Hi all
I'm trying to make sssd work with an ancient LDAP server which uses a non RFC2307
compliant schema. It is an IBM Directory server with a decades old AIX proprietary
schema
I was able to map the required user's attributes easily in sssd.conf, however I'm
running into trouble with the groups.
The problem is that the 'member' attribute in each ldap group is stored in LDAP in
an unusual format like this:
...
groupname: some_group
objectclass: aixaccessgroup
member: username=some_user_name1
member: username=some_user_name2
member: username=some_user_name3
...
so I think the issue is the 'username=' in front of each user id
when i try to list group using getent, i get this:
# getent group some_group
some_group:*:1234:username=some_user_name1,username=some_user_name2,username=some_user_name3,..
i.e. the 'username=' string is prepended to each member id.
here is what I have in sssd.conf:
...
ldap_user_search_base = ou=aixuser,cn...
ldap_user_object_class = aixaccount
ldap_user_name = username
ldap_user_uid_number = uid
ldap_user_gid_number = gid
ldap_group_search_base = ou=aixgroup,cn...
ldap_group_object_class = aixaccessgroup
ldap_group_gid_number = gid
ldap_group_name = groupname
ldap_group_member = member
...
When a user logs in and sssd tries to enumerate the group memberships it submits an ldap
search as '
[(&(member=some_user_name1)(objectClass=aixaccessgroup)(groupname=*)(&(gid=*)(!(gid=0))))]
base: [ou=aixgroup,cn...' and of course that returns nothing.
[sdap_get_generic_op_finished] (0x0400): [RID#6] Search result: Invalid DN syntax(34), no
errmsg set
[sdap_get_generic_op_finished] (0x0040): [RID#6] Unexpected result from ldap: Invalid DN
syntax(34), no errmsg set
I think sssd needs to somehow parse out the username= in the group member attribute.
I've searched this list and all over the internet but I could not find anything that
sounds similar to my issue
Is there any way to work around this problem?
thank you
Show replies by date
narrowing it down a bit, it looks like the aix group schema is very close to rfc2307bis
with one exception that the member id is stored only as a partial dn:
[sdap_find_entry_by_origDN] (0x4000): Searching cache for [username=some_user_name1].
[sdap_fill_memberships] (0x0080): Member [username=some_user_name1] was not found in
cache. Is it out of scope?
so may be this can be fixed with a small change to append the ldap_user_search_base to the
member id in the sdap_find_entry_by_origDN function?
am i on the right track here?