.org>
List-Help: <mailto:openldap-technical-***@openldap.org?subject=help>
List-Subscribe: <http://www.openldap.org/lists/mm/listinfo/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=subscribe>
Errors-To: openldap-technical-***@openldap.org
Sender: "openldap-technical" <openldap-technical-***@openldap.org>
X-Spam-Score: -2.6 (--)
X-Spam-Report: Spam detection software, running on the system "gauss.openldap.net", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.

Content preview: On Tue, Nov 03, 2015 at 05:09:16PM +0100, Michael Ströder
wrote: > AFAIK sssd does not support hosts map. Correct; we don't. But you
can use 'sss' for the maps we do support (passwd,group,netgroup,...) and
ldap for those we don't. [...]

Content analysis details: (-2.6 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
-0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low
trust
[185.67.36.65 listed in list.dnswl.org]
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]

Post by Michael StrÃ¶der
AFAIK sssd does not support hosts map.

Correct; we don't. But you can use 'sss' for the maps we do support
(passwd,group,netgroup,...) and ldap for those we don't.

(this is also getting off-topic for this list, sssd-users might be a
better venue for sssd-specific questions)