On Thu, 18 Jan 2024, Florence Blanc-Renaud via FreeIPA-users wrote:
Hi,

On Thu, Jan 18, 2024 at 12:03 PM Finn Fysj via FreeIPA-users <[email protected]> wrote:

I'm experiencing problems on my RHEL 9 instance when looking up members of a
group using getent group <GROUP NAME>. I can only get users which have
direct access to a group, and not the "user groups" part of the group.



My sssd.conf:
[domain/<DOMAIN>]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
sudo_provider = ldap

If your provider is LDAP (and not IPA), you should ask on this mailing
list instead: [email protected] (see
https://sssd.io/community.html).

If the server side is IPA, why is the client configured with the LDAP
provider?

I also do not see in the configuration above whether you have configured
SSSD to use authentication when talking to the LDAP server (IPA?). Did you
simply omit them in the email, or are they fully missing?

E.g. 'ldap_default_bind_dn' and 'ldap_default_authtok' are missing.

Without authenticated bind, one cannot see member values:

dn: cn=groups,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "member || memberhost || memberof || memberuid || memberuser")(targetfilter = "(|(objectclass=ipausergroup)(objectclass=posixgroup))")(version 3.0;acl "permission:System: Read Group Membership";allow (compare,read,search) userdn = "ldap:///all";;)

For any POSIX group you can only read those attributes when
authenticated.

flo

ldap_uri = ldaps://ipa.example.com
ldap_schema = rfc2307bis

ldap_search_base = dc=example,dc=com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
ldap_user_search_base = cn=users,cn=accounts,dc=example,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=example,dc=com

[sssd]
services = nss, pam, sudo
domains = default

[nss]
homedir_substring = /home

[pam]

[sudo]
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
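As an added illustration (not part of the thread, and not SSSD's or FreeIPA's own code), a small Python lint over an sssd.conf that flags the two points raised above: an LDAP-provider domain with no bind credentials, which makes SSSD bind anonymously and so run into the group-membership ACI, and a malformed ldap_uri. The config text is constructed to resemble the one in the question; the names in it are placeholders.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sssd.conf modelled on the thread: ldap provider pointed at an
# IPA server, no bind credentials, and the "ldaps:/" typo from the mail.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, sudo
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps:/ipa.example.com
ldap_schema = rfc2307bis
ldap_search_base = dc=example,dc=com
"""

def lint_sssd_conf(text):
    """Return a list of findings for LDAP-provider domains in an sssd.conf.

    - every name in [sssd] domains= must have a [domain/<name>] section
    - id_provider = ldap needs ldap_default_bind_dn + ldap_default_authtok
      or an ldap_sasl_mech; otherwise SSSD binds anonymously and IPA's ACI
      (userdn = "ldap:///all") hides member/memberUid on POSIX groups
    - ldap_uri entries must be ldap:// or ldaps:// URIs with a host part
    """
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    findings = []
    listed = [d.strip() for d in cfg.get("sssd", "domains", fallback="").split(",") if d.strip()]
    for name in listed:
        if not cfg.has_section(f"domain/{name}"):
            findings.append(f"domain '{name}' listed in [sssd] but [domain/{name}] is missing")
    for section in cfg.sections():
        if not section.startswith("domain/") or cfg[section].get("id_provider") != "ldap":
            continue  # ipa/ad providers authenticate with the host keytab
        dom = cfg[section]
        for uri in filter(None, (u.strip() for u in dom.get("ldap_uri", "").split(","))):
            parts = urlsplit(uri)
            if parts.scheme not in ("ldap", "ldaps") or not parts.netloc:
                findings.append(f"{section}: malformed ldap_uri '{uri}'")
        simple_bind = dom.get("ldap_default_bind_dn") and dom.get("ldap_default_authtok")
        if not (simple_bind or dom.get("ldap_sasl_mech")):
            findings.append(f"{section}: no bind credentials, SSSD will bind anonymously")
    return findings

if __name__ == "__main__":
    for finding in lint_sssd_conf(SAMPLE_SSSD_CONF):
        print(finding)
```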