getent passwd doesn't work; CentOS 7 and SSSD LDAP authentication
I installed CentOS 7 on a brand new server. All my servers get end user authentication through LDAPS on various system as RHEL5, Debian, and Solaris. I noticed there is a new layer on CentOS 7 which is SSS above NSS and PAM. Anyway, I try to replicate the same type of connection as the other server.
The command ldapsearch -x
is binding in LDAP, but not in LDAPS.
While digging the problem, I tried to do a connection in LDAP squeezing the SSS layer putting these lines in my /etc/nsswitch.conf
passwd: files ldap #sss
shadow: files ldap #sss
group: files ldap #sss
And I added this line in the /etc/sssd/sssd.conf
cache_credentials = False
And I restarted ssd.
systemctl restart sssd
I check with the command authconfig --test
and everything seems ok: (http://www.heypasteit.com/clip/1LZ2)
Solution 1:
I'm not sure if this is the proper solution but noticed in the SSSD FAQ this point:
When should I enable enumeration in SSSD? or Why is enumeration disabled by default?
"Enumeration" is SSSD's term for "reading in and displaying all the values of a particular map (users, groups, etc.)". We disable this by default in the SSSD in order to minimize the load on the servers with which SSSD must communicate. In most operation, listing the complete set of users or groups will never be necessary. Applications will generally request information about specific users or groups.
Enumerating all entries has a negative impact in load on the server and performance on the client (as we have to save all of the complex relationships between users and the groups to which they belong in the local cache). So because of this, we ship with enumerations disabled (the same behavior as the Samba project's winbind).
You should only enable enumerations (and the resultant performance issues) if you have applications or scripts in your environment that absolutely must be able to retrieve the complete lists. In these cases, enumeration can be enabled by setting
[domain/<domainname>] enumerate = true ...
in your sssd.conf file.
This enabled the ability of getent passwd
to display all the accounts that were available via SSSD. Be warned that this can be a performance drag.