Hi all
I'm trying to make sssd work with an ancient LDAP server which uses a non-RFC2307-compliant schema. It is an IBM Directory Server with a decades-old AIX proprietary schema.
I was able to map the required user attributes easily in sssd.conf, however I'm running into trouble with the groups.
The problem is that the 'member' attribute in each LDAP group is stored in LDAP in an unusual format like this:
...
groupname: some_group
objectclass: aixaccessgroup
member: username=some_user_name1
member: username=some_user_name2
member: username=some_user_name3
...
So I think the issue is the 'username=' in front of each user id.
When I try to list the group using getent, I get this:
# getent group some_group
some_group:*:1234:username=some_user_name1,username=some_user_name2,username=some_user_name3,..
i.e. the 'username=' string is prepended to each member id.
Here is what I have in sssd.conf:
...
ldap_user_search_base = ou=aixuser,cn...
ldap_user_object_class = aixaccount
ldap_user_name = username
ldap_user_uid_number = uid
ldap_user_gid_number = gid
ldap_group_search_base = ou=aixgroup,cn...
ldap_group_object_class = aixaccessgroup
ldap_group_gid_number = gid
ldap_group_name = groupname
ldap_group_member = member
...
When a user logs in and sssd tries to enumerate the group memberships, it submits an LDAP search as '[(&(member=some_user_name1)(objectClass=aixaccessgroup)(groupname=*)(&(gid=*)(!(gid=0))))] base: [ou=aixgroup,cn...' and of course that returns nothing.
[sdap_get_generic_op_finished] (0x0400): [RID#6] Search result: Invalid DN syntax(34), no errmsg set
[sdap_get_generic_op_finished] (0x0040): [RID#6] Unexpected result from ldap: Invalid DN syntax(34), no errmsg set
I think sssd needs to somehow parse out the 'username=' in the group member attribute. I've searched this list and all over the internet, but I could not find anything that sounds similar to my issue.
Is there any way to work around this problem?
thank you
Narrowing it down a bit, it looks like the AIX group schema is very close to rfc2307bis, with one exception: the member id is stored only as a partial DN:
[sdap_find_entry_by_origDN] (0x4000): Searching cache for [username=some_user_name1].
[sdap_fill_memberships] (0x0080): Member [username=some_user_name1] was not found in cache. Is it out of scope?
So maybe this can be fixed with a small change to append the ldap_user_search_base to the member id in the sdap_find_entry_by_origDN function?
Am I on the right track here?
sssd-users@lists.fedorahosted.org
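The two readings of the AIX-style member value that the thread is circling around can be made concrete in a few lines. The following is an added example, written for this page; it is neither the poster's code nor part of sssd, and it does not change sssd's behaviour. It treats each 'member' value either as a plain user name with a 'username=' prefix to strip (the rfc2307 reading, which is what the getent output above would need) or as a partial DN to be qualified with the user search base (the rfc2307bis reading the follow-up message proposes), and shows the group-membership filter each reading implies. The user search base 'ou=aixuser,cn=example' is an assumption, since the post truncates it; the RDN attribute 'username' comes from the ldap_user_name setting in the post; the sample group entry is constructed to match the one shown above.

```python
"""Added example, not from the original post and not sssd code.

Assumptions (hypothetical, not taken from the post):
  - USER_BASE: the post only shows 'ou=aixuser,cn...', so an example base is used
  - the RDN attribute of user entries is 'username' (ldap_user_name = username)
"""

USER_BASE = "ou=aixuser,cn=example"   # assumed; truncated in the post
NAME_ATTR = "username"               # from 'ldap_user_name = username' in the post
GROUP_OC = "aixaccessgroup"          # from 'ldap_group_object_class' in the post

# Constructed sample group entry, modelled on the one shown in the post.
SAMPLE_GROUP = {
    "groupname": ["some_group"],
    "objectclass": [GROUP_OC],
    "gid": ["1234"],
    "member": [
        "username=some_user_name1",
        "username=some_user_name2",
        "username=some_user_name3",
    ],
}


def split_rdn(value):
    """Split 'attr=val' into (attr, val); return None if value is not an RDN."""
    attr, sep, val = value.partition("=")
    if not sep or not attr.strip() or not val.strip():
        return None
    return attr.strip().lower(), val.strip()


def member_name(value, name_attr=NAME_ATTR):
    """Reading 1 (rfc2307 style): strip the 'username=' RDN, keep the bare name."""
    rdn = split_rdn(value)
    if rdn is None:
        return value                      # already a plain name, nothing to strip
    attr, val = rdn
    if attr != name_attr.lower():
        raise ValueError("unexpected RDN attribute %r in member %r" % (attr, value))
    return val


def member_dn(value, user_base=USER_BASE, name_attr=NAME_ATTR):
    """Reading 2 (rfc2307bis style): qualify a partial DN with the user search base.

    Values that are already full DNs under the base are returned unchanged, so the
    function is safe to apply to a mixed directory.
    """
    if value.lower().endswith("," + user_base.lower()):
        return value                      # already a full DN under the base
    rdn = split_rdn(value)
    if rdn is None:
        return "%s=%s,%s" % (name_attr, value, user_base)   # bare name: build the RDN
    return "%s,%s" % (value, user_base)


def ldap_filter_escape(text):
    """Escape the characters RFC 4515 requires in an assertion value."""
    out = []
    for ch in text:
        if ch in "*()\\\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def group_filter(user_name, as_dn):
    """Membership filter for a user under each reading of the 'member' attribute.

    as_dn=False matches what sssd sent in the post: (member=some_user_name1), which
    cannot match a stored value of 'username=some_user_name1'. as_dn=True matches
    only if the directory stored full DNs, which is why the partial DN must be
    handled on the client side instead.
    """
    if as_dn:
        target = member_dn(user_name)
    else:
        target = user_name
    return "(&(member=%s)(objectClass=%s))" % (ldap_filter_escape(target), GROUP_OC)


def getent_line(group, name_attr=NAME_ATTR):
    """Render the group the way 'getent group' prints it, with cleaned member names."""
    names = [member_name(m, name_attr) for m in group["member"]]
    return "%s:*:%s:%s" % (group["groupname"][0], group["gid"][0], ",".join(names))


if __name__ == "__main__":
    print(getent_line(SAMPLE_GROUP))
    for m in SAMPLE_GROUP["member"]:
        print(m, "->", member_dn(m))
    print(group_filter("some_user_name1", as_dn=False))
    print(group_filter("some_user_name1", as_dn=True))
```

Note that the stored value 'username=some_user_name1' is a syntactically valid RDN, so the "Invalid DN syntax" result in the log is consistent with the server rejecting a bare name rather than the 'username=' form itself; the example only makes the mismatch between filter and stored value visible, it does not diagnose the server.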