sorry for coming back late

one correction that, it's ok to define a long group name in "cn" of objectClass posixGroup, it won't lead any issue when login the user via sssd ldap integration.

but have the otherthing want to confirm:

i set the "ldap_group_name = description", and set the value of "desciption" different with "cn", for example:

cn=my-testing-group-at-world-wide-space

description=test-group

the command "id nick" output:

uid=15001(nick) gid=20000(my-testing-group-at-world-wide-space) groups=20000(my-testing-group-at-world-wide-space)

it still use the value of "cn"

but, if i set

access_provider = simple

# specify the long group name (as in 'cn')

simple_allow_groups = my-testing-group-at-world-wide-space

the usre 'nick' can't login (with error message incorrect password)

if i set to

access_provider = simple

# specify short group name (as in 'description')

simple_allow_groups = test-group

the user 'nick' can login now.

so looks like there is some mismatch.

Thanks & Best Regards!

///
(. .)
--------ooO--(_)--Ooo--------
| Nick Tan |
------------------------------------

On Mon, Aug 4, 2014 at 8:48 PM, Jakub Hrozek <jhrozek@redhat.com> wrote:

On Sat, Aug 02, 2014 at 07:28:53AM +0800, XuQing Tan wrote:
> Hi
>
> i set the ldap_group_name = description in the sssd domain section. (i want
> to map to 'description' rather than 'cn')
> i cleaned the sssd cache file and restart sssd service
> when i typed "id <user_id>", it still displayed the groupname as the "cn"
>
> i'm using sssd 1.9.2 on CentOS 6.3:
> [root]# rpm -qa|grep sssd
> sssd-client-1.9.2-129.el6_5.4.x86_64
> sssd-1.9.2-129.el6_5.4.x86_64
>
> is it a defect?

Hard to tell without seeing the configuration and domain and sssd logs
with debug_level=6 or higher.

_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users