On Thu, Dec 07, 2017 at 07:46:11AM -0000, Иван Мастренко wrote:
Hello! I have a problem with getting the groups list for a user in LDAP:
[sssd[be[DOMAIN_GROUP2]]] [sdap_initgr_rfc2307bis_next_base] (0x0400): Searching for parent groups for user [uid=hwadmin_sssd,ou=users,dc=my,dc=domain] with base [ou=groups,dc=my,dc=domain]
[sssd[be[DOMAIN_GROUP2]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(memberUid=uid=hwadmin_sssd,ou=users,dc=my,dc=domain)(objectClass=posixGroup)(cn=*))][ou=groups,dc=my,dc=domain].
As seen above, SSSD tries to search groups with a filter where memberUid = <fullDN>, but this is not correct. It should search for: (&(memberUid=hwadmin_sssd)(objectClass=posixGroup)(cn=*))
My config is:
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = ,DOMAIN_GROUP2
override_homedir = /home/%u
[domain/default]
debug_level = 7
[domain/DOMAIN_GROUP2]
autofs_provider = ldap
cache_credentials = False
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://172.20.47.115:389
ldap_schema = rfc2307bis
Please try 'ldap_schema = rfc2307'
rfc2307bis uses DNs to identify members while plain rfc2307 uses just names.
HTH
bye, Sumit
ldap_default_bind_dn = uid=sssd,ou=ServiceAccounts,dc=my,dc=domain
ldap_default_authtok = password
ldap_group_member = memberUid
#ldap_use_tokengroups = false
# TLS/SSL
ldap_tls_reqcert = never
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
# SEARCH BASE
ldap_search_base = dc=my,dc=domain
ldap_user_search_base = ou=users,dc=my,dc=domain
ldap_group_search_base = ou=groups,dc=my,dc=domain
#ldap_group_object_class = groupOfNames
# FILTER
access_provider = ldap
ldap_access_filter = (memberOf=cn=HWS_ADMINS,ou=groups,dc=my,dc=domain)
override_gid = 1001
override_shell = /bin/bash
skel_dir=/etc/skel_ptk/
debug_level = 7
[nss]
homedir_substring = /home
debug_level = 7
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
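
The schema difference discussed in this thread, as an added example that is not part of the original messages and is not SSSD source code: a simplified Python model of the group-lookup filter for each ldap_schema value, run against constructed group entries. The function names and the sample groups (group_a, group_b) are assumptions made for the illustration; the user name, DN and filter shape are taken from the log above.

```python
# Added illustration, not SSSD source: a simplified model of the group-lookup
# filter for each ldap_schema value. All directory entries are constructed.

def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside a filter value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def member_value(schema, user_name, user_dn):
    """rfc2307 identifies members by bare name, rfc2307bis by full DN."""
    if schema == "rfc2307":
        return user_name
    if schema == "rfc2307bis":
        return user_dn
    raise ValueError("unsupported schema in this model: %s" % schema)

def initgroups_filter(schema, member_attr, user_name, user_dn):
    """Build the parent-group search filter in the shape seen in the log."""
    value = escape_filter_value(member_value(schema, user_name, user_dn))
    return "(&(%s=%s)(objectClass=posixGroup)(cn=*))" % (member_attr, value)

def groups_found(groups, schema, member_attr, user_name, user_dn):
    """Return the cn of each group whose member attribute holds the value
    that the chosen schema makes the client search for."""
    wanted = member_value(schema, user_name, user_dn)
    return [g["cn"] for g in groups if wanted in g.get(member_attr, [])]

USER_NAME = "hwadmin_sssd"
USER_DN = "uid=hwadmin_sssd,ou=users,dc=my,dc=domain"
# Constructed sample: posixGroup entries that list members by name.
GROUPS = [
    {"cn": "group_a", "memberUid": ["hwadmin_sssd"]},
    {"cn": "group_b", "memberUid": ["someone_else"]},
]

if __name__ == "__main__":
    for schema in ("rfc2307bis", "rfc2307"):
        print(schema)
        print("  filter:", initgroups_filter(schema, "memberUid", USER_NAME, USER_DN))
        print("  groups:", groups_found(GROUPS, schema, "memberUid", USER_NAME, USER_DN))
```

With rfc2307bis the model searches for the full DN in memberUid and finds no groups, while rfc2307 searches for the bare name and finds the group that lists the user.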