On 02/22/2013 05:39 PM, Zachary Hanson-Hart wrote:
I have an LDAP server that is configured to serve up groups, and only groups, using the rfc2307 schema.  I have available to me a separate ldap authentication server.  I want sssd to get identity information from both sources.  It is not possible to just put the groups into the existing server, as "they" will not grant me write access nor will they agree to manage the groups. 

sssd.conf is set up with two domains.  The first (ldapr) is both auth and id provider.  The second (groupldap) is simply an id provider (with auth_provider=none). 

The problem is that initgroups() only seems to be running for the first domain.

In the first domain, gidNumber = uidNumber but there is no group with this gidNumber.

The groupldap DOES have a group with this gidNumber.  It is successfully obtained with the nss_cmd_getgrgid_search call before the initgroups call finishes for USERNAME@ldapr.

The information flow is basically:
Issue initgroups for ALL
begin initgroups for ldapr
get missing information from groupldap
complete initgroups for ldapr

Here, it seems to me that it should continue with an initgroups for groupldap.  It does not. 

There are other groups on groupldap that have memberUid=USERNAME.  There is never any search for groups with memberUid=USERNAME coming from the server (in the logs on the ldap server, or in the sssd logs), and initgroups is never called on the second domain (groupldap). 

To make things more confusing, if I:
getent -s sss group SOMEGROUP
I get:
SOMEGROUP:*:12345:USERNAME:otheruser:...

where SOMEGROUP is a posixGroup on groupldap.

So, it CAN get the group information from the groupldap domain, but it doesn't.

Is this a bug, or the expected behavior?  If this is expected, how do you get it to search both? 

The SSSD expectation is that identity data is domain-consistent, meaning that users from domain A are members of groups in domain A and users in domain B are members of groups in domain B. There is no overlap.
Also, AFAIR, you can't configure two connections from within one domain.
What you can do is, for groups, use
sss ldap
or maybe even just ldap
in nsswitch.conf, and use SSSD for users and configure nss_ldap for groups.

I am not sure whether that would work but it is worth a try.


Any help would be greatly appreciated.

-Zach



_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


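What the two-domain sssd.conf Zach describes, together with the nsswitch.conf / nss_ldap split Dmitri suggests, could look like. This is an added example, not configuration from either poster or from the SSSD project; the hostnames, base DNs, CA path and the choice of the PADL nss_ldap file layout are assumptions, and, as Dmitri says, whether the nss_ldap route works for this setup is untested here. Three files are shown in one block, separated by comment headers.

```ini
# --- /etc/sssd/sssd.conf (hostnames and base DNs are assumed) ---
[sssd]
config_file_version = 2
services = nss, pam
domains = ldapr, groupldap

# Users and authentication come from the existing server ("ldapr").
[domain/ldapr]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldaps://ldap.example.org
ldap_search_base = dc=example,dc=org
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_reqcert = demand

# The group-only server: identity data only, no authentication.
[domain/groupldap]
id_provider = ldap
auth_provider = none
ldap_schema = rfc2307
ldap_uri = ldaps://groups.example.org
ldap_search_base = ou=groups,dc=example,dc=org
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_reqcert = demand

# --- /etc/ldap.conf (PADL nss_ldap; nslcd uses /etc/nslcd.conf instead) ---
uri ldaps://groups.example.org
base dc=example,dc=org
ssl on
tls_checkpeer yes
tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
# nsswitch.conf only routes the group map to this module; narrowing the
# group base keeps it from walking the whole tree on every lookup.
nss_base_group ou=groups,dc=example,dc=org?one

# --- /etc/nsswitch.conf ---
passwd:     files sss
shadow:     files sss
group:      files sss ldap
# Do NOT add an "initgroups:" line. With only a "group:" line, glibc's
# initgroups walks every listed module and merges the results, which is
# what would let the memberUid groups on groupldap be appended to what sss
# returns. With an "initgroups:" line present, the default action is to
# stop at the first module that succeeds.
```

After restarting sssd, `getent -s sss passwd USERNAME` should resolve the user, `getent -s ldap group SOMEGROUP` should return the group through nss_ldap alone, and only then is `id USERNAME` worth checking for the groupldap memberships. Because nss_ldap is loaded into every unprivileged process that resolves a group, the group server has to answer read-only queries over TLS without a bind password sitting world-readable in /etc/ldap.conf.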