On Tue, Oct 22, 2013 at 11:25 AM, <[email protected]> wrote:

> We tried that and, sadly, it made no difference. In fact, we get LESS
> information than before. It appears as though we get the main group, and
> it does not know how to dig further to get the sub-groups and group
> members. Also, we found that our ldap_group_member is called uniqueMember
> and not memberUid. Perhaps that's unique to your installation?
>
> Any other ideas? Should we post our sssd.conf?
>
> Thanks,
> Harry
>
> Harry Devine
> Common ARTS Software Development
> AJM-245
> (609)485-4218
> [email protected]
>
> From: Justin Edmands <[email protected]>
> To: "General discussion list for the 389 Directory server project." <[email protected]>
> Date: 10/22/2013 10:22 AM
> Subject: Re: [389-users] (no subject)
> Sent by: [email protected]
> ------------------------------
>
> On Tue, Oct 22, 2013 at 9:51 AM, <[email protected]> wrote:
>
> We have been working this problem for two weeks debugging. We have 389-ds
> running and multi-master with 3 RHEL6 servers and a RHEL5. The RHEL5 ldap
> clients authenticate correctly to the RHEL6 389-ds directory server and
> with 'id' command can see all groups a user belongs to.
>
> The same command in a RHEL6 ldap client using sssd shows ONLY the primary
> group. If we change the ldap clients to point at the RHEL5 389-ds directory
> server the same results occur. The one consistency is any RHEL6 ldap client
> we setup will authenticate to either RHEL5 or RHEL6 but the entire list of
> groups that user belongs to does not transfer independent of server version.
> We have enumerate set to true and we have ldap_group_member set to
> uniqueMember. This seems to point to the ldap client as RHEL5 client works
> just fine and both RHEL5 and RHEL6 389-ds servers react the same but we're
> not sure how to correct or is it a bug. HELP?
>
> Thanks!
>
> Harry Devine
> Common ARTS Software Development
> AJM-245
> (609)485-4218
> [email protected]
> --
> 389 users mailing list
> [email protected]
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
> I had the same issue. SSSD needs to be told where to pull these from.
>
> I had to add this to the global section of the sssd.conf (you may need to
> disable all caching devices as well. They will hold the old "id" lookups)
>
> ldap_group_member = memberUid
> ldap_group_search_base = ou=<your group here>,dc=sagedining,dc=com

Please do
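
An added example, not part of the thread and not code from the SSSD or 389 projects: a small check that compares the membership attribute a group entry actually carries (uniqueMember with DN values, as reported above) against the ldap_group_member setting in each [domain/...] section of sssd.conf. It assumes SSSD's documented ldap_schema semantics (rfc2307, the default, expects login names in memberUid; other schemas expect member DNs); ldap_schema is not mentioned in the thread, and the LDIF, the config text and the example.com names are constructed.

```python
import configparser

MEMBER_ATTRS = {"memberuid", "member", "uniquemember"}

# Constructed sample data (not from the thread).
GROUP_LDIF = """\
dn: cn=devs,ou=Groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: devs
uniqueMember: uid=alice,ou=People,dc=example,dc=com
uniqueMember: uid=bob,ou=People,dc=example,dc=com
"""
CONF = "[domain/default]\nid_provider = ldap\nldap_group_member = {attr}\n"

def group_member_style(ldif):
    """Map each membership attribute in a group entry to 'dn' or 'name'."""
    styles = {}
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        if not sep or value.startswith(":"):   # skip non-attributes, base64
            continue
        if attr.strip().lower() in MEMBER_ATTRS:
            # A DN contains attribute=value pairs; a login name does not.
            styles[attr.strip().lower()] = "dn" if "=" in value else "name"
    return styles

def check_domains(conf_text, ldif):
    """Return one finding per [domain/...] section whose settings mismatch."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    styles = group_member_style(ldif)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        schema = opts.get("ldap_schema", "rfc2307").strip().lower()
        default = "memberuid" if schema == "rfc2307" else "member"
        attr = opts.get("ldap_group_member", default).strip().lower()
        wanted = "name" if schema == "rfc2307" else "dn"
        if attr not in styles:
            findings.append(f"{section}: group entries carry no '{attr}' values")
        elif styles[attr] != wanted:
            findings.append(f"{section}: '{attr}' holds {styles[attr]} values, "
                            f"ldap_schema={schema} expects {wanted} values")
    return findings

if __name__ == "__main__":
    for attr in ("memberUid", "uniqueMember"):
        print(attr, check_domains(CONF.format(attr=attr), GROUP_LDIF))
```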
