On 02/20/2013 04:20 PM, Scott Classen wrote:
On Feb 20, 2013, at 12:41 PM, Jakub Hrozek wrote:

So the solution was to add the following line to my sssd.conf file

enumerate = true

That's it.

Everything works now.

id username returns useful information.
getent works.
ls -l works.

Not exactly sure why enumerate = true would fix my problem? I would expect that the underlying mechanism used to gather user/group information from OpenLDAP would be the same regardless of whether enumeration is turned on or off. My understanding from reading the sssd documentation is that enumeration merely caches the user/group information locally. There must be something else going on that is causing the system to hang when enumeration is set to false.

Anyways that's as far as I got. I'm happy that things are working now.



The dereference processing can only work if the attributes
being dereferenced (usually member:) are DNs (DN_SYNTAX_OID). Does your
schema maybe touch the member attributes in any way? Do all your groups
really use the member attribute and not for instance uniqueMember?

Turning the enumeration on merely works around the problem by following
a different code path.

My custom schema only extends the posixAccount to add some extra attributes. I make no changes to posixGroup.

ldapsearch -ZZ -x -D "uid=nss,dc=mydomain" -b "dc=mydomain" -w secret "uniqueMember=*"

returns nothing.

ldapsearch -ZZ -x -D "uid=nss,dc=mydomain" -b "dc=mydomain" -w secret "member=*"

returns the 175 groups in my LDAP directory.

An example for a specific group (e.g. dvd) would be:

ldapsearch -ZZ -x -D "uid=nss,dc=mydomain" -b "dc=mydomain" -w secret "cn=dvd"

# extended LDIF
# LDAPv3
# base <dc=mydomain> with scope subtree
# filter: cn=dvd
# requesting: ALL

# dvd, Group, mydomain
dn: cn=dvd,ou=Group,dc=mydomain
objectClass: posixGroup
objectClass: groupOfNames
objectClass: top
objectClass: apple-group
objectClass: extensibleObject
cn: dvd
gidNumber: 9075
description: dvd burner admin group
member: uid=user1,ou=People,dc=mydomain
member: uid=user2,ou=People,dc=mydomain

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

I hope this helps.
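Jakub's question above (are the dereferenced attributes really DNs, and do all groups use member rather than uniqueMember?) can be answered over a full ldapsearch export rather than one group at a time. The following is an added example, not code from the thread or from sssd: a small stdlib-only Python audit that parses the LDIF that ldapsearch prints, picks out group entries, and flags groups that carry uniqueMember instead of member or whose membership values are not syntactically DNs. The LDIF is constructed inline; the dvd group is the one shown in the thread, while the "legacy" and "broken" groups are hypothetical additions used to exercise the two failure modes.

```python
import re

# Constructed sample LDIF (as ldapsearch -LLL would print it). The dvd group is
# the entry from the thread; "legacy" and "broken" are hypothetical groups added
# to show a uniqueMember-only group and a member value that is not a DN.
SAMPLE_LDIF = """\
dn: cn=dvd,ou=Group,dc=mydomain
objectClass: posixGroup
objectClass: groupOfNames
cn: dvd
gidNumber: 9075
member: uid=user1,ou=People,dc=mydomain
member: uid=user2,ou=People,dc=mydomain

dn: cn=legacy,ou=Group,dc=mydomain
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: legacy
gidNumber: 9076
uniqueMember: uid=user3,ou=People,dc=mydomain

dn: cn=broken,ou=Group,dc=mydomain
objectClass: posixGroup
cn: broken
gidNumber: 9077
member: user4
"""

# Simplified DN check: one or more "attr=value" RDNs separated by commas.
# Escaped commas and multi-valued RDNs are not handled; good enough for an audit.
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+(,[A-Za-z][A-Za-z0-9-]*=[^,=]+)*$")

GROUP_CLASSES = {"posixgroup", "groupofnames", "groupofuniquenames"}


def parse_ldif(text):
    """Parse plain (non-base64) LDIF into a list of (dn, {attr: [values]}).

    Attribute names are lowercased because LDAP treats them case-insensitively.
    Comment lines (#) are skipped; a blank line ends an entry.
    """
    entries, attrs, dn = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            attrs, dn = {}, None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn is not None:
        entries.append((dn, attrs))
    return entries


def check_group(attrs):
    """Return a list of findings for one group entry (empty list means OK)."""
    findings = []
    members = attrs.get("member", [])
    uniques = attrs.get("uniquemember", [])
    if not members and uniques:
        findings.append("uses uniqueMember, not member")
    if not members and not uniques:
        findings.append("no membership attribute")
    # Dereferencing only works when every membership value is a DN.
    for value in members + uniques:
        if not DN_RE.match(value):
            findings.append(f"non-DN member value: {value!r}")
    return findings


def audit(text):
    """Map each group DN in the LDIF to its list of findings."""
    results = {}
    for dn, attrs in parse_ldif(text):
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if classes & GROUP_CLASSES:
            results[dn] = check_group(attrs)
    return results


if __name__ == "__main__":
    for dn, findings in audit(SAMPLE_LDIF).items():
        print(dn, "OK" if not findings else "; ".join(findings))
```

To run it against a real directory, pipe the output of the "member=*" search from the thread (with -LLL to drop the comment lines) into the script in place of SAMPLE_LDIF; any group that is reported is one the dereference code path would not be able to resolve, which is the situation enumeration only papers over.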


Can it be something in the root DN?

I agree that enumerate = true is just hiding the problem.
We generally do not recommend turning on enumeration. It might work for you if your user base is small but it does not scale well for the cases when there is a lot of data to download.

sssd-users mailing list

Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
