SSSD LDAP Bad Filter (NULL)

Hi all,

I built up a LDAP (Client) with SSSD on Rocky Linux 9.3.
My LDAP server is on Windows Server 2012.

I did the sssd.conf configuration like:

[sssd]
config_file_version = 2
services = nss, pam
domains = myserver.com

[nss]
#filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd

[pam]

[domain/myserver.com]
debug_level = 6
ldap_tls_reqcert = never
auth_provider = ldap
ldap_schema = rfc2307bis
krb5_realm = MYSERVER.COM
ldap_search_base = DC=myserver,DC=com
#ldap_group_member = uniquemember
id_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
ldap_uri = ldap://server.myserver.com
ldap_chpass_uri = ldap://server.myserver.com
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
entry_cache_timeout = 1
ldap_network_timeout = 6
#ldap_access_filter = (objectClass=top)
ldap_id_use_start_tls = False
ldap_default_bind_dn = CN=admin,CN=Users,DC=myserver,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = ********
#ldap_user_search_base = CN=Users,DC=myserver,DC=com
ldap_library_debug_level = -1
ldap_id_mapping = True
# ldap user parameters
ldap_user_search_base = CN=Users,DC=myserver,DC=com
ldap_user_object_class = user
ldap_user_name = uid
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = HomeDirectory
ldap_user_shell = loginShell
ldap_user_member_of = memberOf
# ldap group parameters
ldap_group_search_base = CN=Users,DC=myserver,DC=com
ldap_group_object_class = group
ldap_group_name = cn
ldap_group_gid_number = gidNumber
ldap_group_member = memberUid

there is no problem with: systemctl status sssd

but when I run the command “id domainuser”, LDAP does not take the user IDs and groups.

I debugged it with sssd_myserver.com.log:

[sdap_search_user_next_base] (0x0400): [RID#3] Searching for users with base [CN=Users,DC=myserver,DC=com]
[sdap_get_generic_ext_step] (0x0400): [RID#3] calling ldap_search_ext with [(&(uid=domainuser)(objectclass=user)(uid=*)((null)=*))][CN=Users,DC=myserver,DC=com].
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [objectClass]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [uid]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [userPassword]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [uidNumber]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [gidNumber]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [gecos]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [homeDirectory]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [loginShell]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [krbPrincipalName]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [cn]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [memberOf]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [modifyTimestamp]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [shadowLastChange]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [shadowMin]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [shadowMax]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [shadowWarning]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [shadowInactive]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [shadowExpire]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [shadowFlag]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [krbLastPwdChange]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [krbPasswordExpiration]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [pwdAttribute]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [authorizedService]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [accountExpires]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [userAccountControl]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [nsAccountLock]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [host]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [rhost]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [loginDisabled]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [loginExpirationTime]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [loginAllowedTimeMap]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [sshPublicKey]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [userCertificate;binary]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [mail]
[sdap_get_generic_ext_step] (0x1000): [RID#3] Requesting attrs: [passkey]
[sss_ldap_debug] (0x4000): [RID#3] libldap: ldap_search_ext
[sss_ldap_debug] (0x4000): [RID#3] libldap: put_filter: "(&(uid=domainuser)(objectclass=user)(uid=*)((null)=*))"
[sss_ldap_debug] (0x4000): [RID#3] libldap: put_filter: AND
[sss_ldap_debug] (0x4000): [RID#3] libldap: put_filter_list "(uid=domainuser)(objectclass=user)(uid=*)((null)=*)"
[sss_ldap_debug] (0x4000): [RID#3] libldap: put_filter: "(uid=domainuser)"
[sss_ldap_debug] (0x4000): [RID#3] libldap: put_filter: simple
[sss_ldap_debug] (0x4000): [RID#3] libldap: put_simple_filter: "uid=domainuser"
[sss_ldap_debug] (0x4000): [RID#3] libldap: put_filter: "(objectclass=user)"
[sss_ldap_debug] (0x4000): [RID#3] libldap: put_filter: simple
[sss_ldap_debug] (0x4000): [RID#3] libldap: put_simple_filter: "objectclass=user"
[sss_ldap_debug] (0x4000): [RID#3] libldap: put_filter: "(uid=*)"
[sss_ldap_debug] (0x4000): [RID#3] libldap: put_filter: simple
[sss_ldap_debug] (0x4000): [RID#3] libldap: put_simple_filter: "uid=*"
[sss_ldap_debug] (0x4000): [RID#3] libldap: put_filter: "((null)=*)"
[sss_ldap_debug] (0x4000): [RID#3] libldap: ldap_err2string
[sdap_get_generic_ext_step] (0x0080): [RID#3] ldap_search_ext failed: Bad search filter
[sdap_id_op_connect_done] (0x4000): [RID#3] caching successful connection after 1 notifies
[be_run_unconditional_online_cb] (0x4000): [RID#3] List of unconditional online callbacks is empty, nothing to do.

The problem looks like it is in the search filter, because there is a null search in the filter.

When I tried the ldapsearch command :

No problem with this search filter:

ldapsearch -x -b "dc=myserver,dc=com" -H ldap://myserver.com -D "CN=admin,CN=Users,DC=myserver,DC=com" -W "(&(uid=domainuser)(objectclass=user)(uid=*))"

When I add the null filter, I get the Bad Filter error as well:

[root@eicsrv04 administrator]# ldapsearch -x -b "dc=myserver,dc=com" -H ldap://myserver.com -D "CN=admin,CN=Users,DC=myserver,DC=com" -W "((uid=domainuser)(objectclass=user)(uid=*)((null)=*))"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=myserver,dc=com> with scope subtree
# filter: ((uid=domainuser)(objectclass=user)(uid=*)((null)=*))
# requesting: ALL
#

ldap_search_ext: Bad search filter (-7)

I could not find the reason for the null filter.
Which attribute causes this null filter?
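The failing call in the log above is rejected by libldap before it ever reaches the server, so the useful question is which component of the filter breaks the RFC 4515 grammar. The script below is an added example, not part of this post or of SSSD/OpenLDAP: it parses a filter the way the grammar is written (and/or/not lists, items with `=`, `~=`, `>=`, `<=`, present and substring wildcards, `\XX` escapes) and reports the first bad component with its offset, then runs that check over `calling ldap_search_ext with [...]` lines of the kind SSSD writes at debug_level 6. Extensible-match filters (`attr:rule:=value`) are not implemented and are reported as invalid. The first sample log line copies the failing call from the thread; the second (a group lookup) is constructed.

```python
"""Validate LDAP search filters against the RFC 4515 grammar and pull the
filters SSSD logs out of sssd_<domain>.log lines, so a "Bad search filter"
error can be pinned to the exact broken component.

Added example; not from the forum thread, SSSD or OpenLDAP. Extensible-match
filters (attr:dn:rule:=value) are not supported and are reported as invalid.
"""
import re

# attributedescription (RFC 4512 s2.5): keystring or numeric OID, optional ";opt"
_ATTR_RE = re.compile(r"(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)+)(?:;[A-Za-z0-9-]+)*")
_ESCAPED_VALUE_RE = re.compile(r"(?:[^\\]|\\[0-9A-Fa-f]{2})*")
_LOG_FILTER_RE = re.compile(r"calling ldap_search_ext with \[(.+?)\]\[")


class FilterError(ValueError):
    """First syntax error, with its offset and the remaining text."""


class _Parser:
    def __init__(self, text):
        self.s, self.i = text, 0

    def _fail(self, msg):
        raise FilterError(f"{msg} at offset {self.i}: {self.s[self.i:]!r}")

    def _expect(self, ch):
        if self.i >= len(self.s) or self.s[self.i] != ch:
            self._fail(f"expected {ch!r}")
        self.i += 1

    def parse(self):
        self._filter()
        if self.i != len(self.s):
            self._fail("trailing data")

    def _filter(self):
        # filter = "(" filtercomp ")" ; filtercomp = and / or / not / item
        self._expect("(")
        if self.i >= len(self.s):
            self._fail("unexpected end of filter")
        c = self.s[self.i]
        if c in "&|":
            self.i += 1
            count = 0
            while self.i < len(self.s) and self.s[self.i] == "(":
                self._filter()
                count += 1
            if count == 0:  # and/or need at least one nested filter
                self._fail(f"empty filter list after {c!r}")
        elif c == "!":
            self.i += 1
            self._filter()
        else:
            self._item()
        self._expect(")")

    def _item(self):
        # item = attr filtertype value ; attr runs up to the first operator char
        start = self.i
        while self.i < len(self.s) and self.s[self.i] not in "=~<>":
            self.i += 1
        attr = self.s[start:self.i]
        if not _ATTR_RE.fullmatch(attr):
            self.i = start
            self._fail(f"invalid attribute description {attr!r}")
        if self.i >= len(self.s):
            self._fail("missing filter operator")
        op = self.s[self.i]
        if op == "=":
            self.i += 1
        elif self.s[self.i + 1:self.i + 2] == "=":  # "~=", ">=", "<="
            self.i += 2
        else:
            self._fail(f"bad operator after {attr!r}")
        vstart = self.i
        while self.i < len(self.s) and self.s[self.i] != ")":
            self.i += 1
        value = self.s[vstart:self.i]
        # "(" ")" "*" "\" and NUL must be \XX-escaped inside a value; a raw "*"
        # is only legal as the present/substring wildcard of an "=" item
        if "(" in value or "\x00" in value or (op != "=" and "*" in value):
            self.i = vstart
            self._fail(f"illegal character in value {value!r}")
        if not _ESCAPED_VALUE_RE.fullmatch(value):
            self.i = vstart
            self._fail(f"bad escape in value {value!r}")


def check_filter(text):
    """Return None if `text` is a syntactically valid filter, else the error text."""
    try:
        _Parser(text).parse()
    except FilterError as e:
        return str(e)
    return None


def filters_from_log(lines):
    """Yield (filter, verdict) for each ldap_search_ext call in SSSD debug output."""
    for line in lines:
        m = _LOG_FILTER_RE.search(line)
        if m:
            yield m.group(1), check_filter(m.group(1))


# Constructed log lines: the first copies the failing call from the thread's
# sssd_myserver.com.log, the second is a made-up healthy group lookup.
SAMPLE_LOG = [
    "[sdap_get_generic_ext_step] (0x0400): [RID#3] calling ldap_search_ext with "
    "[(&(uid=domainuser)(objectclass=user)(uid=*)((null)=*))][CN=Users,DC=myserver,DC=com].",
    "[sdap_get_generic_ext_step] (0x0400): [RID#4] calling ldap_search_ext with "
    "[(&(cn=domaingroup)(objectclass=group)(gidNumber=*))][CN=Users,DC=myserver,DC=com].",
]

if __name__ == "__main__":
    for flt, verdict in filters_from_log(SAMPLE_LOG):
        print(("OK  " if verdict is None else "BAD ") + flt)
        if verdict:
            print("     " + verdict)
```

Run against the two filters from the post, the `(&...)` filter from the SSSD log fails only at `(null)` (the attribute name is not a valid attribute description), while the hand-typed `((uid=...` ldapsearch filter already fails at the second `(` because the `&` is missing, which is why ldapsearch reports the same error for a different reason.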

The only thing that looks odd to me is the “null filter”, as you already noticed. Is there anyway to further simplify the sssd conf file?

You may be missing a directive or you have a directive that you do not need in sssd.conf. I’ve never used SSSD to connect to AD via LDAP. I connect to AD using realm. Is there a reason why you prefer LDAP authentication over joining the system to AD with realm? (See here).

I am no expert on sssd, it has been a long time since I used it, but from reading your sssd.conf , you seem to be trying to use the RFC2307 attributes from AD (which I take it have been added, they are not there by default). However, you also have ‘ldap_id_mapping = True’, which, if I remember correctly, means ‘do not use uidNumber & gidNumber attributes from AD, create the IDs’, I think you want ‘false’ instead of ‘True’.
You also have ‘ldap_group_member = memberUid’, I think you want ‘ldap_group_member = member’, unless you have a very strange setup in AD that uses ‘memberUID’.
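The two mismatches pointed out in this reply, and the transport and credential settings visible in the posted sssd.conf, can all be checked mechanically before restarting sssd. The linter below is an added example, not code from this thread or from the SSSD project: it parses the file with a small hand-rolled reader (so a key set twice in one section is reported rather than silently overwritten, as configparser would), then flags `ldap_id_mapping = True` next to explicit `uidNumber`/`gidNumber` mappings, `ldap_group_member = memberUid` under the rfc2307bis/AD schema, a stored bind password sent over `ldap://` without STARTTLS, `ldap_tls_reqcert = never`, and, as a least-privilege heuristic that is my assumption rather than an SSSD rule, a bind DN that looks like an administrative account. The sample configuration is a constructed excerpt of the one posted above.

```python
"""Lint an sssd.conf for the settings discussed in this thread: the
ldap_id_mapping contradiction, an AD group attribute that is unlikely to be
populated, a cleartext simple bind, disabled certificate checks and keys set
twice. Added example, not the thread's or SSSD's own code; the findings are
heuristics for AD-backed ldap domains, not a full sssd.conf validator.
"""
import re

_SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
_KEY_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*?)$")


def parse_sssd_conf(text):
    """Return ({section: {key: value}}, [(section, key), ...] duplicates).

    Hand-rolled instead of configparser so that a key set twice in one
    section is reported instead of silently overwritten.
    """
    sections, duplicates, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = _KEY_RE.match(line)
        if m and current is not None:
            key, val = m.group(1), m.group(2).strip()
            if key in sections[current]:
                duplicates.append((current, key))
            sections[current][key] = val
    return sections, duplicates


def _true(v):
    return v.strip().lower() in ("true", "yes", "1")


def lint_sssd_conf(text):
    """Return a list of (severity, section, message) findings."""
    sections, duplicates = parse_sssd_conf(text)
    out = [("warn", s, f"key '{k}' is set more than once; the last value wins")
           for s, k in duplicates]
    for name, o in sections.items():
        if not name.startswith("domain/"):
            continue
        # ldap_id_mapping = True derives POSIX IDs from the SID and ignores the
        # uidNumber/gidNumber stored in AD, so explicit mappings of those
        # attributes (and the goal of NIS-compatible IDs) contradict it
        if _true(o.get("ldap_id_mapping", "false")) and (
                "ldap_user_uid_number" in o or "ldap_user_gid_number" in o):
            out.append(("error", name, "ldap_id_mapping = True ignores uidNumber/gidNumber "
                        "from the directory; set it to False to keep the UNIX IDs stored in AD"))
        # AD keeps group membership as DNs in 'member'; memberUid is the plain
        # rfc2307 attribute and is normally absent from AD groups
        if (o.get("ldap_schema", "").lower() == "rfc2307bis"
                and o.get("ldap_group_member", "").lower() == "memberuid"):
            out.append(("error", name, "ldap_group_member = memberUid with rfc2307bis/AD; "
                        "groups stay empty unless memberUid is really populated, expected 'member'"))
        # Transport: a simple bind with a stored password over ldap:// and no
        # STARTTLS (SSSD's default is false) sends that password in cleartext
        if (o.get("ldap_uri", "").startswith("ldap://")
                and not _true(o.get("ldap_id_use_start_tls", "false"))
                and "ldap_default_authtok" in o):
            out.append(("error", name, "cleartext bind: ldap_uri is ldap:// and "
                        "ldap_id_use_start_tls is not True while a bind password is configured"))
        if o.get("ldap_tls_reqcert", "").lower() == "never":
            out.append(("warn", name, "ldap_tls_reqcert = never disables server certificate validation"))
        # Heuristic (assumption, not an SSSD rule): lookups only need read
        # access, so an administrative bind account is more privilege than needed
        if re.match(r"CN=(admin|administrator),", o.get("ldap_default_bind_dn", ""), re.I):
            out.append(("warn", name, "ldap_default_bind_dn looks administrative; use a "
                        "dedicated read-only service account for SSSD lookups"))
    return out


# Constructed excerpt of the sssd.conf posted in the thread (the password was
# already redacted there); the duplicated key is present in the original too.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = myserver.com

[domain/myserver.com]
ldap_tls_reqcert = never
id_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldap://server.myserver.com
ldap_id_use_start_tls = False
ldap_default_bind_dn = CN=admin,CN=Users,DC=myserver,DC=com
ldap_default_authtok = ********
ldap_id_use_start_tls = False
ldap_id_mapping = True
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_group_member = memberUid
"""

if __name__ == "__main__":
    for sev, sec, msg in lint_sssd_conf(SAMPLE_CONF):
        print(f"{sev:5} [{sec}] {msg}")
```

Feed it the real file with `lint_sssd_conf(open("/etc/sssd/sssd.conf").read())` as root. Note that the bind password check only fires when a password is actually stored in the file; Kerberos-authenticated (`ldap_sasl_mech = GSSAPI`) setups carry no `ldap_default_authtok` and so are not flagged by it.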

Hi all,

Thanks for the replies.

I found the issue. It seems to be about the sssd version. See

Hi @nazunalika ,
Yes. I have old-version servers, and AD is Windows Server.
And also a storage server for common folders.
Old version servers use NIS for user IDs. So all users have same UNIX ID for accessing common folders.

I updated a server to Rocky 9.3, but Rocky 9.3 does not support NIS, so the best way seems to me to be LDAP. LDAP can also map UNIX IDs as user IDs.

If you have another, easier option, please share it with me.

Hi @hortimech
Yep, you are right. But I want to use the UNIX IDs from AD.
I am not an expert either, but AD IDs and UNIX IDs are different things.
As I said above, I want to use the same user IDs for all servers.

I will look at it. Thanks.

Anyway,
ldap_id_mapping = False works fine for me now.

Yes and no, Active Directory uses SIDs, using the RFC2307 attributes is just a way of mapping to the SID. Windows will use the SID, but you can make Unix machines use the rfc2307 attributes.

You wouldn’t be part of a university, would you ?