On 02/15/2013 01:42 PM, John Dennis wrote:
On 02/15/2013 02:23 PM, Orion Poplawski wrote:
On 02/15/2013 12:01 PM, Orion Poplawski wrote:
I've been trying to track down any bugs I may have filed without success, but
I'm pretty sure I tried at first adding a system user to LDAP groups and that
not working unless the system user was in LDAP. This may have been before I
started using SSSD on the servers so I'll need to retest this.
This still appears to be the case. As soon as I removed the system user from
our current ldap database, id now longer reported any other group memberships.
This is with the default using "memberUid" for group membership. With the
IPA schema of recording group membership with the full dn, it seems the user
would have to be in the database to have a dn.
Yes you're right, the user has to exist in LDAP in order to be a member of a
group managed in LDAP.
Your other alternative is not put these system users in LDAP and instead use
local users & groups managed via some other mechanism (puppet?).
I've been testing with puppet, but that doesn't work. It detects the groups
presence in ldap, so doesn't add them to /etc/group, then when it goes to add
apache to the various groups, that fails. Possibly could missing
functionality in puppet, but not a solution at the moment.
Technical Manager 303-415-9701 x222
NWRA, Boulder Office FAX: 303-415-9702
3380 Mitchell Lane or...@nwra.com
Boulder, CO 80301 http://www.nwra.com
Freeipa-users mailing list