On 17 July 2016 at 09:03, Alexander Bokovoy <aboko...@redhat.com> wrote:
> Your sssd configuration does not mention what DN is used to bind to the
> LDAP server to retrieve the data. This means you are using anonymous
> bind. Since FreeIPA 4.0 there is a number of attributes that are not
> available to anonymous binds, including 'member' and 'memberof'. Thus,
> SSSD does not see membership information when using anonymous binds.
> In normally enrolled IPA clients host/ipa.client@IPA.REALM Kerberos
> principal is used to bind to LDAP with GSSAPI when SSSD talks to LDAP
> server, thus all binds are authenticated and 'member'/'memberof'
> attributes are accessible.
> So you either need to enroll machines to IPA and switch your sssd.conf
> to use 'ipa' providers instead of ldap, or define a system account that
> can be used to bind to LDAP by your sssd clients. In short term
> perspective that would probably be an easier fix. For the latter see
> sssd-ldap(5), ldap_default_bind_dn, ldap_default_authtok options.
Adding the following lines to /etc/sssd/sssd.conf has fixed the issue for
ldap_schema = rfc2307bis
ldap_default_bind_dn = *dn*
ldap_default_authtok = *password*
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project