[389-users] (no subject)

harry.devine at faa.gov harry.devine at faa.gov
Tue Oct 22 15:25:37 UTC 2013


We tried that and, sadly, it made no difference.  In fact, we get LESS 
information than before.  It appears as though we get the main group, and 
it does not know how to dig further to get the sub-groups and group 
members.  Also, we found that our ldap_group_member is called uniqueMember 
and not memberUid.  Perhaps that's unique to your installation?

Any other ideas?  Should we post our sssd.conf?

Thanks,
Harry

Harry Devine
Common ARTS Software Development
AJM-245
(609)485-4218
Harry.Devine at faa.gov



From: Justin Edmands <shockwavecs at gmail.com>
To: "General discussion list for the 389 Directory server project." 
<389-users at lists.fedoraproject.org>
Date: 10/22/2013 10:22 AM
Subject: Re: [389-users] (no subject)
Sent by: 389-users-bounces at lists.fedoraproject.org



On Tue, Oct 22, 2013 at 9:51 AM, <harry.devine at faa.gov> wrote:

We have been working this problem for two weeks debugging. We have 389-ds 
running and multi-master with 3 RHEL6 servers and a RHEL5. The RHEL5 ldap 
clients authenticate correctly to the RHEL6 389-ds directory server and 
with 'id' command can see all groups a user belongs to. 

The same command in a RHEL6 ldap client using sssd shows ONLY the primary 
group. If we change the ldap clients to point at the RHEL5 389-ds 
directory server the same results occur. The one consistency is any RHEL6 
ldap client we setup will authenticate to either RHEL5 or RHEL6 but the 
entire list of groups that user belongs to does not transfer, independent of 
server version. We have enumerate set to true and we have 
ldap_group_member set to uniqueMember. This seems to point to the ldap 
client, as the RHEL5 client works just fine and both RHEL5 and RHEL6 389-ds 
servers react the same, but we're not sure how to correct it or if it is a bug. 
HELP? 

Thanks! 

Harry Devine
Common ARTS Software Development
AJM-245
(609)485-4218
Harry.Devine at faa.gov
--
389 users mailing list
389-users at lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users


I had the same issue. SSSD needs to be told where to pull these from.

I had to add this to the global section of the sssd.conf (you may need to 
disable all caching devices as well. They will hold the old "id" lookups)

ldap_group_member = memberUid
ldap_group_search_base = ou=<your group here>,dc=sagedining,dc=com
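For readers hitting the same symptom, here is an sssd.conf domain section that matches the directory layout Harry describes (groups whose members are listed in uniqueMember rather than memberUid). This is an added example, not a file from the thread or from the sssd or 389-ds projects. The host name, base DN, domain name and CA path are constructed placeholders. Per sssd.conf(5) the ldap_* options belong in the [domain/...] section; sssd's rfc2307 schema reads memberUid (user names) from posixGroup entries, while its rfc2307bis schema reads uniqueMember (DNs) from groupOfUniqueNames entries and can follow nesting, so a directory built on the latter needs the rfc2307bis settings below. The TLS lines are added because group membership is what the client bases authorization on, and an unauthenticated LDAP connection lets a network attacker alter those answers.

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = EXAMPLE

[domain/EXAMPLE]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ds.example.com          ; constructed host name
ldap_search_base = dc=example,dc=com      ; constructed base DN
enumerate = true

; Protect the lookup channel: require STARTTLS and verify the server cert
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt   ; constructed path

; Groups are groupOfUniqueNames entries whose uniqueMember holds user DNs,
; which is the rfc2307bis layout, not the rfc2307 posixGroup/memberUid one.
ldap_schema = rfc2307bis
ldap_group_object_class = groupOfUniqueNames
ldap_group_member = uniqueMember
ldap_group_search_base = ou=Groups,dc=example,dc=com   ; constructed OU
; How deep sssd follows groups nested inside groups (default is 2)
ldap_group_nesting_level = 2
```

After changing these settings, stale answers remain in sssd's on-disk cache, so clear it before retesting: run `sss_cache -E` (from sssd-tools), or stop sssd, remove /var/lib/sss/db/cache_EXAMPLE.ldb, and start it again. Then compare `id <user>` on the RHEL6 client with the same command on a RHEL5 nss_ldap client; the group lists should now match.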
