On Fri, Feb 22, 2013 at 05:39:01PM -0500, Zachary Hanson-Hart wrote:
I have an LDAP server that is configured to serve up groups, and
groups, using the rfc2307 schema. I have available to me a separate ldap
authentication server. I want sssd to get identity information from both
sources. It is not possible to just put the groups into the
server, as "they" will not grant me write access nor will they agree to
manage the groups.

sssd can follow referrals. Is it possible to add a referral on the LDAP
authentication server which points to the LDAP group server?
sssd.conf is set up with two domains. The first (ldapr) is both auth and
id provider. The second (groupldap) is simply an id provider (with
The problem is that initgroups() only seems to be running for the first
In the first domain, gidNumber = uidNumber but there is no group with this
The groupldap DOES have a group with this gidNumber. It is successfully
obtained with the nss_cmd_getgrgid_search call before the initgroups call
finishes for USERNAME@ldapr.
The information flow is basically:

    Issue initgroups for ALL
      begin initgroups for ldapr
        get missing information from groupldap
      complete initgroups for ldapr
Here, it seems to me that it should continue with an initgroups for
groupldap. It does not.
There are other groups on groupldap that have memberUid=USERNAME. There is
never any search for groups with memberUid=USERNAME coming from the server
(in the logs on the ldap server, or in the sssd logs), and initgroups is
never called on the second domain (groupldap).
To make things more confusing, if I:

    getent -s sss group SOMEGROUP

where SOMEGROUP is a posixGroup on groupldap.
So, it CAN get the group information from the groupldap domain, but it
Is this a bug, or the expected behavior? If this is expected, how do you
get it to search both?
Any help would be greatly appreciated.
sssd-users mailing list
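The two-domain layout described in the message, as an added example that is not the poster's own sssd.conf: a constructed configuration with "ldapr" as id and auth provider and "groupldap" as an id-only rfc2307 group domain, plus a small Python script that parses it with configparser and reports, for each domain listed under [sssd], its id provider, its auth provider and whether the LDAP provider follows referrals. Hostnames, base DNs and the enabled services are assumptions. Worth keeping in mind when reading the output: SSSD resolves a user's supplementary groups through the provider of the domain that user belongs to, so group entries that exist only in a second LDAP domain are reachable through getgrnam/getgrgid but are not merged into that user's initgroups.

```python
"""Inspect the domain layout of an sssd.conf.

Added example, not the poster's configuration.  SAMPLE_SSSD_CONF is
constructed to mirror the thread: domain "ldapr" is id + auth provider,
domain "groupldap" is id-only and serves rfc2307 groups.  Hostnames,
base DNs and the enabled services are assumptions.
"""
import configparser
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = ldapr, groupldap

[domain/ldapr]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldaps://auth.example.test
ldap_search_base = dc=example,dc=test
cache_credentials = true

[domain/groupldap]
id_provider = ldap
auth_provider = none
ldap_schema = rfc2307
ldap_uri = ldaps://groups.example.test
ldap_search_base = ou=groups,dc=example,dc=test
ldap_referrals = false
"""


@dataclass
class DomainInfo:
    name: str
    id_provider: str
    auth_provider: str
    ldap_uri: str
    follows_referrals: bool


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is plain INI, so configparser handles it directly."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def enabled_domains(cp: configparser.ConfigParser) -> List[str]:
    """Domains sssd will actually serve, in the order listed under [sssd]."""
    raw = cp.get("sssd", "domains", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]


def domain_info(cp: configparser.ConfigParser, name: str) -> DomainInfo:
    section = f"domain/{name}"
    if not cp.has_section(section):
        raise KeyError(f"[sssd] lists domain {name!r} but [{section}] is missing")
    id_provider = cp.get(section, "id_provider")
    # sssd falls back to the id provider for authentication when
    # auth_provider is unset; "none" disables authentication explicitly.
    auth_provider = cp.get(section, "auth_provider", fallback=id_provider)
    # ldap_referrals defaults to true in the LDAP provider.
    referrals = cp.getboolean(section, "ldap_referrals", fallback=True)
    return DomainInfo(name, id_provider, auth_provider,
                      cp.get(section, "ldap_uri", fallback=""), referrals)


def domain_layout(text: str) -> Dict[str, DomainInfo]:
    """Map each enabled domain name to its provider summary, in [sssd] order."""
    cp = parse_sssd_conf(text)
    return {name: domain_info(cp, name) for name in enabled_domains(cp)}


def id_only_domains(text: str) -> List[str]:
    """Domains that resolve identities but never authenticate anyone."""
    return [d.name for d in domain_layout(text).values() if d.auth_provider == "none"]


if __name__ == "__main__":
    for info in domain_layout(SAMPLE_SSSD_CONF).values():
        print(f"{info.name:10} id={info.id_provider:5} auth={info.auth_provider:5} "
              f"uri={info.ldap_uri} referrals={info.follows_referrals}")
```

Run it against a real sssd.conf by replacing SAMPLE_SSSD_CONF with the file's contents; the order of the returned dictionary is the order sssd consults the domains for a lookup that carries no domain suffix.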