On Thu, Jun 07, 2012 at 05:34:58PM -0400, Ian Levesque wrote:
> # ldapsearch -LLL -x -h sbgrid-directory -b cn=compat,dc=sbgrid,dc=org
> No such object (32)
> Matched DN: dc=sbgrid,dc=org

This result suggests that the plugin isn't running. Can you double-check by searching (as either the directory administrator or the IPA administrator) to verify that the plugin is enabled and configured to serve up group information? The search looks like:

  kinit admin
  ldapsearch -h sbgrid-directory -Y GSSAPI \
      -b "cn=Schema Compatibility,cn=plugins,cn=config" \
      nsslapd-pluginEnabled

The results should look like this:

  dn: cn=Schema Compatibility,cn=plugins,cn=config
  nsslapd-pluginEnabled: off

  dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config

  dn: cn=ng,cn=Schema Compatibility,cn=plugins,cn=config

  dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config

  dn: cn=users,cn=Schema Compatibility,cn=plugins,cn=config

If you drill down and read the whole cn=groups configuration entry, it should look like this:

  dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
  schema-compat-entry-attribute: objectclass=posixGroup
  schema-compat-entry-attribute: gidNumber=%{gidNumber}
  schema-compat-entry-attribute: memberUid=%{memberUid}
  schema-compat-entry-attribute: memberUid=%deref_r("member","uid")
  cn: groups
  objectClass: top
  objectClass: extensibleObject
  schema-compat-search-filter: objectclass=posixGroup
  schema-compat-container-rdn: cn=groups
  schema-compat-entry-rdn: cn=%{cn}
  schema-compat-search-base: cn=groups, cn=accounts, dc=sbgrid,dc=org
  schema-compat-container-group: cn=compat, dc=sbgrid,dc=org

HTH,

Nalin
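
The two checks described in this message, automated over saved `ldapsearch -LLL` output. This is an added example, not part of the original post and not FreeIPA code: it treats `nsslapd-pluginEnabled: on` as enabled, confirms that the `cn=groups` definition carries the `schema-compat-*` attributes listed above, and compares its container group with the base that was searched. The function names, the `SAMPLE` text and the simplified DN normalization are assumptions of this example, and base64 (`attr::`) values are not handled.

```python
import re
PLUGIN_DN = "cn=schema compatibility,cn=plugins,cn=config"
REQUIRED = tuple("schema-compat-" + s for s in (
    "search-filter", "search-base", "container-group", "container-rdn", "entry-rdn"))

def norm_dn(dn):
    # Simplification: lower-case, drop spaces around commas; escaped commas unsupported.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_ldif(text):
    """Parse `ldapsearch -LLL` output into {normalized dn: {attr: [values]}}."""
    entries, cur = {}, None
    for line in re.sub(r"\r?\n ", "", text).splitlines():  # unfold wrapped lines first
        attr, sep, value = line.partition(":")
        if not sep:                      # blank line ends the current entry
            cur = None
        elif attr.lower() == "dn":
            cur = entries.setdefault(norm_dn(value), {})
        elif cur is not None:
            cur.setdefault(attr.lower(), []).append(value.strip())
    return entries

def check_compat(entries, compat_base, set_name="groups"):
    """Return a list of problems; empty means the set definition looks complete."""
    problems = []
    plugin = entries.get(PLUGIN_DN, {})
    if plugin.get("nsslapd-pluginenabled", [""])[0].lower() != "on":
        problems.append("plugin entry missing or not enabled")
    conf = entries.get(f"cn={set_name},{PLUGIN_DN}")
    if conf is None:
        return problems + [f"cn={set_name} definition missing"]
    problems += [f"missing {a}" for a in REQUIRED if a not in conf]
    groups = [norm_dn(v) for v in conf.get("schema-compat-container-group", [])]
    if groups and norm_dn(compat_base) not in groups:
        problems.append("container group differs from searched base")
    return problems

# Constructed sample (not output from the thread): enabled plugin, folded DN line.
SAMPLE = """\
dn: cn=Schema Compatibility,cn=plugins,cn=config
nsslapd-pluginEnabled: on

dn: cn=groups,cn=Schema Compat
 ibility,cn=plugins,cn=config
schema-compat-search-filter: objectclass=posixGroup
schema-compat-container-rdn: cn=groups
schema-compat-entry-rdn: cn=%{cn}
schema-compat-search-base: cn=groups, cn=accounts, dc=sbgrid,dc=org
schema-compat-container-group: cn=compat, dc=sbgrid,dc=org
"""
print(check_compat(parse_ldif(SAMPLE), "cn=compat,dc=sbgrid,dc=org"))
```

To produce the input, run the search from the message without an attribute list so the full entries are returned, and pass the same base DN that the failing compat search used.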