I've set up two new IPA nodes to which I migrated users & groups from an old IPA server. When I do an ldapsearch -x uid=test-user on my client I'm not able to receive LDAP attributes such as memberOf and ipaSshPubKey. However, this is possible if I log onto the IPA nodes and do the ldapsearch.

I can confirm that by running ldapsearch -H ldaps://old.ipa.example.com uid=test-user I can receive the wanted attributes.

On new IPA node:

dn: uid=test-user,cn=users,cn=accounts,dc=example,dc=com
ipaNTSecurityIdentifier: S-1-5-21-xxxxxxxxxxxx
givenName: Test
sn: User
uid: test-user
cn: Test User
displayName: Test User
initials: TU
gecos: Test User
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
loginShell: /bin/sh
homeDirectory: /home/test-user
uidNumber: 5015
gidNumber: 5015

Old IPA:

dn: uid=test-user,cn=users,cn=accounts,dc=example,dc=com
ipaNTSecurityIdentifier: S-1-5-21-xxxxxxxxxxxx
givenName: Test
sn: User
uid: test-user
cn: Test User
displayName: Test User
initials: TU
gecos: Test User
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
loginShell: /bin/sh
homeDirectory: /home/test-user
uidNumber: 5015
gidNumber: 5015
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
ipaSshPubKey: ssh-rsa ..........

It's important to note that we're not using Kerberos for authentication, nor is ipa-client being used.

/etc/sssd/sssd.conf:

[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
sudo_provider = ldap
ldap_uri = ldaps://ipa.example.com
ldap_schema = rfc2307bis
ldap_search_base = dc=example,dc=com
ldap_user_search_base = cn=users,cn=accounts,dc=example,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=example,dc=com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_reqcert = allow
cache_credentials = true

[sssd]
services = nss, pam, sudo
domains = default

[nss]
homedir_substring = /home

[pam]

[sudo]

/etc/openldap/ldap.conf:

BASE dc=example,dc=com
URI ldap://ipa.example.com
SASL_NOCANON on
TLS_CACERT /etc/ssl/certs/ca-bundle.crt
TLS_CACERTDIR /etc/openldap/cacerts
sudoers_base ou=sudoers,dc=example,dc=com

/etc/sudo-ldap.conf:

BASE dc=example,dc=com
URI ldap://ipa.example.com
SASL_NOCANON on
TLS_CACERT /etc/ssl/certs/ca-bundle.crt
TLS_CACERTDIR /etc/openldap/cacerts
sudoers_base ou=sudoers,dc=example,dc=com

FreeIPA-users mailing list -- [email protected]
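To pinpoint exactly which attribute values one server returns and the other withholds, the following added script (not from the post, nor FreeIPA's or SSSD's own code) parses two ldapsearch LDIF outputs and lists what the reference entry has that the other lacks; the same check works for comparing an anonymous search against an authenticated one on the same server. The sample entries are constructed, trimmed versions of the two outputs quoted above, and the SSH key is a placeholder.

```python
import base64
from collections import defaultdict

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}; unfolds
    continuation lines (leading space) and decodes base64 ('::') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # LDIF line folding
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = defaultdict(list)
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):             # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        attrs[name.lower()].append(value)
    return dict(attrs)

def diff_entries(reference_ldif, candidate_ldif):
    """Values present in the reference entry but absent from the candidate,
    as {attribute: [values]} (attribute names compared case-insensitively)."""
    ref, cand = parse_ldif_entry(reference_ldif), parse_ldif_entry(candidate_ldif)
    missing = {}
    for name, values in ref.items():
        absent = [v for v in values if v not in cand.get(name, [])]
        if absent:
            missing[name] = absent
    return missing

# Constructed samples modelled on the post's two outputs (trimmed; placeholder key).
OLD_IPA = """\
dn: uid=test-user,cn=users,cn=accounts,dc=example,dc=com
uid: test-user
objectClass: ipasshuser
memberOf: cn=admins,cn=groups,cn=accounts,dc=example,dc=com
ipaSshPubKey: ssh-rsa PLACEHOLDER-KEY-PART1
 PLACEHOLDER-KEY-PART2
"""
NEW_IPA = """\
dn: uid=test-user,cn=users,cn=accounts,dc=example,dc=com
uid: test-user
objectClass: ipasshuser
"""
```

Run `diff_entries(OLD_IPA, NEW_IPA)` on the two real captures to get the list of withheld attributes; in the samples it reports memberOf and ipaSshPubKey.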
