[Freeipa-users] SSS problems with eDirectory

Scott Duckworth sduckwo at clemson.edu
Fri Jul 23 21:17:11 UTC 2010


On Fri, Jul 23, 2010 at 6:16 AM, Sumit Bose <sbose at redhat.com> wrote:

> On Thu, Jul 22, 2010 at 04:49:50PM -0400, Simo Sorce wrote:
> > On Thu, 22 Jul 2010 16:22:45 -0400
> > Scott Duckworth <sduckwo at clemson.edu> wrote:
> >
> > > On Thu, Jul 22, 2010 at 3:39 PM, Simo Sorce <ssorce at redhat.com> wrote:
> > >
> > > > On Thu, 22 Jul 2010 15:30:23 -0400
> > > > Scott Duckworth <sduckwo at clemson.edu> wrote:
> > > >
> > > > > On Thu, Jul 22, 2010 at 11:59 AM, Simo Sorce <ssorce at redhat.com>
> > > > > wrote:
> > > > >
> > > > > > On Thu, 22 Jul 2010 11:10:25 -0400
> > > > > > Scott Duckworth <sduckwo at clemson.edu> wrote:
> > > > > >
> > > > > > > I removed all files from /var/lib/sss/db/ and restarted sssd.
> > > > > > > Same behavior.  nscd is disabled, so I don't think it's
> > > > > > > caching at any level.
> > > > > > >
> > > > > > > Here is what I ran:
> > > > > > >
> > > > > > > [root at duck2 ~]# getent passwd sduckwo
> > > > > > > sduckwo:*:45265:10000:Scott Duckworth:/home/sduckwo:/bin/bash
> > > > > > > [root at duck2 ~]# groups sduckwo
> > > > > > > sduckwo : cuuser
> > > > > > > [root at duck2 ~]# getent group coes_socunix
> > > > > > > coes_socunix:*:120105:sduckwo
> > > > > >
> > > > > >
> > > > > I should add to this, that what I expected to see is this (from
> > > > > one of the RHEL boxes using nss_ldap):
> > > > >
> > > > > [root at potter commands]# groups sduckwo
> > > > > sduckwo : cuuser coes_dpa coes_socunix coes_web_cs coes_web_fx
> > > >
> > > > If you log in as sduckwo you should just see that.
> > > > The same if you do "id sduckwo"
> > > >
> > >
> > > No go...
> > >
> > > [root at duck2 ~]# service sssd stop
> > > [root at duck2 ~]# rm -f /var/lib/sss/db/*
> > > [root at duck2 ~]# service nscd stop
> > > [root at duck2 ~]# service sssd start
> > > Starting sssd:                                             [  OK  ]
> > > [root at duck2 ~]# id sduckwo
> > > uid=45265(sduckwo) gid=10000(cuuser) groups=10000(cuuser)
> > > [root at duck2 ~]# su - sduckwo
> > > [16:05:24] sduckwo at duck2:~ [1] id
> > > uid=45265(sduckwo) gid=10000(cuuser) groups=10000(cuuser)
> > > [16:05:26] sduckwo at duck2:~ [2] groups
> > > cuuser
> >
> > Uhmmm this may be a side effect of your directory not having memberof
> > I think we need to add special code to handle servers that use
> > rfc2307bis schema but that do not use memberof.
>
> In my test setup eDirectory uses an attribute named groupMembership in
> the user object to store the DN of the groups the user belongs to. Can
> you check if adding the option
>
> ldap_user_member_of = groupMembership
>
> does help here?
>

I've learned that this attribute does exist in our tree, but it's not being
populated when we add users to groups since our proxy user does not have
rights to write groupMembership to users.  I'm trying to find out if we can
get our hands on native eDirectory tools that keep groupMembership of
posixAccount and member of posixGroup in sync.

Still, if groupOf/groupMembership is not required by rfc2307bis, it would be
nice if SSSD did not require it.

If a user has a groupOf/groupMembership attribute pointing to a group
outside of ldap_group_search_base, will this be handled gracefully?
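As an added example, not code from this thread or from SSSD: a small Python check of the two membership views the discussion turns on. It parses a constructed LDIF snippet (the DNs, the ou= containers and the search base are invented for illustration) that mirrors the situation described above, where posixGroup entries list the user under member but the user's groupMembership attribute is not kept in sync. It then computes the group set from each side and reports groups missing from groupMembership, groupMembership values that point at no entry, and groups that fall outside an assumed ldap_group_search_base. Against a real tree you would feed it an ldapsearch export instead of the inline sample.

```python
"""Compare a user's groupMembership attribute with the member attributes on
posixGroup entries, and flag groups outside ldap_group_search_base.

Added example, not SSSD code. The sample entries and the search base are
constructed for illustration and do not describe any real directory.
"""

# Constructed sample (assumption: invented DNs). The user's groupMembership
# lists only one group, while three posixGroup entries list the user as a
# member; one of those groups lives outside the assumed group search base.
SAMPLE_LDIF = """\
dn: cn=sduckwo,ou=users,o=example
objectClass: posixAccount
uid: sduckwo
uidNumber: 45265
gidNumber: 10000
groupMembership: cn=cuuser,ou=groups,o=example

dn: cn=cuuser,ou=groups,o=example
objectClass: posixGroup
gidNumber: 10000
member: cn=sduckwo,ou=users,o=example

dn: cn=coes_socunix,ou=groups,o=example
objectClass: posixGroup
gidNumber: 120105
member: cn=sduckwo,ou=users,o=example

dn: cn=coes_web_cs,ou=other,o=example
objectClass: posixGroup
gidNumber: 120200
member: cn=sduckwo,ou=users,o=example
"""

# Assumed value of ldap_group_search_base for this check.
GROUP_SEARCH_BASE = "ou=groups,o=example"


def norm_dn(dn):
    """Normalise a DN for comparison: lower-case, no whitespace around commas.
    This is a naive normalisation, not a full RFC 4514 comparison."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Minimal LDIF parser returning {normalised dn: {attr: [values]}}.
    Handles only plain 'attr: value' lines (no base64, no continuations)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs, dn = {}, None
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            if name.lower() == "dn":
                dn = norm_dn(value)
            else:
                attrs.setdefault(name.lower(), []).append(value)
        entries[dn] = attrs
    return entries


def in_base(dn, base):
    """True if dn is the base itself or sits somewhere below it."""
    dn, base = norm_dn(dn), norm_dn(base)
    return dn == base or dn.endswith("," + base)


def groups_by_member(entries, user_dn):
    """Groups that claim the user through their own member attribute
    (the view a member-walking lookup such as nss_ldap produces)."""
    user_dn = norm_dn(user_dn)
    return {
        dn for dn, attrs in entries.items()
        if "posixgroup" in (v.lower() for v in attrs.get("objectclass", []))
        and user_dn in (norm_dn(m) for m in attrs.get("member", []))
    }


def groups_by_membership_attr(entries, user_dn):
    """Groups the user's own groupMembership attribute points at (the view
    SSSD would read with ldap_user_member_of = groupMembership)."""
    user = entries[norm_dn(user_dn)]
    return {norm_dn(g) for g in user.get("groupmembership", [])}


def check_user(entries, user_dn, base=GROUP_SEARCH_BASE):
    """Report the discrepancies between the two views for one user."""
    by_member = groups_by_member(entries, user_dn)
    by_attr = groups_by_membership_attr(entries, user_dn)
    return {
        "missing_from_groupMembership": sorted(by_member - by_attr),
        "dangling_groupMembership": sorted(g for g in by_attr if g not in entries),
        "outside_search_base": sorted(
            g for g in by_member | by_attr if not in_base(g, base)),
    }


if __name__ == "__main__":
    report = check_user(parse_ldif(SAMPLE_LDIF), "cn=sduckwo,ou=users,o=example")
    for key, dns in report.items():
        print(f"{key}: {dns or 'none'}")
```

The base test is a suffix match on a naively normalised DN, which is adequate for a sanity check over an export but not a substitute for the server's own DN matching; any group that shows up under outside_search_base is one a client restricted to that base would never enumerate, whichever attribute it reads membership from.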