On Tue, Oct 22, 2013 at 9:51 AM, <[email protected]> wrote:
>
> We have been working this problem for two weeks debugging. We have 389-ds
> running and multi-master with 3 RHEL6 servers and a RHEL5. The RHEL5 ldap
> clients authenticate correctly to the RHEL6 389-ds directory server and
> with 'id' command can see all groups a user belongs to.
>
> The same command in a RHEL6 ldap client using sssd shows ONLY the primary
> group. If we change the ldap clients to point at the RHEL5 389-ds directory
> server the same results occur. The one consistency is any RHEL6 ldap client
> we setup will authenticate to either RHEL5 or RHEL6 but the entire list of
> groups that user belongs to do not transfer independent of server version.
> We have enumerate set to true and we have ldap_group_member set to
> uniqueMember. These seem to point to the ldap client as RHEL5 client works
> just fine and both RHEL5 and RHEL6 389-ds servers react the same but we're
> not sure how to correct or is it a bug. HELP?
>
> Thanks!
>
> Harry Devine
> Common ARTS Software Development
> AJM-245
> (609)485-4218
> [email protected]
> --
> 389 users mailing list
> [email protected]
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
I had the same issue. SSSD needs to be told where to pull these from. I had to add this to the global section of the sssd.conf (you may need to disable all caching devices as well; they will hold the old "id" lookups):

    ldap_group_member = memberUid
    ldap_group_search_base = ou=<your group here>,dc=sagedining,dc=com
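The two settings in the reply matter because they decide which group entries an SSSD client can see and which attribute it reads membership from: groupOfUniqueNames-style groups list members as DNs in uniqueMember, posixGroup-style groups list them as bare uids in memberUid, and a client configured for one will only ever find the primary group (via gidNumber) when the directory actually uses the other. The following script is an added illustration, not SSSD code and not anything posted in this thread; it resolves a user's groups from a small constructed directory snapshot under different ldap_group_member and ldap_group_search_base values, and includes a small audit of which membership attributes the groups really carry, which is the check to run before picking the value. All DNs, uids and group names below are made up.

```python
"""Resolve a user's LDAP groups the way an SSSD-style client would, under
different ldap_group_member / ldap_group_search_base settings.

Added example, not SSSD or 389-ds code. The directory snapshot is constructed
inline; every DN, uid and group name is fictitious. DN comparison is an exact
string match, a simplification of LDAP's case- and whitespace-insensitive
DN matching.
"""
from collections import Counter
from typing import Dict, List

# Constructed snapshot: one user, one primary group, one group that records
# members as DNs (uniqueMember) and one that records them as uids (memberUid).
USER_DN = "uid=hdevine,ou=people,dc=example,dc=com"
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    USER_DN: {
        "objectClass": ["posixAccount"],
        "uid": ["hdevine"],
        "gidNumber": ["1000"],
    },
    "cn=users,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "cn": ["users"],
        "gidNumber": ["1000"],
    },
    "cn=devs,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup", "groupOfUniqueNames"],
        "cn": ["devs"],
        "gidNumber": ["2000"],
        "uniqueMember": [USER_DN],
    },
    "cn=ops,ou=groups,dc=example,dc=com": {
        "objectClass": ["posixGroup"],
        "cn": ["ops"],
        "gidNumber": ["3000"],
        "memberUid": ["hdevine", "someone"],
    },
}

# Attributes whose values are member DNs; anything else is treated as a uid list.
DN_VALUED_MEMBER_ATTRS = ("member", "uniqueMember")


def resolve_groups(user_dn: str, ldap_group_member: str,
                   search_base: str = "ou=groups,dc=example,dc=com",
                   directory: Dict[str, Dict[str, List[str]]] = DIRECTORY) -> List[str]:
    """Return the sorted group names a client would report for user_dn.

    Only posixGroup entries under search_base are considered. The primary
    group is matched by gidNumber; every other group is matched by looking
    for the user in the attribute named by ldap_group_member.
    """
    user = directory[user_dn]
    uid = user["uid"][0]
    primary_gid = user["gidNumber"][0]
    # DN-valued attributes are searched for the user's DN, uid-valued ones for the uid.
    needle = user_dn if ldap_group_member in DN_VALUED_MEMBER_ATTRS else uid

    groups: List[str] = []
    for dn, entry in directory.items():
        if "posixGroup" not in entry["objectClass"]:
            continue
        if not dn.endswith("," + search_base):
            continue  # outside ldap_group_search_base: invisible to the client
        if entry["gidNumber"][0] == primary_gid:
            groups.append(entry["cn"][0])  # primary group, found without membership attrs
        elif needle in entry.get(ldap_group_member, []):
            groups.append(entry["cn"][0])  # secondary group via the configured attribute
    return sorted(groups)


def group_member_attributes(directory: Dict[str, Dict[str, List[str]]] = DIRECTORY) -> Dict[str, int]:
    """Count which membership attributes the group entries actually use.

    This is the check to run before setting ldap_group_member: the value must
    name an attribute the groups really carry.
    """
    counts: Counter = Counter()
    for entry in directory.values():
        if "posixGroup" not in entry["objectClass"]:
            continue
        for attr in ("member", "uniqueMember", "memberUid"):
            if attr in entry:
                counts[attr] += 1
    return dict(counts)


if __name__ == "__main__":
    for attr in ("uniqueMember", "memberUid", "member"):
        print(f"ldap_group_member = {attr:<13} -> {resolve_groups(USER_DN, attr)}")
    print("membership attributes in use:", group_member_attributes())
```

Running it shows the symptom from the original post: with ldap_group_member pointing at an attribute the groups do not use, only the primary group comes back, and with a search base that does not cover the group subtree nothing comes back at all. The audit output tells you which value the directory actually calls for.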
