[389-users] (no subject)

Justin Edmands shockwavecs at gmail.com
Tue Oct 22 15:27:31 UTC 2013


On Tue, Oct 22, 2013 at 11:25 AM, <harry.devine at faa.gov> wrote:

>
> We tried that and, sadly, it made no difference.  In fact, we get LESS
> information than before.  It appears as though we get the main group, and
> it does not know how to dig further to get the sub-groups and group
> members.  Also, we found that our ldap_group_member is called uniqueMember
> and not memberUid.  Perhaps that's unique to your installation?
>
> Any other ideas?  Should we post our sssd.conf?
>
> Thanks,
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJM-245
> (609)485-4218
> Harry.Devine at faa.gov
>
>
> From: Justin Edmands <shockwavecs at gmail.com>
> To: "General discussion list for the 389 Directory server project." <389-users at lists.fedoraproject.org>
> Date: 10/22/2013 10:22 AM
> Subject: Re: [389-users] (no subject)
> Sent by: 389-users-bounces at lists.fedoraproject.org
> ------------------------------
>
>
>
> On Tue, Oct 22, 2013 at 9:51 AM, <harry.devine at faa.gov> wrote:
>
> We have been working this problem for two weeks debugging. We have 389-ds
> running and multi-master with 3 RHEL6 servers and a RHEL5. The RHEL5 ldap
> clients authenticate correctly to the RHEL6 389-ds directory server and
> with 'id' command can see all groups a user belongs to.
>
> The same command in a RHEL6 ldap client using sssd shows ONLY the primary
> group. If we change the ldap clients to point at the RHEL5 389-ds directory
> server the same results occur. The one consistency is any RHEL6 ldap client
> we setup will authenticate to either RHEL5 or RHEL6 but the entire list of
> groups that user belongs to does not transfer independent of server version.
> We have enumerate set to true and we have ldap_group_member set to
> uniqueMember. This seems to point to the ldap client as RHEL5 client works
> just fine and both RHEL5 and RHEL6 389-ds servers react the same but we're
> not sure how to correct or is it a bug. HELP?
>
> Thanks!
>
> Harry Devine
> Common ARTS Software Development
> AJM-245
> (609)485-4218
> Harry.Devine at faa.gov
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
> I had the same issue. SSSD needs to be told where to pull these from.
>
> I had to add this to the global section of the sssd.conf (you may need to
> disable all caching devices as well. They will hold the old "id" lookups)
>
> ldap_group_member = memberUid
> ldap_group_search_base = ou=<your group here>,dc=sagedining,dc=com
>


Please do
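
An added example, not part of the original messages and not code from the SSSD or 389 projects: a small lint for the mismatch discussed above, where ldap_group_member names a DN-valued attribute (uniqueMember) while the domain's schema is left at the rfc2307 default, which expects user names as in memberUid. The sample config, the function name and the example.com base DN are constructed; ldap_schema is an sssd-ldap option that the thread itself does not mention.

```python
import configparser

# Constructed sample resembling the client setup described in the thread.
SAMPLE = """\
[sssd]
services = nss, pam
domains = default
ldap_group_search_base = ou=Groups,dc=example,dc=com

[domain/default]
id_provider = ldap
enumerate = true
ldap_group_member = uniqueMember
"""

DN_VALUED = {"uniquemember", "member"}  # group attributes whose values are entry DNs


def lint_sssd_conf(text):
    """Return (section, option, problem) tuples for group-lookup misconfigurations."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    # sssd-ldap(5) documents ldap_* as domain options, so flag them in [sssd].
    if cp.has_section("sssd"):
        for key in cp["sssd"]:
            if key.startswith("ldap_"):
                findings.append(("sssd", key, "ldap_* option outside [domain/...]"))
    for section in cp.sections():
        dom = cp[section]
        if not section.startswith("domain/") or dom.get("id_provider") != "ldap":
            continue
        schema = dom.get("ldap_schema", "rfc2307").lower()  # SSSD default schema
        default_member = "memberuid" if schema == "rfc2307" else "member"
        member = dom.get("ldap_group_member", default_member).lower()
        if schema == "rfc2307" and member in DN_VALUED:
            findings.append((section, "ldap_group_member",
                             f"{member} holds DNs but schema rfc2307 expects user names"))
        elif schema != "rfc2307" and member == "memberuid":
            findings.append((section, "ldap_group_member",
                             f"memberuid holds user names but schema {schema} expects DNs"))
    return findings


if __name__ == "__main__":
    for finding in lint_sssd_conf(SAMPLE):
        print(*finding, sep=": ")
```

Because group membership usually feeds access decisions (sudo rules, file ACLs, PAM access filters), a client that silently resolves only the primary group is worth catching in configuration review rather than at login time.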