mirror of
https://github.com/lldap/lldap.git
synced 2026-04-25 08:15:52 +03:00
[GH-ISSUE #739] [INTEGRATION] SSSD integration #269
Originally created by @vincentDcmps on GitHub (Nov 18, 2023).
Original GitHub issue: https://github.com/lldap/lldap/issues/739
Describe the bug
Hello, I am trying to integrate LLDAP with sssd.
I have added a uidnumber attribute to my user and can query it with ldapsearch,
but when sssd tries to query LLDAP I get this error:
[error]: [LDAP] Service Error: while handling incoming messages: while receiving LDAP op: ldapmsg invalid
Nothing more in verbose mode.
@nitnelave commented on GitHub (Nov 18, 2023):
Hmm, is there any relevant logging from sssd?
Otherwise, I'd be curious to see a packet capture (with tcpdump) of the LDAP traffic to LLDAP.
@vincentDcmps commented on GitHub (Nov 19, 2023):
I have done a packet capture
https://vault.ducamps.eu/#/send/syGHEmYDQKOFWC58dgN9Wg/wMOCI-I2MIxLfkC8zw3MHw
@vincentDcmps commented on GitHub (Nov 19, 2023):
sssd log here:
https://vault.ducamps.eu/#/send/EJymlXMkQzCb8IMzqhmkLw/wuTPJiDP0dwE4qKUXvnS9w
@nitnelave commented on GitHub (Dec 15, 2023):
Sorry @vincentDcmps the link has expired, could you re-upload it if you still have it?
@vincentDcmps commented on GitHub (Dec 16, 2023):
https://vault.ducamps.eu/#/send/vtQ_K72oTQyh2WqAx8K-ZQ/6QfL_32S4pHrJ4PyF8Sr4A
https://vault.ducamps.eu/#/send/XKY5p2pnSt-j5pzRven5JQ/wll1Vz-3ugP_3yTnT9Q8Hg
@nitnelave commented on GitHub (Dec 16, 2023):
Alright, found the culprit: "controlType: 1.3.6.1.4.1.42.2.27.8.5.1 (passwordPolicy)". I'll talk with @FirstYear to see what we can do at the parsing level.
@nitnelave commented on GitHub (Dec 16, 2023):
Filed https://github.com/kanidm/ldap3/issues/46
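What a server is supposed to do with a control it does not recognise, as an added example (Python; this is not LLDAP or ldap3_proto code): a minimal BER walker that builds a simple bind carrying the passwordPolicy request control seen in the capture, pulls the controls back out of the LDAPMessage, and applies the RFC 4511 §4.1.11 rule. The thread does not show whether SSSD marks the control critical, so both cases are handled; the bind DN, password and the set of controls the toy server understands are constructed assumptions.

```python
"""Walk the BER of an LDAPMessage and triage its controls (RFC 4511 §4.1.11).

Added example, not LLDAP or ldap3_proto code. The bind DN, password and the
set of controls the server understands are constructed assumptions.
"""

PASSWORD_POLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # control seen in the capture
BIND_DN = b"uid=sssd,ou=people,dc=example,dc=com"   # assumed bind identity


def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def build_bind_with_control(oid: str, critical: bool) -> bytes:
    """LDAPMessage{messageID=1, BindRequest(simple), controls=[Control{oid}]}."""
    bind = tlv(0x60,                          # [APPLICATION 0] BindRequest
               tlv(0x02, b"\x03")             # version 3
               + tlv(0x04, BIND_DN)           # name
               + tlv(0x80, b"secret"))        # authentication: simple [0]
    ctrl = tlv(0x04, oid.encode("ascii"))     # controlType OCTET STRING
    if critical:
        ctrl += tlv(0x01, b"\xff")            # criticality BOOLEAN TRUE
    controls = tlv(0xA0, tlv(0x30, ctrl))     # [0] SEQUENCE OF Control
    return tlv(0x30, tlv(0x02, b"\x01") + bind + controls)


def read_tlv(buf: bytes, pos: int):
    """Decode one TLV at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated TLV")       # never trust a peer's length
    return tag, buf[pos:pos + length], pos + length


def parse_controls(msg: bytes):
    """Return (messageID, protocolOp tag, [(oid, criticality, value), ...])."""
    tag, body, end = read_tlv(msg, 0)
    if tag != 0x30 or end != len(msg):
        raise ValueError("not a single LDAPMessage SEQUENCE")
    _, msgid, pos = read_tlv(body, 0)
    op_tag, _, pos = read_tlv(body, pos)
    controls = []
    if pos < len(body):
        ctag, cbody, pos = read_tlv(body, pos)
        if ctag != 0xA0:
            raise ValueError("unexpected element after protocolOp")
        cpos = 0
        while cpos < len(cbody):
            _, ctrl, cpos = read_tlv(cbody, cpos)
            _, oid, ipos = read_tlv(ctrl, 0)
            critical, value = False, None
            while ipos < len(ctrl):            # optional criticality / controlValue
                t, v, ipos = read_tlv(ctrl, ipos)
                if t == 0x01:
                    critical = v != b"\x00"
                elif t == 0x04:
                    value = v
            controls.append((oid.decode("ascii"), critical, value))
    return int.from_bytes(msgid, "big", signed=True), op_tag, controls


def triage(controls, known_oids) -> str:
    """RFC 4511 §4.1.11: ignore unknown non-critical controls; an unknown
    critical one must fail with unavailableCriticalExtension (resultCode 12)."""
    for oid, critical, _ in controls:
        if critical and oid not in known_oids:
            return "unavailableCriticalExtension"
    return "proceed"
```

The contrast with the "ldapmsg invalid" failure above: a decoder that rejects the whole message on an unfamiliar control leaves the client unable to bind at all, whereas the RFC rule lets a non-critical control pass harmlessly and only refuses (with a proper result code) when the client insisted on it. The walker bounds-checks every length it reads; hand-crafted lengths from an untrusted peer are the classic way to crash a BER parser.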
@vincentDcmps commented on GitHub (Jan 7, 2024):
Hi, thanks. Your pull request seems to be merged; do you know if you can integrate the latest version into lldap to test?
Or maybe it's already in the latest docker build? If that's the case, I now have the following message in the LLDAP log:
@nitnelave commented on GitHub (Jan 8, 2024):
Merged a change updating the dependency. Can you retry?
@vincentDcmps commented on GitHub (Jan 8, 2024):
ldap3_proto 0.4.2 was released on 30th November; the fix commits are from 19th December, so our requested modification is not in this version, no?
For information, you need to update the rust:alpine image to 3.19 in the root Dockerfile.
@vincentDcmps commented on GitHub (Jan 8, 2024):
I have tried to build lldap with the last commit of ldap3_proto
by updating Cargo.toml with this:
but I get the following compilation issue:
I don't know Rust at all, so it's hard for me to debug.
@nitnelave commented on GitHub (Jan 10, 2024):
I talked to @FirstYear about it, it's expected that there are breaks since it's not a released version. He's going to prepare another release soon that will include the fix.
@nitnelave commented on GitHub (Jan 16, 2024):
Can you try with the newest "latest" image? It should work.
@vincentDcmps commented on GitHub (Jan 16, 2024):
So it's a little better; let me explain.
I have tried to switch from my current ldap to my dev lldap, and after that I can get some information:
but after that I have tried to remove my complete cache,
and after that I can't get any information with the getent command.
It seems that sssd requests some sudo attribute; I think the first test worked because this attribute was already in the cache.
So I think a lot of work is needed to integrate sssd with lldap :)
Below is the sssd_ldap.log
@nitnelave commented on GitHub (Jan 16, 2024):
Ah, it's doing a substring search on a custom attribute... That's quite hard to support right now. I don't think it's going to work any time soon. I have a vague plan in mind, but it'll take a long time, if ever, to do.
@Firstyear commented on GitHub (Jan 16, 2024):
SSSD loves to do substring searches in the most inefficient ways possible. I think if you remove "sudo" as a provider on the sssd.conf it stops it asking for sudohost. Generally you can ignore all the sudo queries it emits.
@vincentDcmps commented on GitHub (Jan 16, 2024):
I have already tried that, but sssd seems to continue to do sudo requests.
@Firstyear commented on GitHub (Jan 16, 2024):
Depends how @nitnelave wants to proceed here, but I'd say simply dropping/ignoring any request that asks for sudo related terms with an empty response would silence the problem.
@Firstyear commented on GitHub (Jan 16, 2024):
Or open a bug with SSSD?
@nitnelave commented on GitHub (Jan 16, 2024):
One thing that I can do is that if the substring filter concerns an attribute that doesn't exist, I can replace it with just "false". At least LLDAP will give a valid response to the query, if not the best possible.
@Firstyear commented on GitHub (Jan 17, 2024):
I actually think that's what the ldap specification requires. An unknown filter component evaluates to "false" or "empty set".
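The rule the two comments above converge on, as an added example (Python; not LLDAP code): a three-valued filter evaluator in which a filter item on an attribute type the server does not know evaluates to Undefined, which never matches. The one refinement over "just false" is that RFC 4511 §4.5.1 keeps NOT(Undefined) as Undefined. That matters for the shape of filter SSSD's sudo lookups send (the sudoHost filter below is constructed to mimic them, not copied from SSSD): if an unknown attribute were literally FALSE, the negated presence test (!(sudoHost=*)) would match every entry in the directory and the server would hand the whole tree to a client that asked for nothing. The schema, entries and filters are constructed.

```python
"""Three-valued LDAP filter evaluation (RFC 4511 §4.5.1): filter items on an
attribute type the server does not know evaluate to Undefined, which never
matches. Added example, not LLDAP code; the schema, entries and filters are
constructed to mimic the sudo lookups SSSD sends."""
import re

TRUE, FALSE, UNDEF = "TRUE", "FALSE", "UNDEFINED"

# Attribute types this toy server knows (assumption: no sudo* attributes)
SCHEMA = {"objectclass", "uid", "cn", "uidnumber", "gidnumber",
          "memberof", "uniquemember"}

# Constructed directory content (attribute names lower-cased, values as lists)
ENTRIES = {
    "uid=vincent,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson", "posixAccount"],
        "uid": ["vincent"], "uidnumber": ["10001"], "gidnumber": ["10001"],
    },
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfUniqueNames"], "cn": ["admins"],
        "gidnumber": ["10002"],
        "uniquemember": ["uid=vincent,ou=people,dc=example,dc=com"],
    },
}


def parse_filter(s: str, i: int = 0):
    """Parse an RFC 4515 filter string (no escapes/extensible match) to a tree.
    Returns (node, index just past the closing parenthesis)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while s[i] == "(":
            child, i = parse_filter(s, i)
            children.append(child)
        return (op, children), i + 1
    if s[i] == "!":
        child, i = parse_filter(s, i + 1)
        return ("!", child), i + 1
    end = s.index(")", i)
    attr, val = s[i:end].split("=", 1)
    i = end + 1
    if val == "*":
        return ("present", attr), i
    if "*" in val:
        return ("substr", attr, val), i
    return ("eq", attr, val), i


def evaluate(node, entry, schema=SCHEMA) -> str:
    """Evaluate a filter tree against one entry in three-valued logic."""
    kind = node[0]
    if kind in ("&", "|"):
        results = [evaluate(c, entry, schema) for c in node[1]]
        if kind == "&":
            if FALSE in results:
                return FALSE
            return UNDEF if UNDEF in results else TRUE
        if TRUE in results:
            return TRUE
        return UNDEF if UNDEF in results else FALSE
    if kind == "!":
        r = evaluate(node[1], entry, schema)
        return UNDEF if r == UNDEF else (FALSE if r == TRUE else TRUE)
    attr = node[1].lower()
    if attr not in schema:
        return UNDEF  # unknown attribute type: Undefined, not FALSE
    values = [v.lower() for v in entry.get(attr, [])]
    if kind == "present":
        return TRUE if values else FALSE
    if kind == "eq":
        return TRUE if node[2].lower() in values else FALSE
    pattern = ".*".join(re.escape(p) for p in node[2].lower().split("*"))
    return TRUE if any(re.fullmatch(pattern, v) for v in values) else FALSE


def search(filter_str: str, entries=ENTRIES, schema=SCHEMA):
    """Return the DNs whose entry evaluates to TRUE (Undefined never matches)."""
    node, end = parse_filter(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [dn for dn, e in entries.items() if evaluate(node, e, schema) == TRUE]
```

With this logic the sudo lookup gets a valid, empty search result instead of a protocol error, and a client can never use a negated test on a non-existent attribute to enumerate the directory.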
@nitnelave commented on GitHub (Jan 17, 2024):
Alright, let's have another try with "latest"!
@vincentDcmps commented on GitHub (Jan 18, 2024):
It seems to still have some query issue on the domain name, from my understanding.
@nitnelave commented on GitHub (Jan 18, 2024):
That seems to be a configuration error: it can't resolve the service name to even try to send a query to LLDAP. In the previous logs you had an A record for the service, now it doesn't seem to be there (?)
@vincentDcmps commented on GitHub (Jan 20, 2024):
I get an error when I try to log in with my test user.
@nitnelave commented on GitHub (Jan 21, 2024):
Okay, that's a lot of logging... A couple of notes:
- [...] gidNumber attribute, which I guess you haven't added yet. Same for users, they're supposed to have the uidNumber [...]
@broeng commented on GitHub (Jan 11, 2025):
Fwiw, I have SSSD working on a Synology NAS. It's a bit of a managed installation, so I'm not aware of all the config parts, but the SSSD version is 2.3.1.
/etc/sssd/sssd.conf looks like this (with nss and pam sections omitted):
And, /etc/sssd/conf.d/profile.conf:
Many of the attributes from profile.conf are of course custom attributes. Be careful not to use any attributes with an underscore in the name; it really doesn't like that.
@CtrlC-Root commented on GitHub (Aug 29, 2025):
Well, I don't know that this is related to your issue, but I struggled to get SSSD working using the example file, so I'll share my current working configuration below. Changes from the examples I made:
- rfc2307bis for the ldap_schema parameter (instead of rfc2307 in the example). When I used rfc2307 I could see my groups with id and groups $USER, but getent group would consistently fail with an error. I believe the issue is that uniqueMember values are DNs in the LLDAP schema, which is what rfc2307bis expects, whereas rfc2307 expects UIDs instead.
- ldap_user_search_base and ldap_group_search_base to ensure SSSD only operates on users and groups with uidNumber and gidNumber defined respectively. Not strictly speaking necessary, but I wanted a way to cleanly separate POSIX users/groups from others in LLDAP and this was the cleanest way to do it.
- gidNumber as an Integer with a single value (instead of multiple values in the example).
- sshPublicKey as a String with multiple values (instead of a single value in the example).
At this point, I need to go back and set up TLS, but otherwise everything works including user lookup, group lookup, SSH keys, and password authentication. I don't know if LLDAP supports changing passwords through LDAP, but I'm ignoring that for now and have not tested it.
@nitnelave commented on GitHub (Aug 29, 2025):
@CtrlC-Root make sure to send your improvements to the guide!
@madIlama commented on GitHub (Oct 27, 2025):
I am using LDAPS, yet failed using https://github.com/lldap/lldap/tree/main/example_configs/pam
with a self-signed cert. It seems I still must use
ldap_tls_reqcert = never
even with a specified cert file; setting it to demand shows an unknown error in sssd. Also, has anyone successfully implemented multiple groups like memberOf?
I had the setting
ldap_user_member_of = memberOf
and the schema created accordingly, yet getent and groups fail to show multiple groups for the ldap user.
@madIlama commented on GitHub (Oct 27, 2025):
Never mind,
ldap_user_member_of = memberOf
works; I just forgot to add the user to the group in the lldap webui (schema is string and multiple is checked).
After that, getent and groups show multiple groups for the user.
Thanks
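Pulling the settings from the last three comments (rfc2307bis, POSIX-filtered search bases, memberOf, sshPublicKey, and TLS) into one place, here is an added sssd.conf fragment. It is not the project's example_configs/pam file and not any commenter's configuration; the hostname, base DN, bind DN, CA path and the object class names are placeholders or assumptions (the group object class follows from the thread's note that LLDAP groups carry uniqueMember DNs; confirm both object classes with ldapsearch against your own server before relying on them). It pins the CA and uses demand rather than the never setting mentioned above, because never disables server certificate verification entirely: anyone who can sit on the path can impersonate the directory and collect the bind password and every user password SSSD authenticates.

```ini
[sssd]
config_file_version = 2
; no "sudo" here: SSSD only issues sudoHost lookups for an enabled sudo responder
services = nss, pam
domains = lldap

[domain/lldap]
id_provider = ldap
auth_provider = ldap
sudo_provider = none
; LLDAP's LDAPS listener (placeholder hostname; default LDAPS port 6360)
ldap_uri = ldaps://lldap.example.com:6360
ldap_schema = rfc2307bis
ldap_search_base = dc=example,dc=com
; base?scope?filter: only entries that carry POSIX ids become users/groups
ldap_user_search_base = ou=people,dc=example,dc=com?subtree?(uidNumber=*)
ldap_group_search_base = ou=groups,dc=example,dc=com?subtree?(gidNumber=*)
; assumed object classes; check them with ldapsearch first
ldap_user_object_class = person
ldap_group_object_class = groupOfUniqueNames
; rfc2307bis defaults to "member"; LLDAP groups use uniqueMember (DN values)
ldap_group_member = uniqueMember
ldap_user_member_of = memberOf
ldap_user_ssh_public_key = sshPublicKey
; placeholder bind identity; give it read-only rights only
ldap_default_bind_dn = uid=sssd-bind,ou=people,dc=example,dc=com
ldap_default_authtok = CHANGE-ME
; verify the server certificate against the CA that signed LLDAP's certificate
; (for a self-signed server certificate, point this at that certificate itself)
ldap_tls_cacert = /etc/ssl/certs/lldap-ca.pem
ldap_tls_reqcert = demand
cache_credentials = true
```

The file holds the bind password, so keep it owned by root with mode 0600. With demand, the name in ldap_uri must match a subject alternative name in the server certificate, and the file named by ldap_tls_cacert must be the issuer of that certificate; a mismatch on either point is a common reason demand fails where never appears to work.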