Sssd enumeration with Authentik

I want to move my home network from Red Hat’s IPA to Authentik, but I also wanted to enable enumerate (since this network only has a few users).
getent passwd <user> returns correctly
getent passwd only returns local users

getent passwd -s sss <user> does not return any information
getent passwd -s sss also returns no information

The strange thing is that the sssd log shows it enumerating the users.

...
May 04 10:47:32 user1-laptop sssd_be[29275]: calling ldap_search_ext with [(&(objectclass=ipHost)(cn=*)(ipHostNumber=*))][DC=home,DC=domain,DC=com].
May 04 10:47:32 user1-laptop sssd_be[29275]: Requesting attrs: [objectClass]
May 04 10:47:32 user1-laptop sssd_be[29275]: Requesting attrs: [cn]
May 04 10:47:32 user1-laptop sssd_be[29275]: Requesting attrs: [ipHostNumber]
May 04 10:47:32 user1-laptop sssd_be[29275]: Requesting attrs: [modifyTimestamp]
May 04 10:47:32 user1-laptop sssd_be[29275]: Search result: Success(0), no errmsg set
May 04 10:47:32 user1-laptop sssd_be[29275]: Search for IP hosts returned 0 results.
May 04 10:47:32 user1-laptop sssd_be[29275]: Searching for IP network with base [DC=home,DC=domain,DC=com]
May 04 10:47:32 user1-laptop sssd_be[29275]: calling ldap_search_ext with [(&(objectclass=ipNetwork)(cn=*)(ipNetworkNumber=*))][DC=home,DC=domain,DC=com].
May 04 10:47:32 user1-laptop sssd_be[29275]: Requesting attrs: [objectClass]
May 04 10:47:32 user1-laptop sssd_be[29275]: Requesting attrs: [cn]
May 04 10:47:32 user1-laptop sssd_be[29275]: Requesting attrs: [ipNetworkNumber]
May 04 10:47:32 user1-laptop sssd_be[29275]: Requesting attrs: [modifyTimestamp]
May 04 10:47:32 user1-laptop sssd_be[29275]: Search result: Success(0), no errmsg set
May 04 10:47:32 user1-laptop sssd_be[29275]: Search for IP networks returned 0 results.
May 04 10:47:32 user1-laptop sssd_be[29275]: Searching hosts with subfilter [(&(!(dataExpireTimestamp=0))(dataExpireTimestamp<=1714834052))] in domain [home.domain.com]
May 04 10:47:32 user1-laptop sssd_be[29275]: Found 0 expired ip host entries!
May 04 10:47:32 user1-laptop sssd_be[29275]: Searching networks with subfilter [(&(!(dataExpireTimestamp=0))(dataExpireTimestamp<=1714834052))] in domain [home.domain.com]
May 04 10:47:32 user1-laptop sssd_be[29275]: Found 0 expired IP network entries!
May 04 10:47:32 user1-laptop sssd_be[29275]: Task [Enumeration [resolver] of home.domain.com]: finished successfully
May 04 10:47:32 user1-laptop sssd_be[29275]: Task [Enumeration [resolver] of home.domain.com]: scheduling task 300 seconds from last execution time [1714834352]
May 04 10:47:43 user1-laptop sssd_be[29275]: Task [Enumeration [id] of home.domain.com]: executing task, timeout 300 seconds
May 04 10:47:43 user1-laptop sssd_be[29275]: Searching for users with base [OU=users,DC=home,DC=domain,DC=com]
May 04 10:47:43 user1-laptop sssd_be[29275]: calling ldap_search_ext with [(&(objectclass=user)(cn=*)(uidNumber=*)(gidNumber=*))][OU=users,DC=home,DC=domain,DC=com].
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [objectClass]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [cn]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [userPassword]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [uidNumber]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [gidNumber]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [gecos]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [homeDirectory]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [loginShell]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [krbPrincipalName]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [cn]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [memberOf]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [modifyTimestamp]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [modifyTimestamp]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [shadowLastChange]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [shadowMin]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [shadowMax]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [shadowWarning]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [shadowInactive]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [shadowExpire]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [shadowFlag]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [krbLastPwdChange]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [krbPasswordExpiration]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [pwdAttribute]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [authorizedService]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [accountExpires]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [userAccountControl]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [nsAccountLock]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [host]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [rhost]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [loginDisabled]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [loginExpirationTime]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [loginAllowedTimeMap]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [sshPublicKey]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [userCertificate;binary]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [mail]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [passkey]
May 04 10:47:43 user1-laptop sssd_be[29275]: OriginalDN: [cn=akadmin,ou=users,dc=home,dc=domain,dc=com].
...
May 04 10:47:43 user1-laptop sssd_be[29275]: Search result: Success(0), no errmsg set
May 04 10:47:43 user1-laptop sssd_be[29275]: Search for users, returned 6 results.
May 04 10:47:43 user1-laptop sssd_be[29275]: Save user
...
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing object ldapbind
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing user ldapbind@home.domain.com
May 04 10:47:43 user1-laptop sssd_be[29275]: Adding original memberOf attributes to [ldapbind@home.domain.com].
May 04 10:47:43 user1-laptop sssd_be[29275]: Original USN value is not available for [ldapbind@home.domain.com].
May 04 10:47:43 user1-laptop sssd_be[29275]: User principal is not available for [ldapbind@home.domain.com].
May 04 10:47:43 user1-laptop sssd_be[29275]: Storing info for user ldapbind@home.domain.com
May 04 10:47:43 user1-laptop sssd_be[29275]: Entry [name=ldapbind@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb] has set [ts_cache] attrs.
May 04 10:47:43 user1-laptop sssd_be[29275]: User "ldapbind@home.domain.com" has been stored
May 04 10:47:43 user1-laptop sssd_be[29275]: Save user
May 04 10:47:43 user1-laptop sssd_be[29275]: No [objectSID] attribute. [0][Success]
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing object user2
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing user user2@home.domain.com
May 04 10:47:43 user1-laptop sssd_be[29275]: Adding original memberOf attributes to [user2@home.domain.com].
May 04 10:47:43 user1-laptop sssd_be[29275]: Original USN value is not available for [user2@home.domain.com].
May 04 10:47:43 user1-laptop sssd_be[29275]: User principal is not available for [user2@home.domain.com].
May 04 10:47:43 user1-laptop sssd_be[29275]: Storing info for user user2@home.domain.com
May 04 10:47:43 user1-laptop sssd_be[29275]: Entry [name=user2@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb] has set [ts_cache] attrs.
May 04 10:47:43 user1-laptop sssd_be[29275]: User "user2@home.domain.com" has been stored
May 04 10:47:43 user1-laptop sssd_be[29275]: Save user
May 04 10:47:43 user1-laptop sssd_be[29275]: No [objectSID] attribute. [0][Success]
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing object user1
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing user user1@home.domain.com
May 04 10:47:43 user1-laptop sssd_be[29275]: Adding original memberOf attributes to [user1@home.domain.com].
May 04 10:47:43 user1-laptop sssd_be[29275]: Original USN value is not available for [user1@home.domain.com].
May 04 10:47:43 user1-laptop sssd_be[29275]: User principal is not available for [user1@home.domain.com].
May 04 10:47:43 user1-laptop sssd_be[29275]: Storing info for user user1@home.domain.com
May 04 10:47:43 user1-laptop sssd_be[29275]: Entry [name=user1@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb] has set [ts_cache] attrs.
May 04 10:47:43 user1-laptop sssd_be[29275]: User "user1@home.domain.com" has been stored
May 04 10:47:43 user1-laptop sssd_be[29275]: Users higher USN value: [(null)]
May 04 10:47:43 user1-laptop sssd_be[29275]: Searching for groups with base [DC=home,DC=domain,DC=com]
May 04 10:47:43 user1-laptop sssd_be[29275]: calling ldap_search_ext with [(&(objectClass=group)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][DC=home,DC=domain,DC=com].
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [objectClass]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [cn]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [userPassword]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [gidNumber]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [member]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [modifyTimestamp]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [modifyTimestamp]
May 04 10:47:43 user1-laptop sssd_be[29275]: OriginalDN: [cn=authentik Admins,ou=groups,dc=home,dc=domain,dc=com].
May 04 10:47:43 user1-laptop sssd_be[29275]: OriginalDN: [cn=bind-accounts,ou=groups,dc=home,dc=domain,dc=com].
May 04 10:47:43 user1-laptop sssd_be[29275]: OriginalDN: [cn=posix,ou=groups,dc=home,dc=domain,dc=com].
May 04 10:47:43 user1-laptop sssd_be[29275]: OriginalDN: [cn=wheel,ou=groups,dc=home,dc=domain,dc=com].
May 04 10:47:43 user1-laptop sssd_be[29275]: OriginalDN: [cn=ldapbind,ou=virtual-groups,dc=home,dc=domain,dc=com].
May 04 10:47:43 user1-laptop sssd_be[29275]: OriginalDN: [cn=user2,ou=virtual-groups,dc=home,dc=domain,dc=com].
May 04 10:47:43 user1-laptop sssd_be[29275]: OriginalDN: [cn=user1,ou=virtual-groups,dc=home,dc=domain,dc=com].
May 04 10:47:43 user1-laptop sssd_be[29275]: Search result: Success(0), no errmsg set
May 04 10:47:43 user1-laptop sssd_be[29275]: Search for groups, returned 10 results.
May 04 10:47:43 user1-laptop sssd_be[29275]: No [objectSID] attribute. [0][Success]
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing group bind-accounts@home.domain.com
May 04 10:47:43 user1-laptop sssd_be[29275]: Original USN value is not available for [bind-accounts@home.domain.com].
May 04 10:47:43 user1-laptop sssd_be[29275]: The group has 1 members
May 04 10:47:43 user1-laptop sssd_be[29275]: Group has 1 members
May 04 10:47:43 user1-laptop sssd_be[29275]: Storing info for group bind-accounts@home.domain.com
May 04 10:47:43 user1-laptop sssd_be[29275]: Entry [name=bind-accounts@home.domain.com,cn=groups,cn=home.domain.com,cn=sysdb] has set [ts_cache] attrs.
May 04 10:47:43 user1-laptop sssd_be[29275]: Group "bind-accounts@home.domain.com" has been stored
May 04 10:47:43 user1-laptop sssd_be[29275]: No [objectSID] attribute. [0][Success]
...
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing object ldapbind
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing group ldapbind@home.domain.com
May 04 10:47:43 user1-laptop sssd_be[29275]: Original USN value is not available for [ldapbind@home.domain.com].
May 04 10:47:43 user1-laptop sssd_be[29275]: The group has 1 members
May 04 10:47:43 user1-laptop sssd_be[29275]: Group has 1 members
May 04 10:47:43 user1-laptop sssd_be[29275]: Storing info for group ldapbind@home.domain.com
May 04 10:47:43 user1-laptop sssd_be[29275]: Entry [name=ldapbind@home.domain.com,cn=groups,cn=home.domain.com,cn=sysdb] has set [ts_cache] attrs.
May 04 10:47:43 user1-laptop sssd_be[29275]: Group "ldapbind@home.domain.com" has been stored
May 04 10:47:43 user1-laptop sssd_be[29275]: No [objectSID] attribute. [0][Success]
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing object user2
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing group user2@home.domain.com
May 04 10:47:43 user1-laptop sssd_be[29275]: Original USN value is not available for [user2@home.domain.com].
May 04 10:47:43 user1-laptop sssd_be[29275]: The group has 1 members
May 04 10:47:43 user1-laptop sssd_be[29275]: Group has 1 members
May 04 10:47:43 user1-laptop sssd_be[29275]: Storing info for group user2@home.domain.com
May 04 10:47:43 user1-laptop sssd_be[29275]: Entry [name=user2@home.domain.com,cn=groups,cn=home.domain.com,cn=sysdb] has set [ts_cache] attrs.
May 04 10:47:43 user1-laptop sssd_be[29275]: Group "user2@home.domain.com" has been stored
May 04 10:47:43 user1-laptop sssd_be[29275]: No [objectSID] attribute. [0][Success]
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing object user1
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing group user1@home.domain.com
May 04 10:47:43 user1-laptop sssd_be[29275]: Original USN value is not available for [user1@home.domain.com].
May 04 10:47:43 user1-laptop sssd_be[29275]: The group has 1 members
May 04 10:47:43 user1-laptop sssd_be[29275]: Group has 1 members
May 04 10:47:43 user1-laptop sssd_be[29275]: Storing info for group user1@home.domain.com
May 04 10:47:43 user1-laptop sssd_be[29275]: Entry [name=user1@home.domain.com,cn=groups,cn=home.domain.com,cn=sysdb] has set [ts_cache] attrs.
May 04 10:47:43 user1-laptop sssd_be[29275]: Group "user1@home.domain.com" has been stored
May 04 10:47:43 user1-laptop sssd_be[29275]: No [objectSID] attribute. [0][Success]
May 04 10:47:43 user1-laptop sssd_be[29275]: Failed to get group sid
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing object bind-accounts
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing group bind-accounts@home.domain.com
May 04 10:47:43 user1-laptop sssd_be[29275]: Adding member users to group [bind-accounts@home.domain.com]
May 04 10:47:43 user1-laptop sssd_be[29275]:     member #0 (cn=ldapbind,ou=users,dc=home,dc=domain,dc=com): [name=ldapbind@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb]
May 04 10:47:43 user1-laptop sssd_be[29275]: Entry [name=bind-accounts@home.domain.com,cn=groups,cn=home.domain.com,cn=sysdb] has set [ts_cache] attrs.
May 04 10:47:43 user1-laptop sssd_be[29275]: Group "bind-accounts@home.domain.com" has been stored
May 04 10:47:43 user1-laptop sssd_be[29275]: No [objectSID] attribute. [0][Success]
May 04 10:47:43 user1-laptop sssd_be[29275]: Failed to get group sid
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing object posix
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing group posix@home.domain.com
May 04 10:47:43 user1-laptop sssd_be[29275]: Adding member users to group [posix@home.domain.com]
May 04 10:47:43 user1-laptop sssd_be[29275]:     member #0 (cn=user2,ou=users,dc=home,dc=domain,dc=com): [name=user2@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb]
May 04 10:47:43 user1-laptop sssd_be[29275]:     member #1 (cn=user1,ou=users,dc=home,dc=domain,dc=com): [name=user1@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb]
May 04 10:47:43 user1-laptop sssd_be[29275]: Entry [name=posix@home.domain.com,cn=groups,cn=home.domain.com,cn=sysdb] has set [ts_cache] attrs.
May 04 10:47:43 user1-laptop sssd_be[29275]: Group "posix@home.domain.com" has been stored
May 04 10:47:43 user1-laptop sssd_be[29275]: No [objectSID] attribute. [0][Success]
May 04 10:47:43 user1-laptop sssd_be[29275]: Failed to get group sid
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing object wheel
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing group wheel@home.domain.com
May 04 10:47:43 user1-laptop sssd_be[29275]: Adding member users to group [wheel@home.domain.com]
May 04 10:47:43 user1-laptop sssd_be[29275]:     member #0 (cn=user2,ou=users,dc=home,dc=domain,dc=com): [name=user2@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb]
May 04 10:47:43 user1-laptop sssd_be[29275]:     member #1 (cn=user1,ou=users,dc=home,dc=domain,dc=com): [name=user1@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb]
May 04 10:47:43 user1-laptop sssd_be[29275]: Entry [name=wheel@home.domain.com,cn=groups,cn=home.domain.com,cn=sysdb] has set [ts_cache] attrs.
May 04 10:47:43 user1-laptop sssd_be[29275]: Group "wheel@home.domain.com" has been stored
May 04 10:47:43 user1-laptop sssd_be[29275]: No [objectSID] attribute. [0][Success]
May 04 10:47:43 user1-laptop sssd_be[29275]: Failed to get group sid
...
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing object ldapbind
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing group ldapbind@home.domain.com
May 04 10:47:43 user1-laptop sssd_be[29275]: Adding member users to group [ldapbind@home.domain.com]
May 04 10:47:43 user1-laptop sssd_be[29275]:     member #0 (cn=ldapbind,ou=users,dc=home,dc=domain,dc=com): [name=ldapbind@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb]
May 04 10:47:43 user1-laptop sssd_be[29275]: Entry [name=ldapbind@home.domain.com,cn=groups,cn=home.domain.com,cn=sysdb] has set [ts_cache] attrs.
May 04 10:47:43 user1-laptop sssd_be[29275]: Group "ldapbind@home.domain.com" has been stored
May 04 10:47:43 user1-laptop sssd_be[29275]: No [objectSID] attribute. [0][Success]
May 04 10:47:43 user1-laptop sssd_be[29275]: Failed to get group sid
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing object user2
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing group user2@home.domain.com
May 04 10:47:43 user1-laptop sssd_be[29275]: Adding member users to group [user2@home.domain.com]
May 04 10:47:43 user1-laptop sssd_be[29275]:     member #0 (cn=user2,ou=users,dc=home,dc=domain,dc=com): [name=user2@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb]
May 04 10:47:43 user1-laptop sssd_be[29275]: Entry [name=user2@home.domain.com,cn=groups,cn=home.domain.com,cn=sysdb] has set [ts_cache] attrs.
May 04 10:47:43 user1-laptop sssd_be[29275]: Group "user2@home.domain.com" has been stored
May 04 10:47:43 user1-laptop sssd_be[29275]: No [objectSID] attribute. [0][Success]
May 04 10:47:43 user1-laptop sssd_be[29275]: Failed to get group sid
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing object user1
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing group user1@home.domain.com
May 04 10:47:43 user1-laptop sssd_be[29275]: Adding member users to group [user1@home.domain.com]
May 04 10:47:43 user1-laptop sssd_be[29275]:     member #0 (cn=user1,ou=users,dc=home,dc=domain,dc=com): [name=user1@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb]
May 04 10:47:43 user1-laptop sssd_be[29275]: Entry [name=user1@home.domain.com,cn=groups,cn=home.domain.com,cn=sysdb] has set [ts_cache] attrs.
May 04 10:47:43 user1-laptop sssd_be[29275]: Group "user1@home.domain.com" has been stored
May 04 10:47:43 user1-laptop sssd_be[29275]: sysdbdn: name=akadmin@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb
May 04 10:47:43 user1-laptop sssd_be[29275]: sysdbdn: name=user1@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb
May 04 10:47:43 user1-laptop sssd_be[29275]: All group members processed
May 04 10:47:43 user1-laptop sssd_be[29275]: sysdbdn: name=ldapbind@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb
May 04 10:47:43 user1-laptop sssd_be[29275]: All group members processed
May 04 10:47:43 user1-laptop sssd_be[29275]: sysdbdn: name=user2@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb
May 04 10:47:43 user1-laptop sssd_be[29275]: sysdbdn: name=user1@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb
May 04 10:47:43 user1-laptop sssd_be[29275]: All group members processed
May 04 10:47:43 user1-laptop sssd_be[29275]: sysdbdn: name=user2@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb
May 04 10:47:43 user1-laptop sssd_be[29275]: sysdbdn: name=user1@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb
May 04 10:47:43 user1-laptop sssd_be[29275]: All group members processed
May 04 10:47:43 user1-laptop sssd_be[29275]: sysdbdn: name=akadmin@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb
May 04 10:47:43 user1-laptop sssd_be[29275]: All group members processed
May 04 10:47:43 user1-laptop sssd_be[29275]: sysdbdn: name=ak-outpost-277b0fb534c340ac80baf69b2f6c2546@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb
May 04 10:47:43 user1-laptop sssd_be[29275]: All group members processed
May 04 10:47:43 user1-laptop sssd_be[29275]: sysdbdn: name=ak-outpost-b648b8f2d687436ebf2f7923c87e941c@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb
May 04 10:47:43 user1-laptop sssd_be[29275]: All group members processed
May 04 10:47:43 user1-laptop sssd_be[29275]: sysdbdn: name=ldapbind@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb
May 04 10:47:43 user1-laptop sssd_be[29275]: All group members processed
May 04 10:47:43 user1-laptop sssd_be[29275]: sysdbdn: name=user2@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb
May 04 10:47:43 user1-laptop sssd_be[29275]: All group members processed
May 04 10:47:43 user1-laptop sssd_be[29275]: sysdbdn: name=user1@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb
May 04 10:47:43 user1-laptop sssd_be[29275]: All group members processed
May 04 10:47:43 user1-laptop sssd_be[29275]: No [objectSID] attribute. [0][Success]
...
May 04 10:47:43 user1-laptop sssd_be[29275]: Group has 1 members
May 04 10:47:43 user1-laptop sssd_be[29275]: Storing info for group user2@home.domain.com
May 04 10:47:43 user1-laptop sssd_be[29275]: Entry [name=user2@home.domain.com,cn=groups,cn=home.domain.com,cn=sysdb] has set [ts_cache] attrs.
May 04 10:47:43 user1-laptop sssd_be[29275]: Group "user2@home.domain.com" has been stored
May 04 10:47:43 user1-laptop sssd_be[29275]: No [objectSID] attribute. [0][Success]
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing object user1
May 04 10:47:43 user1-laptop sssd_be[29275]: Processing group user1@home.domain.com
May 04 10:47:43 user1-laptop sssd_be[29275]: Original USN value is not available for [user1@home.domain.com].
May 04 10:47:43 user1-laptop sssd_be[29275]: Group has 1 members
May 04 10:47:43 user1-laptop sssd_be[29275]: Storing info for group user1@home.domain.com
May 04 10:47:43 user1-laptop sssd_be[29275]: Entry [name=user1@home.domain.com,cn=groups,cn=home.domain.com,cn=sysdb] has set [ts_cache] attrs.
May 04 10:47:43 user1-laptop sssd_be[29275]: Group "user1@home.domain.com" has been stored
May 04 10:47:43 user1-laptop sssd_be[29275]: Groups higher USN value: [(null)]
May 04 10:47:43 user1-laptop sssd_be[29275]: Searching for services with base [DC=home,DC=domain,DC=com]
May 04 10:47:43 user1-laptop sssd_be[29275]: calling ldap_search_ext with [(&(objectclass=ipService)(cn=*)(ipServicePort=*)(ipServiceProtocol=*))][DC=home,DC=domain,DC=com].
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [objectClass]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [cn]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [ipServicePort]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [ipServiceProtocol]
May 04 10:47:43 user1-laptop sssd_be[29275]: Requesting attrs: [modifyTimestamp]
May 04 10:47:43 user1-laptop sssd_be[29275]: Search result: Success(0), no errmsg set
May 04 10:47:43 user1-laptop sssd_be[29275]: Search for services, returned 0 results.
May 04 10:47:43 user1-laptop sssd_be[29275]: Found 0 expired user entries!
May 04 10:47:43 user1-laptop sssd_be[29275]: Found 0 expired group entries!
May 04 10:47:43 user1-laptop sssd_be[29275]: Task [Enumeration [id] of home.domain.com]: finished successfully
...

The Nix module I created for this:

{ config, lib, pkgs, ... }:

let
  cfg = config.security.authentik;
in
{
  options.security.authentik = with lib; with types;
  {
    enable = mkEnableOption "Join Authentik LDAP with SSSD";
    domain = mkOption {
      type = str;
      example = "example.com";
    };
    url = mkOption {
      type = str;
      example = "ldaps://ldap.example.com/";
    };
    base_dn = mkOption {
      type = str;
      example = "DC=example,DC=com";
    };

    bind_dn = mkOption {
      type = str;
      example = "cn=bind_account,ou=users,DC=example,DC=com";
    };
    bind_password = mkOption {
      type = str;
      # either a literal, or a $VAR reference resolved from environmentFile
      example = "mypassword|\$BIND_PASSWORD";
    };
    environmentFile = mkOption {
      # nullOr is needed so that the default of null type-checks when unset
      type = nullOr str;
      example = "/path/to/env.txt";
      default = null;
    };
    user_search_base = mkOption {
      type = str;
      example = "ou=users,dc=example,dc=com";
      default = "";
    };
    group_search_base = mkOption {
      type = str;
      example = "ou=groups,dc=example,dc=com";
      default = "";
    };
  };

  config = lib.mkIf cfg.enable {
    # pam mkdir integration
    security.pam.services.sshd.makeHomeDir = true;

    # setup sssd.conf
    services.sssd = {
      enable = true;
      sshAuthorizedKeysIntegration = true;

      environmentFile = cfg.environmentFile;

      config = ''
        [nss]
        filter_users = root
        filter_groups = root
        reconnection_retries = 3

        [sssd]
        config_file_version = 2
        reconnection_retries = 3
        domains = ${cfg.domain}
        services = nss, pam, ssh

        [domain/${cfg.domain}]
        enumerate = True
        default_shell = /run/current-system/sw/bin/bash
        cache_credentials = True
        id_provider = ldap
        chpass_provider = ldap
        auth_provider = ldap
        access_provider = ldap
        ldap_uri = ${cfg.url}

        ldap_schema = rfc2307bis
        ldap_search_base = ${cfg.base_dn}
        ${if cfg.user_search_base != "" then "ldap_user_search_base = ${cfg.user_search_base}" else ""}
        ${if cfg.group_search_base != "" then "ldap_group_search_base = ${cfg.group_search_base}" else ""}

        # Authentik's LDAP outpost exposes users/groups with these object classes and names
        ldap_user_object_class = user
        ldap_user_name = cn
        ldap_group_object_class = group
        ldap_group_name = cn

        # Optionally, filter logins to only a specific group
        ldap_access_order = filter
        ldap_access_filter = (memberOf=cn=posix,ou=groups,${cfg.base_dn})

        ldap_default_bind_dn = ${cfg.bind_dn}
        ldap_default_authtok = ${cfg.bind_password}
      '';
    };
  };

}

This is using a flake with the following inputs:

  inputs = {
    # pin nixpkgs to the nixos-23.11 release branch of the GitHub repository
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
    agenix.url = "github:ryantm/agenix";
    
    home-manager = {
      url = "github:nix-community/home-manager/release-23.11";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixos-generators = {
      url = "github:nix-community/nixos-generators";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

If anyone has any ideas on how I can figure this out… I am running out of ideas.

Thanks!
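To check what the log above actually proves, here is an added example (not from the post) that parses sssd_be lines in the format shown, summarises what the enumeration task returned from LDAP and stored in sysdb, and lists cached users that a getent passwd dump never reported. The sample log and getent output are constructed to mirror the symptom; the short-name comparison assumes use_fully_qualified_names is not set.

```python
import re

# Constructed sample in the journal format of the post's sssd_be log (shortened, same line shapes).
SAMPLE_LOG = """\
May 04 10:47:43 user1-laptop sssd_be[29275]: Task [Enumeration [id] of home.domain.com]: executing task, timeout 300 seconds
May 04 10:47:43 user1-laptop sssd_be[29275]: Search for users, returned 3 results.
May 04 10:47:43 user1-laptop sssd_be[29275]: User "ldapbind@home.domain.com" has been stored
May 04 10:47:43 user1-laptop sssd_be[29275]: User "user2@home.domain.com" has been stored
May 04 10:47:43 user1-laptop sssd_be[29275]: User "user1@home.domain.com" has been stored
May 04 10:47:43 user1-laptop sssd_be[29275]: Search for groups, returned 2 results.
May 04 10:47:43 user1-laptop sssd_be[29275]: No [objectSID] attribute. [0][Success]
May 04 10:47:43 user1-laptop sssd_be[29275]: Failed to get group sid
May 04 10:47:43 user1-laptop sssd_be[29275]: Adding member users to group [posix@home.domain.com]
May 04 10:47:43 user1-laptop sssd_be[29275]:     member #0 (cn=user2,ou=users,dc=home,dc=domain,dc=com): [name=user2@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb]
May 04 10:47:43 user1-laptop sssd_be[29275]:     member #1 (cn=user1,ou=users,dc=home,dc=domain,dc=com): [name=user1@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb]
May 04 10:47:43 user1-laptop sssd_be[29275]: Group "posix@home.domain.com" has been stored
May 04 10:47:43 user1-laptop sssd_be[29275]: Adding member users to group [wheel@home.domain.com]
May 04 10:47:43 user1-laptop sssd_be[29275]:     member #0 (cn=user1,ou=users,dc=home,dc=domain,dc=com): [name=user1@home.domain.com,cn=users,cn=home.domain.com,cn=sysdb]
May 04 10:47:43 user1-laptop sssd_be[29275]: Group "wheel@home.domain.com" has been stored
May 04 10:47:43 user1-laptop sssd_be[29275]: Search for services, returned 0 results.
May 04 10:47:43 user1-laptop sssd_be[29275]: Task [Enumeration [id] of home.domain.com]: finished successfully
"""

# Constructed `getent passwd` output showing the post's symptom: only local accounts come back.
SAMPLE_GETENT = """\
root:x:0:0:System administrator:/root:/run/current-system/sw/bin/bash
nobody:x:65534:65534:Unprivileged account:/var/empty:/run/current-system/sw/bin/nologin
"""

# journal prefix "Mon DD HH:MM:SS host sssd_be[pid]: " followed by the SSSD message
PREFIX_RE = re.compile(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ sssd_be\[\d+\]: ?(.*)$")
TASK_RE = re.compile(r"Task \[Enumeration \[(\w+)\] of ([^\]]+)\]: (executing task|finished successfully)")
RETURNED_RE = re.compile(r"Search for ([\w ]+?),? returned (\d+) results\.")
STORED_RE = re.compile(r'(User|Group) "([^"]+)" has been stored')
ADDING_RE = re.compile(r"Adding member users to group \[([^\]]+)\]")
MEMBER_RE = re.compile(r"member #\d+ \([^)]*\): \[name=([^,]+),cn=users,")


def parse_enumeration(log_text):
    """Summarise one sssd_be enumeration run: what LDAP returned and what landed in sysdb."""
    summary = {"returned": {}, "users": set(), "groups": set(), "members": {}, "finished": set()}
    current_group = None
    for raw in log_text.splitlines():
        m = PREFIX_RE.match(raw)
        if not m:
            continue  # "..." elisions and non-sssd lines
        msg = m.group(1).strip()
        # "No [objectSID]" / "Failed to get group sid" lines are expected for a non-AD directory
        if (t := TASK_RE.search(msg)) and t.group(3) == "finished successfully":
            summary["finished"].add(t.group(1))
        elif r := RETURNED_RE.search(msg):
            summary["returned"][r.group(1)] = int(r.group(2))
        elif s := STORED_RE.search(msg):
            summary["users" if s.group(1) == "User" else "groups"].add(s.group(2))
        elif a := ADDING_RE.search(msg):
            current_group = a.group(1)
            summary["members"].setdefault(current_group, [])
        elif (mm := MEMBER_RE.search(msg)) and current_group:
            summary["members"][current_group].append(mm.group(1))
    return summary


def short_name(fqname):
    """sysdb stores user1@home.domain.com; getent prints user1 unless use_fully_qualified_names is set."""
    return fqname.split("@", 1)[0]


def missing_from_getent(summary, getent_passwd):
    """Users SSSD stored in its cache that the sss NSS module never returned to getent."""
    visible = {line.split(":", 1)[0] for line in getent_passwd.splitlines() if line.strip()}
    return sorted(short_name(u) for u in summary["users"] if short_name(u) not in visible)


if __name__ == "__main__":
    s = parse_enumeration(SAMPLE_LOG)
    print("LDAP returned:", s["returned"])
    print("cached users:", sorted(s["users"]))
    print("group members:", s["members"])
    print("cached but invisible via NSS:", missing_from_getent(s, SAMPLE_GETENT))
```

A non-empty "cached but invisible" list with a successful enumeration task points at the NSS side (nsswitch.conf or the sss responder) rather than at the LDAP backend.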

I don’t have any help on this yet, but it is something I plan on implementing soon. Did you make any progress?

Everything works but enumeration, so I eventually gave up and set the login screen to always require a username and password to be typed in. I got to the point where the issue seemed less related to sssd, ldap, and Authentik and more related to the way NixOS handles library lookups for nsswitch services in general.