[Freeipa-users] SSSD with LDAP not showing secondary groups

Jakub Hrozek jhrozek at redhat.com
Mon Jul 18 08:24:34 UTC 2016


On Sun, Jul 17, 2016 at 10:00:28PM +0100, Peter Pakos wrote:
> On 17 July 2016 at 09:03, Alexander Bokovoy <abokovoy at redhat.com> wrote:
> 
> > Your sssd configuration does not mention what DN is used to bind to the
> > LDAP server to retrieve the data. This means you are using anonymous
> > bind. Since FreeIPA 4.0 there is a number of attributes that are not
> > available to anonymous binds, including 'member' and 'memberof'. Thus,
> > SSSD does not see membership information when using anonymous binds.
> >
> > In normally enrolled IPA clients host/ipa.client at IPA.REALM Kerberos
> > principal is used to bind to LDAP with GSSAPI when SSSD talks to LDAP
> > server, thus all binds are authenticated and 'member'/'memberof'
> > attributes are accessible.
> >
> > So you either need to enroll machines to IPA and switch your sssd.conf
> > to use 'ipa' providers instead of ldap, or define a system account that
> > can be used to bind to LDAP by your sssd clients. In short term
> > perspective that would probably be an easier fix. For the latter see
> > sssd-ldap(5), ldap_default_bind_dn, ldap_default_authtok options.
> 
> 
> Bingo!
> 
> Adding the following lines to /etc/sssd/sssd.conf has fixed the issue for
> us:
> 
> ldap_schema = rfc2307bis
> ldap_default_bind_dn = *dn*
> ldap_default_authtok = *password*
> 
> Many thanks!

I'm glad it works now, but why did you choose to use the LDAP back end
over the IPA back end? By using LDAP, you gain the ability to not enroll
clients with ipa-client-install, but you lose the ease of
manageability, HBAC, easy SUDO integration, not to mention you need to
put passwords into the config file.
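An added example (not from the thread) of what the two approaches discussed above look like in /etc/sssd/sssd.conf: the LDAP provider with the system bind account Peter added (first section), and the IPA provider Jakub recommends (second section). The server names, base DN and the sysaccount DN are assumed placeholders; both sections are shown but only one domain would normally be active.

```ini
# Option A: plain LDAP provider (unenrolled client). Without
# ldap_default_bind_dn SSSD binds anonymously and, on IPA >= 4.0,
# does not receive 'member'/'memberOf', so secondary groups are empty.
[domain/ldap.example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ipa.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307bis
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_tls_reqcert = demand
# Assumed sysaccount created under cn=sysaccounts,cn=etc in IPA;
# needs read access only, no admin rights.
ldap_default_bind_dn = uid=sssd-bind,cn=sysaccounts,cn=etc,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = CHANGE-ME-placeholder
# The password sits in clear text, so the file must stay root:root 0600
# (SSSD refuses to start otherwise) and the account should be dedicated
# to SSSD so it can be rotated without touching anything else.

# Option B: enrolled client (ipa-client-install). The host keytab is used
# for a GSSAPI bind, so no password is stored and HBAC/sudo come for free.
[domain/example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = example.com
ipa_server = _srv_, ipa.example.com
ipa_hostname = client.example.com
krb5_keytab = /etc/krb5.keytab

[sssd]
services = nss, pam
domains = example.com
```

After a change, clear the cache (`sss_cache -E`) and compare `id someuser` against an `ldapsearch` run with the same bind DN; if the search returns `memberOf` but `id` still lacks the groups, the problem is on the SSSD side rather than the bind.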