Common LDAP Provider issues
When running
id user
, no groups are displayed.When running
getent group $groupname
, no group members are displayedIn both cases, make sure the selected schema is correct. By default, SSSD will use the more common RFC 2307 schema. The difference between RFC 2307 and RFC 2307bis is the way which group membership is stored in the LDAP server. In an RFC 2307 server, group members are stored as the multi-valued attribute
memberuid
which contains the name of the users that are members. In an RFC2307bis server, group members are stored as the multi-valued attributemember
(or sometimesuniqueMember
) which contains the DN of the user or group that is a member of this group. RFC2307bis allows nested groups to be maintained as well.
If using the LDAP provider with Active Directory, the back end randomly goes offline and performs poorly.
Make sure the referrals are disabled. See the FAQ page for explanation. Also please consider migrating to the AD provider. The AD provider disabled referral support by default, so there’s no need to disable referrals explicitly
When enumeration is enabled, or when the underlying storage has issues, the
sssd_be
process is being killed bySIGTERM
or evenSIGKILL
With huge directories, the
sssd_be
process takes a long time to store the entries to cache. The cache writes are blocking, so whensssd_be
writes to the cache, it might be considered stuck (more on the actual mechanism below) You can increase the heartbeat interval by raising the value of thetimeout
option.
For configuration with
id_provider=ldap
andauth_provider=ldap
. retrieving user information works, but authentication does notPlease note that user information is typically retrieved over unencrypted channel (unless
ldap_id_use_start_tls
is enabled), but authentication always happens over an encrypted channel. Checking for certificate errors should be the first step. To test authentication manually, you can perform a base-search against the user entry together with ldapsearch’s-Z
option.