Re: [Freeipa-users] SSSD with LDAP not showing secondary groups

On 17 July 2016 at 09:03, Alexander Bokovoy <abokovoy redhat com> wrote:
Your sssd configuration does not mention what DN is used to bind to the
LDAP server to retrieve the data. This means you are using anonymous
bind. Since FreeIPA 4.0 there are a number of attributes that are not
available to anonymous binds, including 'member' and 'memberof'. Thus,
SSSD does not see membership information when using anonymous binds.

In normally enrolled IPA clients the host/ipa.client@IPA.REALM Kerberos
principal is used to bind to LDAP with GSSAPI when SSSD talks to the LDAP
server, thus all binds are authenticated and 'member'/'memberof'
attributes are accessible.

So you either need to enroll machines to IPA and switch your sssd.conf
to use 'ipa' providers instead of ldap, or define a system account that
can be used to bind to LDAP by your sssd clients. In the short term
that would probably be the easier fix. For the latter see
sssd-ldap(5), ldap_default_bind_dn, ldap_default_authtok options.


Adding the following lines to /etc/sssd/sssd.conf has fixed the issue for us:

ldap_schema = rfc2307bis
ldap_default_bind_dn = *dn*
ldap_default_authtok = *password*

Many thanks!
Kind regards,
 Peter Pakos
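An added example (not part of the thread) that audits an sssd.conf for the condition Alexander describes: an ldap-provider domain with no ldap_default_bind_dn binds anonymously and therefore loses 'member'/'memberOf' against FreeIPA 4.0 and later. The sample configuration, the bind DN and the token value are constructed placeholders.

```python
"""Audit sssd.conf text for LDAP domains that would bind anonymously."""
import configparser

# Constructed sample: one domain binding anonymously, one using a system account.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = anon.example, fixed.example

[domain/anon.example]
id_provider = ldap
ldap_uri = ldaps://ipa.example.test
ldap_search_base = dc=example,dc=test
ldap_schema = rfc2307

[domain/fixed.example]
id_provider = ldap
ldap_uri = ldaps://ipa.example.test
ldap_search_base = dc=example,dc=test
ldap_schema = rfc2307bis
ldap_default_bind_dn = uid=sssd-bind,cn=sysaccounts,cn=etc,dc=example,dc=test
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = <obfuscated-token-placeholder>
"""


def audit_sssd_conf(text):
    """Return {domain_name: [findings]} for every id_provider = ldap domain.

    No ldap_default_bind_dn means an anonymous bind, which on FreeIPA >= 4.0
    cannot read 'member'/'memberOf', so secondary groups go missing.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="") != "ldap":
            continue  # the 'ipa' provider binds with the host keytab via GSSAPI
        problems = []
        if not cp.get(section, "ldap_default_bind_dn", fallback="").strip():
            problems.append("anonymous bind: set ldap_default_bind_dn and ldap_default_authtok")
        elif cp.get(section, "ldap_default_authtok_type", fallback="password") == "password":
            problems.append("ldap_default_authtok is stored in clear text (see sss_obfuscate)")
        if cp.get(section, "ldap_schema", fallback="rfc2307") != "rfc2307bis":
            problems.append("ldap_schema is not rfc2307bis, the schema FreeIPA serves")
        findings[section[len("domain/"):]] = problems
    return findings


if __name__ == "__main__":
    for dom, probs in audit_sssd_conf(SAMPLE_SSSD_CONF).items():
        print(dom, "OK" if not probs else "; ".join(probs))
```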

