I've been handed a requirement to create nested groups in our LDAP directory 
for our Posix logins to ease our admin load.  We are using RHEL6.1 and SSSD 
1.5.x from Redhat, along with OpenLDAP 2.4.x.  I have loaded up a test VM with 
all the appropriate software, but for the life of me I can't make it work.

For starters, I'm using the rfc2307bis schema, meaning I want a groupOfNames 
with member attributes that are complete DNs.
I've included all the appropriate files/config at the end of this email, but 
the base premise is this:
I have an ou=People organizational group with four users (Alpha, Bravo, 
Charlie, and Delta).  Each is an inetOrgPerson and posixAccount with a 
gidNumber of 1000 and a uidNumber of 10001-10004.
I have an ou=Groups organizational group with two posixGroup groups (cn=Fruits 
and cn=Nuts) with gidNumbers of 1001 and 1002.  At the same level, I have 8 
more groups (Apple, Banana, Cherry, Date and Almond, Brazil, Cashew and 
Doughnut).  These are just groupOfNames objects, not posixGroups.  As you would 
expect, Fruits' members list will contain cn=[Apple|Banana|Cherry|
Date],ou=Groups,dc=example,dc=com and Nuts' members list will contain 
cn=[Almond|Brazil|Cashew|Doughnut],ou=Groups,dc=example,dc=com.
We'll start off my example without them, and add them as needed.
Also, just for completeness, there is a cn=Users,ou=Groups entry with 
gidNumber=1000 (for the default group of each user).

Now, the fun part.  I want to have user Alpha be a Fruit.  So, I add his dn to 
cn=Fruits:
dn: cn=Fruits,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: posixGroup
gidNumber: 1001
cn: fruits
member: cn=User Alpha,ou=People,dc=example,dc=com

(here's user alpha's definition)
dn: cn=User Alpha,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: User Alpha
sn: Alpha
gidNumber: 1000
homeDirectory: /home/alpha
uidNumber: 10001
uid: alpha


I ask NSS about him, and I get this:
# id alpha
uid=10001(alpha) gid=1000(users) groups=1000(users),1001(fruits)

Well, that's great.  Now let's add him to nuts, too:
# ldapsearch -xLLL cn=nuts
dn: cn=Nuts,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: posixGroup
gidNumber: 1002
cn: nuts
member: cn=User Alpha,ou=People,dc=example,dc=com

And now he's a fruit and a nut.  Perfect.

# id alpha
uid=10001(alpha) gid=1000(users) groups=1000(users),1002(nuts),1001(fruits)


In my organization, there are lots of nuts.  We'd like to categorize our nuts 
a little better, and User Alpha is definitely a Doughnut.  So, we'll take him 
out of the cn=Nuts group and put him in cn=Doughnut.
After just adding him to cn=Doughnut, we don't expect that list to show up in 
the nss list of groups, because Doughnut is not a posixGroup.  Here's the list 
structure so far:

dn: cn=Nuts,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: posixGroup
gidNumber: 1002
cn: nuts

dn: cn=Doughnut,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: doughnut
member: cn=User Alpha,ou=People,dc=example,dc=com

# id alpha
uid=10001(alpha) gid=1000(users) groups=1000(users),1001(fruits)

Perfect.  He's still a fruit, but not yet a nut.
Now, the kicker.  According to my understanding, I should be able to put 
cn=Doughnut,ou=Groups,dc=example,dc=com into the member list of 
cn=Nuts,ou=Groups,dc=example,dc=com and our buddy User Alpha should become 
part of posix group nuts:

dn: cn=Nuts,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: posixGroup
gidNumber: 1002
cn: nuts
member: cn=Doughnut,ou=Groups,dc=example,dc=com

dn: cn=Doughnut,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
cn: doughnut
member: cn=User Alpha,ou=People,dc=example,dc=com

But alas:
# id alpha
uid=10001(alpha) gid=1000(users) groups=1000(users),1001(fruits)

And this is where the gnashing of teeth, pulling of hair, and wailing begin.
# getent group
root:x:0:root
...
users:*:1000:
fruits:*:1001:alpha
nuts:*:1002:

# getent group nuts
nuts:*:1002:

This one really puzzles me:
# sss_groupshow fruits
Error initializing the tools - no local domain

So, that's where I stand, on the brink between success and failure.  On the 
precipice of unemployment, and I beseech the wisdom of the crowd to rescue 
me.  Somewhere in the following sssd.conf file, or in my LDAP schema, or in 
SOMETHING, I'm missing a line, or have something misconfigured.  I'm at your 
collective mercy.

sssd.conf:
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = LDAP

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 60
entry_cache_nowait_timeout = 30
enum_cache_timeout = 30

[pam]
reconnection_retries = 3

[domain/LDAP]
ldap_uri = ldap://smbtest2
auth_provider = ldap
id_provider = ldap
chpass_provider = ldap
te = true
entry_cache_timeout = 10
cache_credentials = false
ldap_id_use_start_tls = True
ldap_schema = rfc2307bis
ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /etc/pki/tls/certs/slapdcert.pem
ldap_enumeration_refresh_timeout = 10
ldap_purge_cache_timeout = 10
ldap_group_nesting_level = 5
debug_level = 5

/etc/nsswitch.conf:
#
passwd:     files sss
shadow:     files sss
group:      files sss

hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus

/etc/ldap.conf (even though it should not be used, because SSS is handling 
NSS)
base dc=example,dc=com
uri ldap://smbtest2
ldap_version 3
scope sub
restart yes
pam_template_login_attribute uid
pam_password md5
bind_policy soft
network_timeout 5
timelimit 10
bind_timelimit 10
tls_cacertfile /etc/pki/tls/certs/slapdcert.pem
ssl start_tls
nss_schema rfc2307bis
nss_base_netgroup ou=Netgroups,dc=example,dc=com
nss_connect_policy persist
nss_map_attribute uniqueMember member

I have slightly modified the LDAP schemas to allow for empty groupOfNames (i.e. 
no members), and to make RFC2307bis work.

Any other files, debug output, logs, etc are available on request.  If I don't 
get this working, we'll wind up having to use netgroups and nis-like 
constructs, which I feel is a giant step backward in time.  Finally, I realize 
this is a "devel" list and not an "end user help" list, but I'm unsure of 
where else to turn.

Thanks in advance.
John Gorkos

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel

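The resolution the post expects from SSSD (a user listed in a plain groupOfNames that is itself a member of a posixGroup inherits that group's gid, with ldap_group_nesting_level bounding how far the chain is followed) can be spelled out as a small reference resolver. The following is an added example written for this page; it is not SSSD code and does not talk to LDAP. It walks an in-memory directory constructed to mirror the post's entries (users, fruits, nuts, doughnut, User Alpha) plus one constructed pair of mutually nested groups (cn=Almond and cn=Nuts) to show why a resolver needs cycle protection. The meaning given to the nesting level here (number of group-to-group hops followed, 0 = direct members only) is an assumption about how such a limit behaves, not a statement about SSSD's implementation.

```python
from collections import deque

def _norm(dn):
    # LDAP DNs match case-insensitively; normalise them for dictionary lookups.
    return dn.lower()

# Constructed directory: DN -> attributes (multi-valued attributes as lists).
_RAW = {
    "cn=User Alpha,ou=People,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["alpha"], "uidNumber": ["10001"], "gidNumber": ["1000"],
    },
    "cn=Users,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames", "posixGroup"],
        "cn": ["users"], "gidNumber": ["1000"], "member": [],
    },
    "cn=Fruits,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames", "posixGroup"],
        "cn": ["fruits"], "gidNumber": ["1001"],
        "member": ["cn=User Alpha,ou=People,dc=example,dc=com"],
    },
    # Nuts contains Doughnut (as in the post) and Almond (constructed cycle).
    "cn=Nuts,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames", "posixGroup"],
        "cn": ["nuts"], "gidNumber": ["1002"],
        "member": ["cn=Doughnut,ou=Groups,dc=example,dc=com",
                   "cn=Almond,ou=Groups,dc=example,dc=com"],
    },
    "cn=Doughnut,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["doughnut"],
        "member": ["cn=User Alpha,ou=People,dc=example,dc=com"],
    },
    # Constructed: Almond points back at Nuts, forming a membership cycle.
    "cn=Almond,ou=Groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"], "cn": ["almond"],
        "member": ["cn=Nuts,ou=Groups,dc=example,dc=com"],
    },
}
DIRECTORY = {_norm(dn): attrs for dn, attrs in _RAW.items()}

def expand_members(group_dn, nesting_level=5):
    """Return the normalised DNs of non-group members reachable from group_dn.

    Follows the member attribute of nested groupOfNames entries for at most
    nesting_level group-to-group hops (0 = direct members only). The visited
    set stops a membership cycle from looping forever; member DNs that do not
    resolve to an entry are ignored, as a resolver should."""
    users = set()
    visited = {_norm(group_dn)}
    queue = deque([(_norm(group_dn), 0)])
    while queue:
        dn, depth = queue.popleft()
        for member in DIRECTORY.get(dn, {}).get("member", []):
            mdn = _norm(member)
            target = DIRECTORY.get(mdn)
            if target is None:
                continue
            if "groupOfNames" in target["objectClass"]:
                if depth < nesting_level and mdn not in visited:
                    visited.add(mdn)
                    queue.append((mdn, depth + 1))
            else:
                users.add(mdn)
    return users

def posix_groups_for(user_dn, nesting_level=5):
    """Return 'gid(cn)' strings, sorted by gid: the user's primary group plus
    every posixGroup whose expanded membership contains the user. Only entries
    carrying posixGroup count; a bare groupOfNames never yields a gid."""
    udn = _norm(user_dn)
    primary_gid = int(DIRECTORY[udn]["gidNumber"][0])
    found = {}
    for dn, entry in DIRECTORY.items():
        if "posixGroup" not in entry["objectClass"]:
            continue
        gid = int(entry["gidNumber"][0])
        if gid == primary_gid or udn in expand_members(dn, nesting_level):
            found[gid] = entry["cn"][0]
    return [f"{gid}({cn})" for gid, cn in sorted(found.items())]

def id_line(user_dn, nesting_level=5):
    """Render the membership in the layout `id` prints (groups sorted by gid)."""
    user = DIRECTORY[_norm(user_dn)]
    gid = int(user["gidNumber"][0])
    primary = next(e["cn"][0] for e in DIRECTORY.values()
                   if "posixGroup" in e["objectClass"]
                   and int(e["gidNumber"][0]) == gid)
    return (f"uid={user['uidNumber'][0]}({user['uid'][0]}) gid={gid}({primary}) "
            f"groups={','.join(posix_groups_for(user_dn, nesting_level))}")

if __name__ == "__main__":
    print(id_line("cn=User Alpha,ou=People,dc=example,dc=com"))
```

With the nesting level at 5, alpha resolves to users, fruits and nuts, which is the result the post is after; with the nesting level at 0 the Doughnut hop is not followed and nuts drops out, which matches the behaviour the post actually observed. Checking a resolver against both settings, and against a constructed cycle like Almond/Nuts, is a cheap way to tell a configuration limit apart from a schema or attribute-mapping problem.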