getent passwd doesn't work; CentOS 7 and SSSD LDAP authentication

I installed CentOS 7 on a brand new server. All my servers get end-user authentication through LDAPS on various systems such as RHEL5, Debian, and Solaris. I noticed there is a new layer on CentOS 7, SSS, above NSS and PAM. Anyway, I tried to replicate the same type of connection as on the other servers.

The command ldapsearch -x binds over LDAP, but not over LDAPS.

While digging into the problem, I tried to make the connection over plain LDAP, bypassing the SSS layer, by putting these lines in my /etc/nsswitch.conf

passwd:     files ldap #sss 
shadow:     files ldap #sss 
group:      files ldap #sss 

And I added this line in the /etc/sssd/sssd.conf

cache_credentials = False

And I restarted sssd.

systemctl restart sssd

I checked with the command authconfig --test and everything seems OK: (http://www.heypasteit.com/clip/1LZ2)

Solution 1:

I'm not sure if this is the proper solution, but I noticed this point in the SSSD FAQ:

When should I enable enumeration in SSSD? or Why is enumeration disabled by default?

"Enumeration" is SSSD's term for "reading in and displaying all the values of a particular map (users, groups, etc.)". We disable this by default in the SSSD in order to minimize the load on the servers with which SSSD must communicate. In most operation, listing the complete set of users or groups will never be necessary. Applications will generally request information about specific users or groups.

Enumerating all entries has a negative impact on server load and on client performance (as we have to save all of the complex relationships between users and the groups to which they belong in the local cache). So because of this, we ship with enumeration disabled (the same behavior as the Samba project's winbind).

You should only enable enumerations (and the resultant performance issues) if you have applications or scripts in your environment that absolutely must be able to retrieve the complete lists. In these cases, enumeration can be enabled by setting

   [domain/<domainname>]
   enumerate = true
   ...

in your sssd.conf file.

This enabled the ability of getent passwd to display all the accounts that were available via SSSD. Be warned that this can be a performance drag.
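A small diagnostic for the two files touched in this thread, the nsswitch.conf edit in the question and the enumerate setting from this answer. This is an added example, not code from the original post or from the SSSD project; the file paths are parameters and the sample contents (domains corp and lab, the ldaps:// URIs) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post or from the
# SSSD project. It reads the two files the thread edits and reports whether
# "sss" is still active in nsswitch.conf and whether enumeration is on for each
# SSSD domain. Paths are arguments, so the functions work on the constructed
# samples below or on a real /etc/nsswitch.conf and /etc/sssd/sssd.conf.

# Print each of passwd/shadow/group whose nsswitch line does not list "sss"
# before a "#" comment (so "files ldap #sss" counts as sss disabled).
nss_missing_sss() {
    awk '
        /^[[:space:]]*(passwd|shadow|group)[[:space:]]*:/ {
            line = $0
            sub(/#.*/, "", line)             # "#sss" is a comment, not a source
            split(line, kv, ":")
            db = kv[1]; gsub(/[[:space:]]/, "", db)
            if (kv[2] !~ /(^|[[:space:]])sss([[:space:]]|$)/) print db
        }' "$1"
}

# Print "<domain> true|false" for every [domain/...] section of sssd.conf.
# SSSD defaults enumerate to false, so a missing key is reported as false.
sssd_enumerate_status() {
    awk '
        function emit() { if (dom != "") print dom, val }
        /^[[:space:]]*\[domain\// {
            emit()
            dom = $0
            sub(/^[[:space:]]*\[domain\//, "", dom); sub(/].*/, "", dom)
            val = "false"
            next
        }
        /^[[:space:]]*\[/ { emit(); dom = "" }   # any other section ends the domain
        dom != "" && /^[[:space:]]*enumerate[[:space:]]*=/ {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]*$/, "", v)
            val = (tolower(v) == "true") ? "true" : "false"
        }
        END { emit() }' "$1"
}

# Constructed sample files mirroring the thread: sss commented out for passwd
# and group, and enumeration enabled for one of two hypothetical domains.
SAMPLE_NSSWITCH=$(mktemp) || exit 1
SAMPLE_SSSD=$(mktemp) || exit 1
trap 'rm -f "$SAMPLE_NSSWITCH" "$SAMPLE_SSSD"' EXIT

cat >"$SAMPLE_NSSWITCH" <<'EOF'
passwd:     files ldap #sss
shadow:     files sss
group:      files ldap #sss
hosts:      files dns
EOF

cat >"$SAMPLE_SSSD" <<'EOF'
[sssd]
services = nss, pam
domains = corp, lab

[domain/corp]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
enumerate = true
cache_credentials = False

[domain/lab]
id_provider = ldap
ldap_uri = ldaps://ldap-lab.example.com

[nss]
filter_groups = root
EOF

echo "nsswitch databases without sss:"
nss_missing_sss "$SAMPLE_NSSWITCH"
echo "enumeration per SSSD domain:"
sssd_enumerate_status "$SAMPLE_SSSD"
```

Run against the real files (`nss_missing_sss /etc/nsswitch.conf; sssd_enumerate_status /etc/sssd/sssd.conf`) after each change and `systemctl restart sssd`. Two things worth keeping apart when reading the output: a domain reported as `false` only means `getent passwd` with no argument will not list its users, since single lookups such as `getent passwd <user>` and PAM logins do not need enumeration, while a database reported by the first function means sss is not consulted at all for it, which is a different failure.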