[Freeipa-users] SSSD with LDAP not showing secondary groups

Peter Pakos peter at pakos.uk
Sun Jul 17 21:00:28 UTC 2016

On 17 July 2016 at 09:03, Alexander Bokovoy <abokovoy at redhat.com> wrote:

> Your sssd configuration does not mention what DN is used to bind to the
> LDAP server to retrieve the data. This means you are using anonymous
> bind. Since FreeIPA 4.0 there is a number of attributes that are not
> available to anonymous binds, including 'member' and 'memberof'. Thus,
> SSSD does not see membership information when using anonymous binds.
> In normally enrolled IPA clients host/ipa.client at IPA.REALM Kerberos
> principal is used to bind to LDAP with GSSAPI when SSSD talks to LDAP
> server, thus all binds are authenticated and 'member'/'memberof'
> attributes are accessible.
> So you either need to enroll machines to IPA and switch your sssd.conf
> to use 'ipa' providers instead of ldap, or define a system account that
> can be used to bind to LDAP by your sssd clients. In short term
> perspective that would probably be an easier fix. For the latter see
> sssd-ldap(5), ldap_default_bind_dn, ldap_default_authtok options.


Adding the following lines to /etc/sssd/sssd.conf has fixed the issue for

ldap_schema = rfc2307bis
ldap_default_bind_dn = *dn*
ldap_default_authtok = *password*

Many thanks!

Kind regards,
 Peter Pakos
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20160717/df3c10b7/attachment.htm>

More information about the Freeipa-users mailing list