On 02/15/2013 04:01 PM, Orion Poplawski wrote:
> On 02/15/2013 01:42 PM, John Dennis wrote:
>> On 02/15/2013 02:23 PM, Orion Poplawski wrote:
>>> On 02/15/2013 12:01 PM, Orion Poplawski wrote:
>>>> I've been trying to track down any bugs I may have filed without
>>>> success, but I'm pretty sure I tried at first adding a system user to
>>>> LDAP groups and that not working unless the system user was in LDAP.
>>>> This may have been before I started using SSSD on the servers so I'll
>>>> need to retest this.
>>> This still appears to be the case.  As soon as I removed the system
>>> user from our current ldap database, id no longer reported any other
>>> group memberships.  This is with the default using "memberUid" for
>>> group membership.  With the IPA schema of recording group membership
>>> with the full dn, it seems the user would have to be in the database
>>> to have a dn.
>> Yes you're right, the user has to exist in LDAP in order to be a
>> member of a group managed in LDAP.
>> Your other alternative is to not put these system users in LDAP and
>> instead use local users & groups managed via some other mechanism
>> (puppet?).
> I've been testing with puppet, but that doesn't work.  It detects the
> groups' presence in ldap, so doesn't add them to /etc/group, then when it
> goes to add apache to the various groups, that fails.  Possibly could be
> missing functionality in puppet, but not a solution at the moment.

sssd.conf has some filter directives that will prevent sssd from looking
up the specified users/groups.  That should prevent puppet from
detecting the LDAP group.

*question everything*learn something*answer nothing*
Lucas Yamanishi
Systems Administrator, ADNET Systems, Inc.
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A
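To make the suggestion above concrete, here is an sssd.conf fragment that
uses the [nss] filter directives. This is an added example, not
configuration posted in the thread; the domain name "example.com", the LDAP
server and search base, and the group name "webdev" are assumptions chosen
for illustration (the user "apache" is the one discussed above).

```ini
# /etc/sssd/sssd.conf (added example; domain, server, search base and the
# group name "webdev" are assumed values, not taken from the thread)
[sssd]
services = nss, pam
domains = example.com

[nss]
# Comma-separated lists of names that sssd will refuse to look up.
# NSS then falls through to the local files (/etc/passwd, /etc/group)
# for these entries, so puppet sees the group as absent and creates it
# locally. "root" is the default value; keep it when adding your own.
filter_users = root, apache
filter_groups = root, webdev
# Default is true: users listed in filter_users are also stripped from the
# member lists of any LDAP group sssd returns. Shown here explicitly so
# the side effect on "apache" is visible.
filter_users_in_groups = true

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
```

After editing the file restart sssd and confirm with `getent group webdev`
that the entry now comes from /etc/group rather than LDAP (the GID and
member list will be the local ones). Two caveats: a group named in
filter_groups is invisible through sssd on that host, so any LDAP users
whose access depended on the LDAP copy of that group lose it there, which
means the local and LDAP definitions have to be kept in sync by whatever
tool manages them; and a user named in filter_users drops out of every
LDAP group's member list on that host (filter_users_in_groups), which is
consistent with the behaviour Orion saw for a system user that is not in
LDAP at all.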

Freeipa-users mailing list