[Freeipa-users] ID Views without AD

Mike Kelly pioto at pioto.org
Thu Feb 11 11:17:01 UTC 2016


On Thu, Feb 11, 2016 at 3:21 AM Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Wed, 10 Feb 2016, Mike Kelly wrote:
> >On Wed, Feb 10, 2016 at 3:19 AM Alexander Bokovoy <abokovoy at redhat.com>
> >wrote:
> >
> >> On Wed, 10 Feb 2016, Mike Kelly wrote:
> >>
> >> >Is there some extra logging I can turn on to see why this ID View isn't
> >> >being applied like I would expect? Or perhaps some extra bit of
> >> >configuration I missed?
> >> Level 7 or 9 debug logs in SSSD on the client might help.
> >>
> >
> >Thanks.
> >
> >Here's what looks like the relevant bits in /var/log/sssd/sssd_nss.log,
> >after I ran `sss_cache -E ; id pioto`:
> Please provide content of sssd_<domain>.log, this is where the actual
> work is done when user information is obtained and processed.
> sssd_nss.log is merely a requestor.
>

Thanks. Here's what is hopefully the relevant lines:


(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]]
[sdap_search_user_next_base] (0x0400): Searching for users with base
[cn=accounts,dc=home,dc=pioto,dc=org]
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(uid=pioto)(objectclass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0
))))][cn=accounts,dc=home,dc=pioto,dc=org].
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [sdap_parse_entry]
(0x1000): OriginalDN:
[uid=pioto,cn=users,cn=accounts,dc=home,dc=pioto,dc=org].
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]]
[sdap_search_user_process] (0x0400): Search for users, returned 1 results.
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [sdap_save_user]
(0x0400): Save user
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]]
[sdap_attrs_get_sid_str] (0x1000): No [objectSIDString] attribute.
[0][Success]
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]]
[sdap_get_primary_name] (0x0400): Processing object pioto
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [sdap_save_user]
(0x0400): Processing user pioto
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]]
[sdap_idmap_domain_has_algorithmic_mapping] (0x0080): Could not parse
domain SID from [(null)]
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [sdap_save_user]
(0x0400): Adding original memberOf attributes to [pioto].
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [sdap_save_user]
(0x0400): Adding user principal [pioto at HOME.PIOTO.ORG] to attributes of
[pioto].
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [sdap_save_user]
(0x0400): Storing info for user pioto
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [acctinfo_callback]
(0x0100): Request processed. Returned 0,0,Success (Success)

-- so, looks like I don't see any evidence of an id view being searched for
or applied?

(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [be_get_account_info]
(0x0200): Got request for [0x1002][1][idnumber=1403400001]
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]]
[sdap_get_groups_next_base] (0x0400): Searching for groups with base
[cn=accounts,dc=home,dc=pioto,dc=org]
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with
[(&(gidNumber=1403400001)(|(objectClass=ipaUserGroup)(objectClass=posixGroup
))(cn=*)(&(gidNumber=*)(!(gidNumber=0))))][cn=accounts,dc=home,dc=pioto,dc=org].

-- and here, looks like nss is requesting the details from my FreeIPA
default GID...

The only log entries I see in /var/log/sssd/sssd_<domain>.log that are
related to views seem to be from when I last restarted sssd:

(Wed Feb 10 13:09:52 2016) [sssd[be[home.pioto.org]]] [dp_get_options]
(0x0400): Option ipa_views_search_base has no value
(Wed Feb 10 13:09:52 2016) [sssd[be[home.pioto.org]]] [ipa_get_id_options]
(0x0100): Option ipa_views_search_base set to
cn=views,cn=accounts,dc=home,dc=pioto,dc=org
(Wed Feb 10 13:09:52 2016) [sssd[be[home.pioto.org]]]
[common_parse_search_base] (0x0100): Search base added:
[IPA_VIEWS][cn=views,cn=accounts,dc=home,dc=pioto,dc=org][SUBTREE][]
(Wed Feb 10 13:09:52 2016) [sssd[be[home.pioto.org]]] [sdap_get_map]
(0x0400): Option ipa_view_class has value nsContainer
(Wed Feb 10 13:09:52 2016) [sssd[be[home.pioto.org]]] [sdap_get_map]
(0x0400): Option ipa_view_name has value cn
(Wed Feb 10 13:09:52 2016) [sssd[be[home.pioto.org]]] [sssm_ipa_id_init]
(0x0020): Cannot find view name in the cache. Will do online lookup later.
(Wed Feb 10 13:09:52 2016) [sssd[be[home.pioto.org]]] [dp_copy_options_ex]
(0x0400): Option ipa_views_search_base has value
cn=views,cn=accounts,dc=home,dc=pioto,dc=org
(Wed Feb 10 13:09:52 2016) [sssd[be[home.pioto.org]]] [dp_copy_options_ex]
(0x0400): Option ipa_views_search_base has value
cn=views,cn=accounts,dc=home,dc=pioto,dc=org

----

When I search LDAP under that search base, I get 3 DNs I'd expect to see:

dn: cn=views,cn=accounts,dc=home,dc=pioto,dc=org
dn: cn=oldservers,cn=views,cn=accounts,dc=home,dc=pioto,dc=org
dn: ipaanchoruuid=:IPA:home.pioto.org:fc07446e-ce52-11e5-8a98-52540092d8fc,cn=oldservers,cn=views,cn=accounts,dc=home,dc=pioto,dc=org

And, under the servers tree, I see a corresponding ipaAssignedIDView:

dn: fqdn=data.home.pioto.org,cn=computers,cn=accounts,dc=home,dc=pioto,dc=org
ipaAssignedIDView: cn=oldservers,cn=views,cn=accounts,dc=home,dc=pioto,dc=org

-- 

Mike Kelly
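
An added example, not part of the original message and not SSSD code: a small Python triage script that rejoins mail-wrapped `sssd_<domain>.log` lines, parses each debug entry, and reports which entries mention views and whether any fall near the time of a lookup. The function names and the 30-second window are assumptions; the sample is trimmed from the excerpts quoted in the message above.

```python
import re
from datetime import datetime, timedelta

# One SSSD debug entry: (timestamp) [process] [function] (level): message
ENTRY = re.compile(r"^\((?P<ts>[^)]+)\) \[(?P<proc>\S+)\] \[(?P<func>\w+)\] "
                   r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
START = re.compile(r"\((Mon|Tue|Wed|Thu|Fri|Sat|Sun) ")

# Sample trimmed from the log excerpts in the message (wrapped as mailed).
SAMPLE = """\
(Wed Feb 10 13:09:52 2016) [sssd[be[home.pioto.org]]] [sdap_get_map]
(0x0400): Option ipa_view_name has value cn
(Wed Feb 10 13:09:52 2016) [sssd[be[home.pioto.org]]] [sssm_ipa_id_init]
(0x0020): Cannot find view name in the cache. Will do online lookup later.
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]]
[sdap_search_user_process] (0x0400): Search for users, returned 1 results.
(Thu Feb 11 06:05:13 2016) [sssd[be[home.pioto.org]]] [sdap_save_user]
(0x0400): Storing info for user pioto
"""

def parse_sssd_log(text):
    """Rejoin wrapped lines, then return one dict per debug entry."""
    joined = []
    for line in text.splitlines():
        if START.match(line):              # a new entry begins with a timestamp
            joined.append(line.strip())
        elif joined and line.strip():      # continuation of a wrapped entry
            joined[-1] += " " + line.strip()
    entries = []
    for line in joined:
        m = ENTRY.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%a %b %d %H:%M:%S %Y")
            e["level"] = int(e["level"], 16)
            entries.append(e)
    return entries

def view_entries(entries):
    """Entries whose function name or message mentions views."""
    return [e for e in entries if "view" in (e["func"] + " " + e["msg"]).lower()]

def view_activity_near(entries, when, window=timedelta(seconds=30)):
    """View-related entries logged within `window` of a lookup time."""
    return [e for e in view_entries(entries) if abs(e["ts"] - when) <= window]

if __name__ == "__main__":
    log = parse_sssd_log(SAMPLE)
    for e in view_entries(log):
        print(e["ts"], e["func"], hex(e["level"]), e["msg"])
    print("near lookup:", view_activity_near(log, datetime(2016, 2, 11, 6, 5, 13)))
```
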