<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Oct 22, 2013 at 11:25 AM, <span dir="ltr"><<a href="mailto:harry.devine@faa.gov" target="_blank">harry.devine@faa.gov</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br><font face="sans-serif">We tried that and, sadly, it made no
difference. In fact, we get LESS information that before. It
appears as though we get the main group, and it does not know how to dig
further to get the sub-groups and group members. Also, we found that
our ldap_group_member is called uniqueMember and not memberUid. Perhaps
that's unique to your installation?</font>
<br>
<br><font face="sans-serif">Any other ideas? Should we post
our sssd.conf?</font>
<br>
<br><font face="sans-serif">Thanks,</font>
<br><font face="sans-serif">Harry</font>
<br><div class="im">
<br><font face="sans-serif">Harry Devine<br>
Common ARTS Software Development<br>
AJM-245<br>
<a href="tel:%28609%29485-4218" value="+16094854218" target="_blank">(609)485-4218</a><br>
<a href="mailto:Harry.Devine@faa.gov" target="_blank">Harry.Devine@faa.gov</a></font>
<br>
<br>
<br>
</div><table width="100%">
<tbody><tr valign="top">
<td><font color="#5f5f5f" face="sans-serif" size="1">From:</font>
</td><td><font face="sans-serif" size="1">Justin Edmands <<a href="mailto:shockwavecs@gmail.com" target="_blank">shockwavecs@gmail.com</a>></font>
<br>
</td></tr><tr valign="top">
<td><font color="#5f5f5f" face="sans-serif" size="1">To:</font>
</td><td><font face="sans-serif" size="1">"General discussion list for the
389 Directory server project." <<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a>></font>
</td></tr><tr valign="top">
<td><font color="#5f5f5f" face="sans-serif" size="1">Date:</font>
</td><td><font face="sans-serif" size="1">10/22/2013 10:22 AM</font>
</td></tr><tr valign="top">
<td><font color="#5f5f5f" face="sans-serif" size="1">Subject:</font>
</td><td><font face="sans-serif" size="1">Re: [389-users] (no subject)</font>
</td></tr><tr valign="top">
<td><font color="#5f5f5f" face="sans-serif" size="1">Sent by:</font>
</td><td><font face="sans-serif" size="1"><a href="mailto:389-users-bounces@lists.fedoraproject.org" target="_blank">389-users-bounces@lists.fedoraproject.org</a></font></td></tr></tbody></table>
<br>
<hr noshade><div class="HOEnZb"><div class="h5">
<br>
<br>
<br><font size="3">On Tue, Oct 22, 2013 at 9:51 AM, <</font><a href="mailto:harry.devine@faa.gov" target="_blank"><font color="blue" size="3"><u>harry.devine@faa.gov</u></font></a><font size="3">>
wrote:</font>
<br><font face="sans-serif" size="3"><br>
We have been working this problem for two weeks debugging. We have 389-ds
running and multi-master with 3 RHEL6 servers and a RHEL5. The RHEL5 ldap
clients authenticate correctly to the RHEL6 389-ds directory server and
with 'id' command can see all groups a user belongs too.</font><font size="3">
<br>
</font><font face="sans-serif" size="3"><br>
The same command in a RHEL6 ldap client using sssd shows ONLY the primary
group. If we change the ldap clients to point at the RHEL5 389-ds directory
server the same results occur. The one consistency is any RHEL6 ldap client
we setup will authenticate to either RHEL5 or RHEL6 but the entire list
of groups that user belongs to do not transfer independent of server version.
We have enumerate set to true and we have ldap_group_member set to uniqueMember.
These seems to point to the ldap client as RHEL5 client works just fine
and both RHEL5 and RHEL6 389-ds servers react the same but we're not sure
how to correct or is it a bug. HELP? </font><font size="3"><br>
</font><font face="sans-serif" size="3"><br>
Thanks!</font><font size="3"> <br>
</font><font face="sans-serif" size="3"><br>
Harry Devine<br>
Common ARTS Software Development<br>
AJM-245</font><font color="blue" face="sans-serif" size="3"><u><br>
</u></font><a href="tel:%28609%29485-4218" target="_blank"><font color="blue" face="sans-serif" size="3"><u>(609)485-4218</u></font></a><font color="blue" face="sans-serif" size="3"><u><br>
</u></font><a href="mailto:Harry.Devine@faa.gov" target="_blank"><font color="blue" face="sans-serif" size="3"><u>Harry.Devine@faa.gov</u></font></a><font size="3"><br>
--<br>
389 users mailing list</font><font color="blue" size="3"><u><br>
</u></font><a href="mailto:389-users@lists.fedoraproject.org" target="_blank"><font color="blue" size="3"><u>389-users@lists.fedoraproject.org</u></font></a><font color="blue" size="3"><u><br>
</u></font><a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank"><font color="blue" size="3"><u>https://admin.fedoraproject.org/mailman/listinfo/389-users</u></font></a>
<br><font size="3"><br>
</font>
<br><font size="3">I had the same issue. SSSD needs to be told where to pull
these from.<br>
</font>
<br><font size="3">I had to add this to the global section of the sssd.conf
(you may need to disable all caching devices as well. they will hold the
old "id" lookups)<br>
<br>
ldap_group_member = memberUid<br>
ldap_group_search_base = ou=<your group here>,dc=sagedining,dc=com<br>
</font><tt><font>--<br>
389 users mailing list<br>
<a href="mailto:389-users@lists.fedoraproject.org" target="_blank">389-users@lists.fedoraproject.org</a><br>
</font></tt><a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank"><tt><font>https://admin.fedoraproject.org/mailman/listinfo/389-users</font></tt></a>
<br>
<br></div></div><br>--<br>
389 users mailing list<br>
<a href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a><br>
<a href="https://admin.fedoraproject.org/mailman/listinfo/389-users" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><br></blockquote></div><br><br></div><div class="gmail_extra">Please do<br>
</div></div>