I'm about to move our FreeIPA platform into production on Monday but I've
just noticed a worrying issue with sssd - getent group is not showing group
members and id is not showing secondary groups.

Currently all our servers are configured with sssd using our old LDAP
(389-ds) as a backend. It works great, id shows all my secondary groups:

# id peter.pakos
uid=1396(peter.pakos) gid=511(Engineering)

After re-configuring sssd to use FreeIPA's LDAP directory, id is only
showing primary group, the secondary groups are missing:

# id peter.pakos
uid=1396(peter.pakos) gid=511(engineering) groups=511(engineering)

Similarly, getent is not showing group members:

# getent group engineering


# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
# ipa --version
VERSION: 4.2.0, API_VERSION: 2.156

This is an example sssd.conf file I'm using in my tests:

ldap_tls_reqcert = demand
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = cn=accounts,dc=ipa,dc=wandisco,dc=com
ldap_group_search_base = cn=groups,cn=accounts,dc=ipa,dc=wandisco,dc=com
ldap_user_search_base = cn=users,cn=accounts,dc=ipa,dc=wandisco,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://shdc01.ipa.wandisco.com,
ldaps://shdc02.ipa.wandisco.com, ldaps://ashb01.ipa.wandisco.com,
ldaps://ashb02.ipa.wandisco.com, ldaps://frem01.ipa.wandisco.com
ldap_tls_cacert = /etc/ipa/ca.crt

services = nss, pam
config_file_version = 2
domains = ipa.wandisco.com






Am I missing anything in the sssd configuration?

Any advice would be greatly appreciated.

Kind regards,
 Peter Pakos
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to