I'm experiencing problems on my RHEL 9 instance when looking up members of a group using getent group <GROUP NAME>. I can only get users which have direct access to a group, and not the "user groups" part of the group.

My sssd.conf:

[domain/<DOMAIN>]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
sudo_provider = ldap
ldap_uri = ldaps:/ipa.example.com
ldap_schema = rfc2307bis
ldap_search_base = dc=example,dc=com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_user_search_base = cn=users,cn=accounts,dc=example,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=example,dc=com

[sssd]
services = nss, pam, sudo
domains = default

[nss]
homedir_substring = /home

[pam]

[sudo]
Hi,

On Thu, Jan 18, 2024 at 12:03 PM Finn Fysj via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> I'm experiencing problems on my RHEL 9 instance when looking up members of a group using getent group <GROUP NAME>. I can only get users which have direct access to a group, and not the "user groups" part of the group.
>
> My sssd.conf:
>
> [domain/<DOMAIN>]
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> sudo_provider = ldap

If your provider is LDAP (and not IPA), you should ask on this mailing
list instead: sssd-users@lists.fedorahosted.org (see https://sssd.io/community.html).

flo

> ldap_uri = ldaps:/ipa.example.com
> ldap_schema = rfc2307bis
> ldap_search_base = dc=example,dc=com
> ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
> ldap_user_search_base = cn=users,cn=accounts,dc=example,dc=com
> ldap_group_search_base = cn=groups,cn=accounts,dc=example,dc=com
>
> [sssd]
> services = nss, pam, sudo
> domains = default
>
> [nss]
> homedir_substring = /home
>
> [pam]
>
> [sudo]
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
On Thu, 18 Jan 2024, Florence Blanc-Renaud via FreeIPA-users wrote:
> Hi,
>
> On Thu, Jan 18, 2024 at 12:03 PM Finn Fysj via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
>> I'm experiencing problems on my RHEL 9 instance when looking up members of a group using getent group <GROUP NAME>. I can only get users which have direct access to a group, and not the "user groups" part of the group.
>>
>> My sssd.conf:
>>
>> [domain/<DOMAIN>]
>> id_provider = ldap
>> auth_provider = ldap
>> chpass_provider = ldap
>> sudo_provider = ldap
>
> If your provider is LDAP (and not IPA), you should ask on this mailing
> list instead: sssd-users@lists.fedorahosted.org (see https://sssd.io/community.html).

If the server side is IPA, why is the client configured with the LDAP provider?

I also do not see in the configuration above whether you have configured SSSD to use authentication when talking to the LDAP server (IPA?). Did you simply omit them in the email or are they fully missing?

E.g. 'ldap_default_bind_dn' and 'ldap_default_authtok' are missing.

Without an authenticated bind, one cannot see member values:

dn: cn=groups,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "member || memberhost || memberof || memberuid || memberuser")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";)

For any POSIX group you can only read those attributes when authenticated.

> flo
>
>> ldap_uri = ldaps:/ipa.example.com
>> ldap_schema = rfc2307bis
>> ldap_search_base = dc=example,dc=com
>> ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
>> ldap_user_search_base = cn=users,cn=accounts,dc=example,dc=com
>> ldap_group_search_base = cn=groups,cn=accounts,dc=example,dc=com
>>
>> [sssd]
>> services = nss, pam, sudo
>> domains = default
>>
>> [nss]
>> homedir_substring = /home
>>
>> [pam]
>>
>> [sudo]
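The bind-rule point in the reply above, as an added example that is not part of the thread and not FreeIPA's or 389-ds's own code: a small Python evaluator for the "System: Read Group Membership" ACI quoted there. It parses the targetattr, targetfilter, allow and userdn clauses and shows why an anonymous bind gets no member values on a posixgroup while any authenticated bind does (in 389-ds bind rules, ldap:///anyone includes anonymous, ldap:///all means every authenticated identity). The sample group and user entries, the bind DN uid=sssd-bind,cn=sysaccounts,cn=etc,dc=ipa,dc=example and the function names are constructed for the example; a real server evaluates every matching ACI and lets deny win, which this single-ACI check does not model.

```python
"""Evaluate one 389-ds / FreeIPA ACI against a bind identity.

Added example (not from the thread): only the clauses the quoted ACI uses
(targetattr, targetfilter, allow/deny, userdn) are handled. Entries, bind DN
and function names below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# ACI text as quoted in the thread (base DN dc=ipa,dc=example as quoted there).
ACI = ('(targetattr = "member || memberhost || memberof || memberuid || memberuser")'
       '(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")'
       '(version 3.0;acl "permission:System: Read Group Membership";'
       'allow (compare,read,search) userdn = "ldap:///all";)')


@dataclass
class Aci:
    name: str
    target_attrs: set        # lower-cased attribute names, or {'*'}
    target_filter: tuple     # parsed LDAP filter tree, or None
    allow: bool              # True for 'allow', False for 'deny'
    rights: set              # e.g. {'compare', 'read', 'search'}
    userdn: str              # bind rule, e.g. 'ldap:///all'


def parse_filter(s: str, i: int = 0):
    """Parse an RFC 4515-style filter into ('&'|'|', [kids]), ('!', kid) or ('=', attr, value)."""
    if s[i] != '(':
        raise ValueError(f"expected '(' at {i} in {s!r}")
    i += 1
    if s[i] in '&|':
        op, kids, i = s[i], [], i + 1
        while s[i] == '(':
            node, i = parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1          # skip the closing ')'
    if s[i] == '!':
        node, i = parse_filter(s, i + 1)
        return ('!', node), i + 1
    j = s.index(')', i)
    attr, _, value = s[i:j].partition('=')
    return ('=', attr.strip().lower(), value.strip()), j + 1


def matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against an entry given as {attr: [values]} (attrs lower-cased)."""
    kind = node[0]
    if kind == '&':
        return all(matches(k, entry) for k in node[1])
    if kind == '|':
        return any(matches(k, entry) for k in node[1])
    if kind == '!':
        return not matches(node[1], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == '*':
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def parse_aci(text: str) -> Aci:
    """Extract the clauses used by the quoted ACI; a missing clause raises."""
    def clause(pattern):
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"ACI lacks clause matching {pattern!r}")
        return m.groups()
    (attrs_raw,) = clause(r'\(targetattr\s*=\s*"([^"]*)"\)')
    flt = re.search(r'\(targetfilter\s*=\s*"([^"]*)"\)', text)
    decision, rights = clause(r'(allow|deny)\s*\(([^)]*)\)')
    return Aci(
        name=clause(r'acl\s+"([^"]*)"')[0],
        target_attrs={a.strip().lower() for a in attrs_raw.split('||')},
        target_filter=parse_filter(flt.group(1))[0] if flt else None,
        allow=(decision == 'allow'),
        rights={r.strip().lower() for r in rights.split(',')},
        userdn=clause(r'userdn\s*=\s*"([^"]*)"')[0].lower(),
    )


def bind_rule_matches(userdn: str, bind_dn: Optional[str], entry_dn: str) -> bool:
    """389-ds semantics: 'anyone' includes anonymous, 'all' is every authenticated
    identity, 'self' is the entry being read, anything else is an exact DN."""
    if userdn == 'ldap:///anyone':
        return True
    if bind_dn is None:                      # anonymous bind matches nothing else
        return False
    if userdn == 'ldap:///all':
        return True
    if userdn == 'ldap:///self':
        return bind_dn.lower() == entry_dn.lower()
    return userdn == 'ldap:///' + bind_dn.lower()


def aci_grants(aci: Aci, entry: dict, bind_dn: Optional[str], attr: str, right: str = 'read') -> bool:
    """True if this ACI alone lets bind_dn perform `right` on `attr` of `entry`."""
    if attr.lower() not in aci.target_attrs and '*' not in aci.target_attrs:
        return False
    if aci.target_filter is not None and not matches(aci.target_filter, entry):
        return False
    if right not in aci.rights:
        return False
    if not bind_rule_matches(aci.userdn, bind_dn, entry['dn']):
        return False
    return aci.allow


def visible_membership(aci: Aci, entry: dict, bind_dn: Optional[str]) -> dict:
    """The attributes of `entry` that this ACI lets bind_dn read."""
    return {a: v for a, v in entry.items() if a != 'dn' and aci_grants(aci, entry, bind_dn, a)}


# Constructed sample entries in the shape FreeIPA uses (not real data).
GROUP = {
    'dn': 'cn=ops,cn=groups,cn=accounts,dc=ipa,dc=example',
    'objectclass': ['top', 'groupofnames', 'nestedgroup', 'ipausergroup', 'ipaobject', 'posixgroup'],
    'cn': ['ops'],
    'gidnumber': ['1001'],
    'member': ['uid=alice,cn=users,cn=accounts,dc=ipa,dc=example',
               'cn=ops-leads,cn=groups,cn=accounts,dc=ipa,dc=example'],   # nested group
}
USER = {   # a user entry does not match the targetfilter, so this ACI covers nothing on it
    'dn': 'uid=alice,cn=users,cn=accounts,dc=ipa,dc=example',
    'objectclass': ['top', 'person', 'posixaccount', 'inetorgperson'],
    'uid': ['alice'],
    'memberof': ['cn=ops,cn=groups,cn=accounts,dc=ipa,dc=example'],
}
BIND_DN = 'uid=sssd-bind,cn=sysaccounts,cn=etc,dc=ipa,dc=example'   # assumed service account

if __name__ == '__main__':
    aci = parse_aci(ACI)
    print(aci.name)
    print('anonymous     ->', visible_membership(aci, GROUP, None))
    print('authenticated ->', visible_membership(aci, GROUP, BIND_DN))
```

Against a live server the same thing can be observed with two ldapsearch runs over the group subtree, one simple-bind search without -D (anonymous) and one with -D <bind DN> -W, comparing whether member appears in the output; SSSD's ldap_default_bind_dn and ldap_default_authtok are what turn the second case into the one SSSD actually performs.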