On 17 July 2016 at 09:03, Alexander Bokovoy <aboko...@redhat.com> wrote:
> Your sssd configuration does not mention what DN is used to bind to the > LDAP server to retrieve the data. This means you are using anonymous > bind. Since FreeIPA 4.0 there is a number of attributes that are not > available to anonymous binds, including 'member' and 'memberof'. Thus, > SSSD does not see membership information when using anonymous binds. > > In normally enrolled IPA clients host/ipa.client@IPA.REALM Kerberos > principal is used to bind to LDAP with GSSAPI when SSSD talks to LDAP > server, thus all binds are authenticated and 'member'/'memberof' > attributes are accessible. > > So you either need to enroll machines to IPA and switch your sssd.conf > to use 'ipa' providers instead of ldap, or define a system account that > can be used to bind to LDAP by your sssd clients. In short term > perspective that would probably be an easier fix. For the latter see > sssd-ldap(5), ldap_default_bind_dn, ldap_default_authtok options. Bingo! Adding the following lines to /etc/sssd/sssd.conf has fixed the issue for us: ldap_schema = rfc2307bis ldap_default_bind_dn = *dn* ldap_default_authtok = *password* Many thanks! -- Kind regards, Peter Pakos
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project