On 11/12/2010 08:13 AM, Sergei V. Kovylov wrote:
> Hello everyone. Can you clarify the situation about nested groups? When I use rfc2307bis I'm not able to get membership from nested groups.
>
> Example:
>
>     GRP-SVC-SSH-NODE
>      |- user1
>      |- user2
>
>     GRP-SVC-SSH-NODE1
>      |- GRP-SVC-SSH-NODE
>
> Users from GRP-SVC-SSH-NODE are not members of GRP-SVC-SSH-NODE1.
What command are you using to check this? Can you tell me if getent group GRP-SVC-SSH-NODE1 shows the users from GRP-SVC-SSH-NODE?
What about:

    id <user from GRP-SVC-SSH-NODE>

Does that show the user as a member of both groups?
If possible, please also turn debug_level up to 6 and include the debug log in /var/log/sssd/sssd_<domain>.log for those two commands.
> In the previous version, 1.3.1, it works, but from version 1.4 it is not working. As I can see in "src/providers/ldap/sdap_async_accounts.c":
>
>     /* FIXME: we ignore nested rfc2307bis groups for now */
>     filter = talloc_asprintf(grp_state, "(objectclass=%s)",
>                              opts->user_map[SDAP_OC_USER].name);
>
> Also the same situation with the LDAP memberOf attribute. It just creates an "originalMemberOf" entry but does nothing with it.
>
> Maybe the problem is because the groups are stored in different OUs:
>
>     OU=COMPUTE
>      |- OU=GROUP-ACCESS
>          |- cn=GRP-SVC-SSH-NODE
>          |- ou=SSH-GROUPS
>              |- cn=GRP-SVC-SSH-NODE01
>
> which means:
>
>     GRP-SVC-SSH-NODE  = cn=GRP-SVC-SSH-NODE,ou=GROUP-ACCESS,ou=COMPUTE, dc......
>     GRP-SVC-SSH-NODE1 = cn=GRP-SVC-SSH-NODE1,ou=SSH-GROUPS,ou=GROUP-ACCESS,ou=COMPUTE, dc.....
-- 
Stephen Gallagher
RHCE 804006346421761
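The nested expansion this thread is about, as an added example (not sssd's code): it parses a constructed rfc2307bis-style LDIF holding the two groups from the thread, expands member DNs transitively with cycle protection, and returns the flat uid list that `getent group` would be expected to show, so that expected value can be compared with what sssd actually reports. The user DNs, the ou=People container and the dc=example,dc=com suffix are assumptions.

```python
# Added example (not sssd code): expand nested rfc2307bis groups the way a
# membership lookup should, so the expected flat list can be compared with
# what `getent group <grp>` and `id <user>` report. DNs are constructed.
from collections import deque

SAMPLE_LDIF = """\
dn: cn=GRP-SVC-SSH-NODE,ou=GROUP-ACCESS,ou=COMPUTE,dc=example,dc=com
objectClass: groupOfNames
member: uid=user1,ou=People,dc=example,dc=com
member: uid=user2,ou=People,dc=example,dc=com

dn: cn=GRP-SVC-SSH-NODE1,ou=SSH-GROUPS,ou=GROUP-ACCESS,ou=COMPUTE,dc=example,dc=com
objectClass: groupOfNames
member: cn=GRP-SVC-SSH-NODE,ou=GROUP-ACCESS,ou=COMPUTE,dc=example,dc=com
"""

def parse_ldif(text):
    """Return {group_dn: [member_dn, ...]} for each entry of the constructed LDIF."""
    groups, dn, members = {}, None, []
    for line in text.splitlines() + [""]:
        if not line.strip():                 # blank line closes an entry
            if dn is not None:
                groups[dn] = members
            dn, members = None, []
        elif line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("member: "):
            members.append(line[8:].strip())
    return groups

def flat_members(groups, group_dn):
    """Transitively expand nested groups; the seen set makes it cycle-safe."""
    users, seen, todo = set(), {group_dn}, deque([group_dn])
    while todo:
        for m in groups.get(todo.popleft(), []):
            if m in groups:                  # member DN is itself a group
                if m not in seen:
                    seen.add(m)
                    todo.append(m)
            else:                            # leaf entry: a user DN
                users.add(m)
    return sorted(users)

def rdn_value(dn):
    """'uid=user1,ou=People,...' -> 'user1' (value of the first RDN)."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def expected_getent_members(groups, group_dn):
    """Comma-joined uids, as in the last field of a `getent group` line."""
    return ",".join(rdn_value(u) for u in flat_members(groups, group_dn))
```

Run `expected_getent_members(parse_ldif(SAMPLE_LDIF), <dn of GRP-SVC-SSH-NODE1>)` and compare the result with the member field of `getent group GRP-SVC-SSH-NODE1` on the client; a difference means the nesting was not resolved.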