[Freeipa-users] SSSD with LDAP not showing secondary groups

Sullivan, Daniel [AAA] dsullivan2 at bsd.uchicago.edu
Sun Jul 17 02:48:49 UTC 2016


Also, you might be able to tweak ldap_user_member_of. If you log in to a DC and kinit to an IPA user and then run an LDAP query, you should be able to get the LDIF record for a user, i.e.

1) kinit s.cri.ipa-idprovisioner@IPA.CRI.UCHICAGO.EDU
2) ldapsearch -x -b dc=ipa,dc=cri,dc=uchicago,dc=edu

Based on that you should be able to tune your LDAP parameters for SSSD.

Out of curiosity, is there any reason you are not using the IPA provider instead of LDAP (in SSSD)?

Dan



On Jul 16, 2016, at 9:38 PM, Sullivan, Daniel [AAA] <dsullivan2 at bsd.uchicago.edu> wrote:

Have you tried different settings for ldap_schema (should be easy to test)?

http://linux.die.net/man/5/sssd-ldap

Dan

On Jul 16, 2016, at 4:19 PM, Peter Pakos <peter at pakos.uk> wrote:

Hi,

I'm about to move our FreeIPA platform into production on Monday but I've just noticed a worrying issue with sssd - getent group is not showing group members and id is not showing secondary groups.

Currently all our servers are configured with sssd using our old LDAP (389-ds) as a backend. It works great, id shows all my secondary groups:

# id peter.pakos
uid=1396(peter.pakos) gid=511(Engineering) groups=511(Engineering),718(DevOps),701(SSHAllow)

After re-configuring sssd to use FreeIPA's LDAP directory, id is only showing primary group, the secondary groups are missing:

# id peter.pakos
uid=1396(peter.pakos) gid=511(engineering) groups=511(engineering)

Similarly, getent is not showing group members:

# getent group engineering
engineering:*:511:

Environment:

# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
# ipa --version
VERSION: 4.2.0, API_VERSION: 2.156

This is an example sssd.conf file I'm using in my tests:


[domain/ipa.wandisco.com]
ldap_tls_reqcert = demand
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = cn=accounts,dc=ipa,dc=wandisco,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=ipa,dc=wandisco,dc=com
ldap_user_search_base = cn=users,cn=accounts,dc=ipa,dc=wandisco,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://shdc01.ipa.wandisco.com, ldaps://shdc02.ipa.wandisco.com, ldaps://ashb01.ipa.wandisco.com, ldaps://ashb02.ipa.wandisco.com, ldaps://frem01.ipa.wandisco.com
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam
config_file_version = 2
domains = ipa.wandisco.com

[nss]

[pam]

[sudo]

[autofs]

[ssh]

Am I missing anything in the sssd configuration?

Any advice would be greatly appreciated.

--
Kind regards,
Peter Pakos
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

********************************************************************************
This e-mail is intended only for the use of the individual or entity to which
it is addressed and may contain information that is privileged and confidential.
If the reader of this e-mail message is not the intended recipient, you are
hereby notified that any dissemination, distribution or copying of this
communication is prohibited. If you have received this e-mail in error, please
notify the sender and destroy all copies of the transmittal.

Thank you
University of Chicago Medicine and Biological Sciences
********************************************************************************

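To show the mechanism behind the ldap_schema suggestion in this thread, here is an added example (my own code, not from the thread or from the sssd project). The LDIF below is constructed to resemble FreeIPA entries under the search bases in Peter's sssd.conf, and the attribute mapping it uses (memberUid for rfc2307, member for rfc2307bis/IPA) follows the ldap_group_member defaults documented in sssd-ldap(5); since Peter's config sets no ldap_schema, the sssd default of rfc2307 is assumed to be in effect.

```python
# Constructed LDIF fragments shaped like FreeIPA entries under cn=accounts;
# not real directory content from the thread.
USER_LDIF = """\
dn: uid=peter.pakos,cn=users,cn=accounts,dc=ipa,dc=wandisco,dc=com
uid: peter.pakos
uidNumber: 1396
gidNumber: 511
memberOf: cn=engineering,cn=groups,cn=accounts,dc=ipa,dc=wandisco,dc=com
memberOf: cn=devops,cn=groups,cn=accounts,dc=ipa,dc=wandisco,dc=com
"""

GROUPS_LDIF = """\
dn: cn=engineering,cn=groups,cn=accounts,dc=ipa,dc=wandisco,dc=com
cn: engineering
gidNumber: 511
member: uid=peter.pakos,cn=users,cn=accounts,dc=ipa,dc=wandisco,dc=com

dn: cn=devops,cn=groups,cn=accounts,dc=ipa,dc=wandisco,dc=com
cn: devops
gidNumber: 718
member: uid=peter.pakos,cn=users,cn=accounts,dc=ipa,dc=wandisco,dc=com
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attr: [values]} dicts."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line separates entries
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(": ")
        cur.setdefault(attr.lower(), []).append(val)
    if cur:
        entries.append(cur)
    return entries


def secondary_groups(user, groups, schema):
    """GIDs of groups that list the user, judged the way the given ldap_schema
    does: rfc2307 matches the user's uid against memberUid, rfc2307bis/IPA
    matches the user's DN against member. The primary group comes from
    gidNumber regardless, which is why only that one survives a mismatch."""
    if schema == "rfc2307":
        key, needle = "memberuid", user["uid"][0]
    elif schema in ("rfc2307bis", "ipa"):
        key, needle = "member", user["dn"][0]
    else:
        raise ValueError("unknown ldap_schema: %s" % schema)
    return sorted(int(g["gidnumber"][0]) for g in groups if needle in g.get(key, []))
```

With the default schema the IPA groups carry no memberUid, so no secondary groups are found, which matches the `groups=511(engineering)` output in the report; switching the schema makes the same entries resolve.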