harry.devine@xxxxxxx wrote:
We tried that and, sadly, it made no difference. In fact, we get LESS information that before. It appears as though we get the main group, and it does not know how to dig further to get the sub-groups and group members. Also, we found that our ldap_group_member is called uniqueMember and not memberUid. Perhaps that's unique to your installation? Any other ideas? Should we post our sssd.conf?
You may want to cross-post this on the sssd-users mailing list, https://lists.fedorahosted.org/mailman/listinfo/sssd-users
rob
Thanks, Harry Harry Devine Common ARTS Software Development AJM-245 (609)485-4218 Harry.Devine@xxxxxxx From: Justin Edmands <shockwavecs@xxxxxxxxx> To: "General discussion list for the 389 Directory server project." <389-users@xxxxxxxxxxxxxxxxxxxxxxx> Date: 10/22/2013 10:22 AM Subject: Re: (no subject) Sent by: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx ------------------------------------------------------------------------ On Tue, Oct 22, 2013 at 9:51 AM, <_harry.devine@faa.gov_ <mailto:harry.devine@xxxxxxx>> wrote: We have been working this problem for two weeks debugging. We have 389-ds running and multi-master with 3 RHEL6 servers and a RHEL5. The RHEL5 ldap clients authenticate correctly to the RHEL6 389-ds directory server and with 'id' command can see all groups a user belongs too. The same command in a RHEL6 ldap client using sssd shows ONLY the primary group. If we change the ldap clients to point at the RHEL5 389-ds directory server the same results occur. The one consistency is any RHEL6 ldap client we setup will authenticate to either RHEL5 or RHEL6 but the entire list of groups that user belongs to do not transfer independent of server version. We have enumerate set to true and we have ldap_group_member set to uniqueMember. These seems to point to the ldap client as RHEL5 client works just fine and both RHEL5 and RHEL6 389-ds servers react the same but we're not sure how to correct or is it a bug. HELP? Thanks! Harry Devine Common ARTS Software Development AJM-245_ __(609)485-4218_ <tel:%28609%29485-4218>_ __Harry.Devine@faa.gov_ <mailto:Harry.Devine@xxxxxxx> -- 389 users mailing list_ __389-users@lists.fedoraproject.org_ <mailto:389-users@xxxxxxxxxxxxxxxxxxxxxxx>_ __https://admin.fedoraproject.org/mailman/listinfo/389-users_ I had the same issue. SSSD needs to be told where to pull these from. I had to add this to the global section of the sssd.conf (you may need to disable all caching devices as well. they will hold the old "id" lookups) ldap_group_member = memberUid ldap_group_search_base = ou=<your group here>,dc=sagedining,dc=com -- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users -- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
-- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
