[Freeipa-users] SSSD with LDAP not showing secondary groups

Alexander Bokovoy abokovoy at redhat.com
Sun Jul 17 08:03:34 UTC 2016


On Sun, 17 Jul 2016, Sullivan, Daniel [AAA] wrote:
>Have you tried different settings for ldap_schema (should be easy to test)?
>
>http://linux.die.net/man/5/sssd-ldap
>
>Dan
>
>On Jul 16, 2016, at 4:19 PM, Peter Pakos <peter at pakos.uk> wrote:
>
>Hi,
>
>I'm about to move our FreeIPA platform into production on Monday but
>I've just noticed a worrying issue with sssd - getent group is not
>showing group members and id is not showing secondary groups.
>
>Currently all our servers are configured with sssd using our old LDAP
>(389-ds) as a backend. It works great, id shows all my secondary
>groups:
>
># id peter.pakos
>uid=1396(peter.pakos) gid=511(Engineering) groups=511(Engineering),718(DevOps),701(SSHAllow)
>
>After re-configuring sssd to use FreeIPA's LDAP directory, id is only
>showing primary group, the secondary groups are missing:
>
># id peter.pakos
>uid=1396(peter.pakos) gid=511(engineering) groups=511(engineering)
>
>Similarly, getent is not showing group members:
>
># getent group engineering
>engineering:*:511:
Your sssd configuration does not mention what DN is used to bind to the
LDAP server to retrieve the data. This means you are using anonymous
bind. Since FreeIPA 4.0 there are a number of attributes that are not
available to anonymous binds, including 'member' and 'memberof'. Thus,
SSSD does not see membership information when using anonymous binds.

In normally enrolled IPA clients the host/ipa.client@IPA.REALM Kerberos
principal is used to bind to LDAP with GSSAPI when SSSD talks to the LDAP
server, thus all binds are authenticated and the 'member'/'memberof'
attributes are accessible.

So you either need to enroll the machines into IPA and switch your sssd.conf
to use the 'ipa' providers instead of ldap, or define a system account that
can be used by your sssd clients to bind to LDAP. In the short term
that would probably be the easier fix. For the latter see
sssd-ldap(5), the ldap_default_bind_dn and ldap_default_authtok options.

>
>Environment:
>
># cat /etc/redhat-release
>CentOS Linux release 7.2.1511 (Core)
># ipa --version
>VERSION: 4.2.0, API_VERSION: 2.156
>
>This is an example sssd.conf file I'm using in my tests:
>
>
>[domain/ipa.wandisco.com]
>ldap_tls_reqcert = demand
>ldap_id_use_start_tls = True
>cache_credentials = True
>ldap_search_base = cn=accounts,dc=ipa,dc=wandisco,dc=com
>ldap_group_search_base = cn=groups,cn=accounts,dc=ipa,dc=wandisco,dc=com
>ldap_user_search_base = cn=users,cn=accounts,dc=ipa,dc=wandisco,dc=com
>id_provider = ldap
>auth_provider = ldap
>chpass_provider = ldap
>ldap_uri = ldaps://shdc01.ipa.wandisco.com, ldaps://shdc02.ipa.wandisco.com, ldaps://ashb01.ipa.wandisco.com, ldaps://ashb02.ipa.wandisco.com, ldaps://frem01.ipa.wandisco.com
>ldap_tls_cacert = /etc/ipa/ca.crt
>
>[sssd]
>services = nss, pam
>config_file_version = 2
>domains = ipa.wandisco.com
>
>[nss]
>
>[pam]
>
>[sudo]
>
>[autofs]
>
>[ssh]
>
>Am I missing anything in the sssd configuration?
>
>Any advice would be greatly appreciated.
>
>--
>Kind regards,
> Peter Pakos
>--
>Manage your subscription for the Freeipa-users mailing list:
>https://www.redhat.com/mailman/listinfo/freeipa-users
>Go to http://freeipa.org for more info on the project

-- 
/ Alexander Bokovoy
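As an added check (not from the thread and not part of SSSD or FreeIPA), the following Python script parses an sssd.conf and flags LDAP-provider domains that would bind anonymously, i.e. with neither ldap_default_bind_dn nor ldap_sasl_mech set, which is the condition that hides 'member'/'memberof' on FreeIPA 4.0 and later. The sample configuration, domain names and hosts are constructed.

```python
"""Lint sssd.conf for LDAP domains that bind anonymously (hypothetical check, not SSSD's own)."""
import configparser
from typing import Dict, List

# Constructed sample modelled on the sssd.conf quoted in the thread; names are placeholders.
SAMPLE_SSSD_CONF = """
[domain/ipa.example.test]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ipa01.example.test
ldap_search_base = cn=accounts,dc=ipa,dc=example,dc=test
ldap_tls_cacert = /etc/ipa/ca.crt

[domain/enrolled.example.test]
id_provider = ipa
ipa_server = ipa01.example.test

[domain/legacy.example.test]
id_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_krb5_keytab = /etc/krb5.keytab

[sssd]
services = nss, pam
config_file_version = 2
domains = ipa.example.test, enrolled.example.test, legacy.example.test
"""


def anonymous_bind_domains(conf_text: str) -> List[Dict[str, str]]:
    """Return one finding per [domain/...] section using id_provider = ldap
    with no credentials: no ldap_default_bind_dn and no ldap_sasl_mech.
    Such a domain binds anonymously, so FreeIPA >= 4.0 withholds
    'member'/'memberof' and groups appear empty to id/getent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        domain = cp[section]
        if domain.get("id_provider", "").strip().lower() != "ldap":
            continue  # the 'ipa' provider authenticates with the host keytab
        if domain.get("ldap_default_bind_dn", "").strip() or domain.get("ldap_sasl_mech", "").strip():
            continue  # simple bind with a system account, or SASL/GSSAPI
        findings.append({"domain": section[len("domain/"):],
                         "fix": "set ldap_default_bind_dn/ldap_default_authtok, "
                                "or ldap_sasl_mech = GSSAPI with a keytab, "
                                "or switch to id_provider = ipa"})
    return findings


if __name__ == "__main__":
    for f in anonymous_bind_domains(SAMPLE_SSSD_CONF):
        print(f"{f['domain']}: anonymous LDAP bind; {f['fix']}")
```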