On Tue, 23 Sep 2014, Loris Santamaria wrote:
Querying for group membership in the compat tree within a trust
environment seems to be rather flaky:

     * userA and userB are members of admins@ad. admins@ad is member of
       internet_access@ad
     * internet_access@ad is member of internet_access_external@ad
     * internet_access_external@ad is member of internet_access@ad
     * I restart ipa and clear sssd cache on the master to start with a
       clean compat tree
     * searching for (&(objectClass=posixGroup)(memberUid=userA@ad))
       returns that he is a member of internet_access@ipa (expected
       result)
     * searching for (&(objectClass=posixGroup)(memberUid=userB@ad))
       doesn't return him as a member of internet_access@ipa
       (unexpected)
slapi-nis doesn't fully support the latter case yet, it is known issue,
though in the https://fedorahosted.org/freeipa/ticket/4403 it is
manifested a bit differently.


--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to