Hello,

I was wondering - I have searched around and seen a few questions and solutions, but nothing I try is fixing my environment.


Things have been working quite well with IPA 4.0.5, simple things with auth and logins - some with full ipa-client-install configured, others just using LDAP and that is where the strangeness comes from.

with full IPA client integration, secondary groups work just find, as do base commands like "id" and "getent". However, the "ldap" users, never show the secondary group for their uid?

Any pointers you might suggest? I have tried the sssd.conf of "ldap_group_member = uniqeMember" - no change.

a simple secondary group is defined:

dn: cn=web_users,cn=groups,cn=accounts,dc=example,dc=com
cn: web_users
objectClass: ipaobject
objectClass: extensibleobject
objectClass: top
objectClass: ipausergroup
objectClass: posixgroup
objectClass: groupofnames
objectClass: nestedgroup
memberUid: user1
memberUid: user2
memberUid: user3
memberUid: user4
memberUid: user5
member: uid=user1,cn=users,cn=accounts,dc=example,dc=com
member: uid=user2,cn=users,cn=accounts,dc=example,dc=com
member: uid=user3,cn=users,cn=accounts,dc=example,dc=com
member: uid=user4,cn=users,cn=accounts,dc=example,dc=com
member: uid=user5,cn=users,cn=accounts,dc=example,dc=com

and yet with debug_level = 7 -- sssd still says: [sdap_process_ghost_members] (0x0400): Group has 0 members
and "id" or "getent" of any of user1..5 just returns the primary GID.

Any ideas? Tips? What else might you want to see?

~J

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to