[Freeipa-users] SSSD with LDAP not showing secondary groups
Peter Pakos
peter at pakos.uk
Sat Jul 16 21:19:13 UTC 2016
Hi,
I'm about to move our FreeIPA platform into production on Monday but I've
just noticed a worrying issue with sssd - getent group is not showing group
members and id is not showing secondary groups.
Currently all our servers are configured with sssd using our old LDAP
(389-ds) as a backend. It works great; id shows all my secondary groups:
# id peter.pakos
uid=1396(peter.pakos) gid=511(Engineering) groups=511(Engineering),718(DevOps),701(SSHAllow)
After re-configuring sssd to use FreeIPA's LDAP directory, id is only
showing the primary group; the secondary groups are missing:
# id peter.pakos
uid=1396(peter.pakos) gid=511(engineering) groups=511(engineering)
Similarly, getent is not showing group members:
# getent group engineering
engineering:*:511:
Environment:
# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
# ipa --version
VERSION: 4.2.0, API_VERSION: 2.156
This is an example sssd.conf file I'm using in my tests:
[domain/ipa.wandisco.com]
ldap_tls_reqcert = demand
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = cn=accounts,dc=ipa,dc=wandisco,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=ipa,dc=wandisco,dc=com
ldap_user_search_base = cn=users,cn=accounts,dc=ipa,dc=wandisco,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://shdc01.ipa.wandisco.com, ldaps://shdc02.ipa.wandisco.com, ldaps://ashb01.ipa.wandisco.com, ldaps://ashb02.ipa.wandisco.com, ldaps://frem01.ipa.wandisco.com
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam
config_file_version = 2
domains = ipa.wandisco.com
[nss]
[pam]
[sudo]
[autofs]
[ssh]
Am I missing anything in the sssd configuration?
Any advice would be greatly appreciated.
--
Kind regards,
Peter Pakos
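Added example (my own code, not from the post or the FreeIPA project): it mimics how SSSD's LDAP provider resolves group membership under its default ldap_schema (rfc2307, which reads memberUid) versus rfc2307bis (which reads member DNs, the form FreeIPA stores under cn=accounts), and checks a domain section of sssd.conf for that mismatch. The group entry below and the "cn=accounts means FreeIPA" heuristic are constructed assumptions, not data from the poster's servers.

```python
import configparser
import io
import re

# Constructed FreeIPA-style group entry: membership is a list of member DNs
# and there is no memberUid attribute (assumption for this example).
GROUP_LDIF = """\
dn: cn=engineering,cn=groups,cn=accounts,dc=ipa,dc=wandisco,dc=com
cn: engineering
gidNumber: 511
objectClass: posixgroup
objectClass: groupofnames
member: uid=peter.pakos,cn=users,cn=accounts,dc=ipa,dc=wandisco,dc=com
member: uid=jane.doe,cn=users,cn=accounts,dc=ipa,dc=wandisco,dc=com
"""

def parse_ldif_entry(text):
    """Parse one plain (non-base64) LDIF entry into {attr: [values]}."""
    entry = {}
    for line in text.splitlines():
        if line.strip():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def group_members(entry, ldap_schema):
    """Return the member logins the given ldap_schema setting would see."""
    if ldap_schema == "rfc2307":
        # rfc2307 reads memberUid only, so this IPA group looks empty.
        return entry.get("memberuid", [])
    if ldap_schema == "rfc2307bis":
        # rfc2307bis reads member DNs; the uid RDN is the login name.
        return [m.group(1) for dn in entry.get("member", [])
                if (m := re.match(r"uid=([^,]+),", dn, re.IGNORECASE))]
    raise ValueError(f"unsupported ldap_schema: {ldap_schema!r}")

def check_sssd_conf(conf_text):
    """Flag LDAP-provider domains reading FreeIPA groups with the rfc2307 default."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_file(io.StringIO(conf_text))
    findings = []
    for section in cfg.sections():
        if not section.startswith("domain/") or cfg.get(section, "id_provider", fallback="") != "ldap":
            continue
        schema = cfg.get(section, "ldap_schema", fallback="rfc2307")  # sssd default
        base = cfg.get(section, "ldap_group_search_base", fallback="")
        # Heuristic (assumption): a group base under cn=accounts means FreeIPA.
        if schema == "rfc2307" and "cn=accounts" in base.lower():
            findings.append(f"{section}: ldap_schema defaults to rfc2307 but the group "
                            "base is FreeIPA's cn=accounts tree; set ldap_schema = rfc2307bis")
    return findings
```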