On Thu, 12 Jul 2018, Jakub Hrozek via FreeIPA-users wrote:
On Thu, Jul 12, 2018 at 10:54:55AM +0300, Alexander Bokovoy via FreeIPA-users wrote:
On Thu, 12 Jul 2018, tolotos--- via FreeIPA-users wrote:
> Hi,
>
> we have done some additional testing and debugging.
>
> It seems there are some problems with the extdom-extop plugin in the directory server.
>
> If we set ignore_group_members, the first request gets a good response.
> (tested by: server: sssctl cache-remove -p -s -o ; sleep 1; stop-dirsrv ; sleep 1; start-dirsrv / client: sssctl cache-remove -p -s -o ; sleep 1; sssctl user-checks user@ad.domain)
>
> However, starting with the second request, the extdom-extop returns every request with an err=32 Object Not Found.
>
> We already tried to increase ipaextdommaxnssbufsize and ipaextdommaxnsstimeout.
> (we increased error log level on dirsrv to be sure that the values are used: Maximal nss buffer size set to [268435456]! / Maximal nss timeout (in ms) set to [100000]!)
>
> Does someone have some ideas where to look from here?
Setting ignore_group_members on IPA masters does not really allow extdom
plugin to work well.

Are you sure? I've seen quite a few users enabling this switch..

(Maybe you meant the compat tree which also publishes the group
members?)
The compat tree does exactly the same calls as the extdom plugin. They both
retrieve membership information from sssd.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/QPZXMAX7FOF3LYUFKUGTQ2AIJIIGVAGY/
