On 02/15/2013 01:42 PM, John Dennis wrote:
On 02/15/2013 02:23 PM, Orion Poplawski wrote:
On 02/15/2013 12:01 PM, Orion Poplawski wrote:

I've been trying to track down any bugs I may have filed without success, but
I'm pretty sure I tried at first adding a system user to LDAP groups and that
not working unless the system user was in LDAP.  This may have been before I
started using SSSD on the servers so I'll need to retest this.

This still appears to be the case.  As soon as I removed the system user from
our current ldap database, id now longer reported any other group memberships.
   This is with the default using "memberUid" for group membership.  With the
IPA schema of recording group membership with the full dn, it seems the user
would have to be in the database to have a dn.

Yes you're right, the user has to exist in LDAP in order to be a member of a
group managed in LDAP.

Your other alternative is not put these system users in LDAP and instead use
local users & groups managed via some other mechanism (puppet?).

I've been testing with puppet, but that doesn't work. It detects the groups presence in ldap, so doesn't add them to /etc/group, then when it goes to add apache to the various groups, that fails. Possibly could missing functionality in puppet, but not a solution at the moment.

Orion Poplawski
Technical Manager                     303-415-9701 x222
NWRA, Boulder Office                  FAX: 303-415-9702
3380 Mitchell Lane                       or...@nwra.com
Boulder, CO 80301                   http://www.nwra.com

Freeipa-users mailing list

Reply via email to