On 02/20/2013 04:20 PM, Scott Classen wrote:
On Feb 20, 2013, at 12:41 PM, Jakub Hrozek wrote:
>> So the solution was to add the following line to my sssd.conf file
>>
>> enumerate = true
>>
>> That's it.
>>
>> Everything works now.
>>
>> id username returns useful information.
>> getent works.
>> ls -l works.
>>
>> Not exactly sure why enumerate = true would fix my problem? I would expect that
>> the underlying mechanism used to gather user/group information from OpenLDAP would be the
>> same regardless of whether enumeration is turned on or off. My understanding from reading
>> the sssd documentation is that enumeration merely caches the user/group information
>> locally. There must be something else going on that is causing the system to hang when
>> enumeration is set to false.
>>
>> Anyways that's as far as I got. I'm happy that things are working now.
>>
>> Scott
>>
> Hi,
>
> The dereference processing can only work if the attributes
> being dereferenced (usually member:) are DNs (DN_SYNTAX_OID). Does your
> schema maybe touch the member attributes in any way? Do all your groups
> really use the member attribute and not for instance uniqueMember?
>
> Turning the enumeration on merely works around the problem by following
> a different code path.
Jakub,
my custom schema only extends the posixAccount to add some extra attributes. I make no
changes to posixGroup.
ldapsearch -ZZ -x -D "uid=nss,dc=mydomain" -b "dc=mydomain" -w secret "uniqueMember=*"
returns nothing.
ldapsearch -ZZ -x -D "uid=nss,dc=mydomain" -b "dc=mydomain" -w secret "member=*"
returns the 175 groups in my ldap directory.
An example for a specific group (e.g. dvd) would be:
ldapsearch -ZZ -x -D "uid=nss,dc=mydomain" -b "dc=mydomain" -w secret "cn=dvd"
# extended LDIF
#
# LDAPv3
# base <dc=mydomain> with scope subtree
# filter: cn=dvd
# requesting: ALL
#
# dvd, Group, mydomain
dn: cn=dvd,ou=Group,dc=mydomain
objectClass: posixGroup
objectClass: groupOfNames
objectClass: top
objectClass: apple-group
objectClass: extensibleObject
cn: dvd
gidNumber: 9075
description: dvd burner admin group
member: uid=user1,ou=People,dc=mydomain
member: uid=user2,ou=People,dc=mydomain
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1
I hope this helps.
Scott
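A small diagnostic, added here as an example and not part of the thread, that parses ldapsearch LDIF output like the one above and reports, per group, which membership attribute (member or uniqueMember) is present and which of its values are not DN-shaped, i.e. the two conditions Jakub names for dereference processing. The LDIF sample is constructed, modelled on the dvd group plus a group using uniqueMember and one with a non-DN member value; the function names and the DN regex are my own.

```python
import re

# Constructed LDIF sample modelled on the thread's ldapsearch output: a healthy
# "member" group with DN values, a uniqueMember group, and a non-DN member value.
SAMPLE_LDIF = """\
dn: cn=dvd,ou=Group,dc=mydomain
objectClass: posixGroup
cn: dvd
member: uid=user1,ou=People,dc=mydomain
member: uid=user2,ou=People,dc=mydomain

dn: cn=scanner,ou=Group,dc=mydomain
objectClass: posixGroup
cn: scanner
uniqueMember: uid=user3,ou=People,dc=mydomain

dn: cn=legacy,ou=Group,dc=mydomain
objectClass: posixGroup
cn: legacy
member: user4
"""

MEMBER_ATTRS = ("member", "uniquemember")  # compared case-insensitively
# Loose DN shape: one or more "attr=value" RDNs separated by commas.
DN_RE = re.compile(r"^\s*[A-Za-z][\w-]*=[^,]+(\s*,\s*[A-Za-z][\w-]*=[^,]+)*\s*$")

def parse_ldif(text):
    """Split simple LDIF (no continuation or base64 lines) into (dn, {attr: [values]})."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue  # skip ldapsearch comments such as "# numEntries: 1"
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        entries.append((attrs.get("dn", [""])[0], attrs))
    return entries

def check_group_members(text):
    """Return {group dn: (membership attr used or None, [values that are not DNs])}."""
    report = {}
    for dn, attrs in parse_ldif(text):
        used = [a for a in MEMBER_ATTRS if a in attrs]
        attr = used[0] if used else None
        bad = [v for a in used for v in attrs[a] if not DN_RE.match(v)]
        report[dn] = (attr, bad)
    return report
```

Any group reported with uniquemember or with non-DN values is one SSSD's member dereferencing cannot follow as-is; if groups really do use uniqueMember, SSSD's ldap_group_member option in sssd.conf selects that attribute instead of the default member.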
Can it be something in root DN?
I agree that enumerate = true is just hiding the problem.
We generally do not recommend turning on enumeration. It might work for
you if your user base is small but it does not scale well for the cases
when there is a lot of data to download.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.