On 21.06.23 17:29, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer via FreeIPA-users wrote:
On 20.06.23 16:08, Alexander Bokovoy wrote:
On Tue, 20 Jun 2023, Ronald Wimmer via FreeIPA-users wrote:
On 20.06.23 15:57, Alexander Bokovoy wrote:
On Tue, 20 Jun 2023, Ronald Wimmer via FreeIPA-users wrote:
On 20.06.23 15:45, Rob Crittenden via FreeIPA-users wrote:
Ronald Wimmer via FreeIPA-users wrote:
I can and use IPA users on an AIX client. As well as groups. But somehow
group membership does not seem to be configured correctly...
# id y179768
uid=1246660005(y179768) gid=1246660005(y179768)
# lsgroup -R LDAP ipa-aix-g
ipa-aix-g id=1246690508 users= registry=LDAP
Does anyone have a hint what could be misconfigured?
There isn't enough information. How is LDAP configured, what
search bases?
What is ipa-aix-g? What membership do you expect?
How does the group relate to the user you id'd?
I'll try to clarify.
ipa-aix-g is the IPA group containing several members, y179768 for
example.
/etc/security/ldap/ldap.cfg:
userbasedn:cn=users,cn=accounts,dc=linux,dc=mydomain,dc=at
groupbasedn:cn=groups,cn=accounts,dc=linux,dc=mydomain,dc=at
Which LDAP schema is the AIX configuration expecting to use? RFC2307 or
RFC2307bis?
The primary LDAP tree in FreeIPA is using RFC2307bis (e.g.
member/memberof, not memberuid attributes).
I did not do the AIX client configuration by myself. I am just trying
to assist my AIX colleagues to find the problem...
What I saw were two map files in /etc/security/ldap named
2307user.map and 2307group.map. So I am suspecting that they are
trying to use RFC2307. In order to use that we would need to use a
different configuration? Is this where the compat tree comes into play?
Correct. If your clients are using RFC2307, compat tree is what could be
used to provide them the data in the format they expect. However, I'd
rather ask AIX admins to use RFC2307bis. For example,
https://www.ibm.com/support/pages/aix-how-configure-aix-ldap-or-krb5ldap-client
talks about other maps for AD (which is also using member/memberof, not
memberuid).
Just to avoid any confusion. Is the link you provided an example for
2307bis configuration? I am asking because the term "2307bis" is not
mentioned at all in the article...
It isn't and the group configuration is rather subtle.
Near as I can tell you want to look for:
#users SEC_LIST memberUid m na yes
users SEC_LIST member m na yes
memberUid is RFC 2307 and member is RFC 2307bis.
I tried to configure an AIX client the bis way. Now the IPA group shows
its members. Perfect. However, the id command does not list the IPA
group. As a result, sudo commands do not work because these rights were
given to the IPA group.
I've added
groups SEC_LIST memberof s na yes
to the 2307bisuser.map file because I thought that might fit. But
unfortunately it did not.
What might I be missing?
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
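The lookups the thread is circling around, as an added example (not code from the thread, from FreeIPA or from AIX): the same group is resolved against a constructed LDIF snapshot shaped like FreeIPA's two trees, cn=accounts (RFC 2307bis: `member` DNs on the group, `memberOf` DNs on the user) and cn=compat (RFC 2307: `memberUid` on the group). The base DN, the user y179768, the group ipa-aix-g and the ID numbers shown by `id`/`lsgroup` are taken from the thread; the second user y200001 and the `cn=compat` entry are made up for the snapshot, and the 2307 lookup is run against the 2307bis tree to reproduce the empty `users=` list from the first message. The `memberOf` helper only shows what that attribute carries (group DNs, not names); whether an AIX `groups` mapping can consume it is not something the thread settles.

```python
"""Group-membership lookup under RFC 2307 vs RFC 2307bis (added example)."""

BASE = "dc=linux,dc=mydomain,dc=at"
USERS = f"cn=users,cn=accounts,{BASE}"
GROUPS_BIS = f"cn=groups,cn=accounts,{BASE}"   # groupbasedn from the thread (RFC 2307bis)
GROUPS_2307 = f"cn=groups,cn=compat,{BASE}"    # FreeIPA compat tree (RFC 2307 view)

# Constructed snapshot; y200001 and the compat entry are invented for illustration.
SAMPLE_LDIF = f"""\
dn: uid=y179768,{USERS}
uid: y179768
uidNumber: 1246660005
gidNumber: 1246660005
memberOf: cn=ipa-aix-g,{GROUPS_BIS}

dn: cn=ipa-aix-g,{GROUPS_BIS}
cn: ipa-aix-g
gidNumber: 1246690508
member: uid=y179768,{USERS}
member: uid=y200001,{USERS}

dn: cn=ipa-aix-g,{GROUPS_2307}
cn: ipa-aix-g
gidNumber: 1246690508
memberUid: y179768
memberUid: y200001
"""


def parse_ldif(text):
    """Minimal LDIF parser (no base64, no folded lines) -> {dn: {attr: [values]}}.
    Attribute names are lower-cased so memberOf/memberof/memberUid compare reliably."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(name, []).append(value)
    return entries


def _under(dn, base):
    return dn.lower().endswith("," + base.lower())


def _rdn_value(dn):
    """'uid=y179768,cn=users,...' -> 'y179768' (value of the first RDN)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def find_user(entries, user_base, uid):
    for dn, attrs in entries.items():
        if _under(dn, user_base) and attrs.get("uid", [None])[0] == uid:
            return dn, attrs
    raise KeyError(uid)


def group_members(entries, group_base, cn, schema):
    """Members of a group, the way `lsgroup` needs them: memberUid values (RFC 2307)
    or the uid RDN of each member DN (RFC 2307bis)."""
    for dn, attrs in entries.items():
        if _under(dn, group_base) and attrs.get("cn", [None])[0] == cn:
            if schema == "rfc2307":
                return sorted(attrs.get("memberuid", []))
            return sorted(_rdn_value(m) for m in attrs.get("member", []))
    raise KeyError(cn)


def groups_for_user(entries, group_base, user_dn, uid, schema):
    """Groups under group_base listing the user, as sorted [(cn, gidNumber)].
    RFC 2307 matches memberUid=<uid>; RFC 2307bis matches member=<user DN>."""
    found = []
    for dn, attrs in entries.items():
        if not _under(dn, group_base):
            continue
        if schema == "rfc2307":
            hit = uid in attrs.get("memberuid", [])
        elif schema == "rfc2307bis":
            hit = user_dn.lower() in (m.lower() for m in attrs.get("member", []))
        else:
            raise ValueError(schema)
        if hit:
            found.append((attrs["cn"][0], int(attrs["gidnumber"][0])))
    return sorted(found)


def groups_from_memberof(entries, user_dn):
    """Group names carried by the user's memberOf attribute (DNs, reduced to cn)."""
    return sorted(_rdn_value(g) for g in entries[user_dn].get("memberof", []))


def id_output(entries, user_base, group_base, uid, schema):
    """Render an `id`-style line; the primary gid is shown with the user's name,
    as FreeIPA's user-private group carries that name."""
    user_dn, attrs = find_user(entries, user_base, uid)
    line = f"uid={attrs['uidnumber'][0]}({uid}) gid={attrs['gidnumber'][0]}({uid})"
    groups = groups_for_user(entries, group_base, user_dn, uid, schema)
    if groups:
        line += " groups=" + ",".join(f"{gid}({cn})" for cn, gid in groups)
    return line


if __name__ == "__main__":
    e = parse_ldif(SAMPLE_LDIF)
    for base, schema in ((GROUPS_BIS, "rfc2307"), (GROUPS_2307, "rfc2307"), (GROUPS_BIS, "rfc2307bis")):
        print(f"{schema} against {base}")
        print("  lsgroup members:", group_members(e, base, "ipa-aix-g", schema))
        print("  id:", id_output(e, USERS, base, "y179768", schema))
```

Running it shows the mismatch directly: an RFC 2307 client pointed at cn=groups,cn=accounts finds no memberUid and reports an empty member list and no supplementary groups, while the same client pointed at the compat tree, or an RFC 2307bis client pointed at cn=accounts, resolves ipa-aix-g in both directions.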