On Thu, Jul 22, 2010 at 04:49:50PM -0400, Simo Sorce wrote:
> On Thu, 22 Jul 2010 16:22:45 -0400
> Scott Duckworth <sduc...@clemson.edu> wrote:
> 
> > On Thu, Jul 22, 2010 at 3:39 PM, Simo Sorce <sso...@redhat.com> wrote:
> > 
> > > On Thu, 22 Jul 2010 15:30:23 -0400
> > > Scott Duckworth <sduc...@clemson.edu> wrote:
> > >
> > > > On Thu, Jul 22, 2010 at 11:59 AM, Simo Sorce <sso...@redhat.com>
> > > > wrote:
> > > >
> > > > > On Thu, 22 Jul 2010 11:10:25 -0400
> > > > > Scott Duckworth <sduc...@clemson.edu> wrote:
> > > > >
> > > > > > I removed all files from /var/lib/sss/db/ and restarted sssd.
> > > > > > Same behavior.  nscd is disabled, so I don't think it's
> > > > > > caching at any level.
> > > > > >
> > > > > > Here is what I ran:
> > > > > >
> > > > > > [r...@duck2 ~]# getent passwd sduckwo
> > > > > > sduckwo:*:45265:10000:Scott Duckworth:/home/sduckwo:/bin/bash
> > > > > > [r...@duck2 ~]# groups sduckwo
> > > > > > sduckwo : cuuser
> > > > > > [r...@duck2 ~]# getent group coes_socunix
> > > > > > coes_socunix:*:120105:sduckwo
> > > > >
> > > > >
> > > > I should add to this, that what I expected to see is this (from
> > > > one of the RHEL boxes using nss_ldap):
> > > >
> > > > [r...@potter commands]# groups sduckwo
> > > > sduckwo : cuuser coes_dpa coes_socunix coes_web_cs coes_web_fx
> > >
> > > If you log in as sduckwo you should just see that.
> > > The same if you do "id sduckwo"
> > >
> > 
> > No go...
> > 
> > [r...@duck2 ~]# service sssd stop
> > [r...@duck2 ~]# rm -f /var/lib/sss/db/*
> > [r...@duck2 ~]# service nscd stop
> > [r...@duck2 ~]# service sssd start
> > Starting sssd:                                             [  OK  ]
> > [r...@duck2 ~]# id sduckwo
> > uid=45265(sduckwo) gid=10000(cuuser) groups=10000(cuuser)
> > [r...@duck2 ~]# su - sduckwo
> > [16:05:24] sduc...@duck2:~ [1] id
> > uid=45265(sduckwo) gid=10000(cuuser) groups=10000(cuuser)
> > [16:05:26] sduc...@duck2:~ [2] groups
> > cuuser
> 
> Uhmmm this may be a side effect of your directory not having memberof
> I think we need to add special code to handle servers that use
> rfc2307bis schema but that do not use memberof.

In my test setup eDirectory uses an attribute named groupMembership in
the user object to store the DN of the groups the user belongs to. Can
you check if adding the option

ldap_user_member_of = groupMembership

does help here?

bye,
Sumit

> 
> > I'm unable to actually login due to pam_sss not working (see another
> > branch of this thread).
> 
> Yes, I think we need to file a few bugs and add support for servers
> like yours.
> 
> > > Of cours when a user logs in its information (including its group
> > > > > membership) is refreshed and validated, so at login time the
> > > > > membership is correctly updated for that user across all its
> > > > > groups.
> > > > >
> > > >
> > > > This seems to contradict your statement above, and also the
> > > > behavior I'm seeing.  It's not picking up secondary group
> > > > memberships unless they've already been cached, either through an
> > > > explicit getent or, presumably (if it ever finishes), via
> > > > enumeration.
> > >
> > > Your configuration showed that enumeration is disabled (as it should
> > > be), have you changed that ?
> > >
> > 
> > I did enable enumeration per what I thought was your previous
> > suggestion. I've now disabled it again.  To be clear, my current
> > sssd.conf is:
> > 
> > [sssd]
> > config_file_version = 2
> > reconnection_retries = 3
> > sbus_timeout = 30
> > services = nss, pam
> > domains = CLEMSONU
> > [nss]
> > debug_level = 7
> > filter_groups = root
> > filter_users = root
> > reconnection_retries = 3
> > entry_cache_timeout = 1
> > entry_cache_nowait_timeout = 1
> > [pam]
> > debug_level = 7
> > reconnection_retries = 3
> > [domain/CLEMSONU]
> > debug_level = 20
> > enumerate = False
> > cache_credentials = False
> > id_provider = ldap
> > auth_provider = ldap
> > ldap_schema = rfc2307bis
> > chpass_provider = ldap
> > min_id = 1000
> > ldap_uri = ldaps://clemsonuldap.clemson.edu
> > ldap_id_use_start_tls = False
> > ldap_tls_cacertdir = /etc/openldap/cacerts
> > tls_reqcert = demand
> > ldap_default_bind_dn = cn=CoESProxy,ou=proxyUsers,o=CLEMSONU
> > ldap_default_authtok_type = password
> > ldap_default_authtok = xxxxxx
> > ldap_search_base = ou=SoC,ou=CES,o=CLEMSONU
> > ldap_user_search_base = o=CLEMSONU
> > ldap_group_search_base = o=CLEMSONU
> > ldap_user_shell = coesLoginShell
> > ldap_user_gecos = fullName
> > ldap_user_fullname = fullName
> > ldap_pwd_policy = none
> > 
> > and /etc/openldap/ldap.conf is:
> > 
> > DEREF           always
> > URI ldaps://clemsonuldap.clemson.edu
> > BASE ou=SoC,ou=CES,o=CLEMSONU
> > TLS_CACERTDIR /etc/openldap/cacerts
> > 
> > 
> > > If you are witnessing long dealys on login then you are hitting the
> > > initgroups problem we are going to fix shortly.
> > >
> > 
> > I believe the long delays were caused by enumeration.  There are no
> > such delays with enumeration disabled.
> 
> yes, it is expected that enumeration is quite heavy, as it has to query
> all users and groups and cache that information. That's why we disable
> it by default.
> 
> Simo.
> 
> -- 
> Simo Sorce * Red Hat, Inc * New York
> 
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to