Re: Group values not returned with "id" command

Thu, 05 Sep 2013 11:36:13 -0700 

On Thu, Sep 5, 2013 at 1:36 PM, Howard Chu <[email protected]> wrote:

> Justin Edmands wrote:
>
>> Hey,
>> Certainly new to migrations of LDAP. I migrated our old setup from
>> OpenLDAP to
>> 389 Directory Server. When using the "id" command on an LDAP client, it
>> only
>> returns uid,gid, and one group. It for some reason does not show all of
>> the
>> actual groups that the user is associated with. What is set to return
>> these
>> values and what setting ensures they are properly mapped from OpenLDAP to
>> 389DS?
>>
>> ### OpenLDAP example: ###
>>
>> [root openldapclient ~]# id jedmands
>> uid=9999(jedmands) gid=100(users)
>> groups=100(users),5000(**manager),5001(linuxadmin),**
>> 5002(storageadmin),5003(**dbadmin),5004(webadmin),5006(**it)
>>
>> ### 389 DS Example: ###
>>
>> [root 389dsclient ~]# id jedmands
>> uid=9999(jedmands) gid=100(users) groups=100(users)
>>
>> Notes:
>> Posted this to the 389-users list, nothing received.
>> We are using the memberOf plugin for 389DS.
>> I don't know too much about the openldap environment. I moved to CentOS 6
>> and
>> figured DS was the way to go with SSL/TLS
>>
>
> I'm pretty sure you figured wrong. OpenLDAP actually works, implements the
> LDAP RFCs correctly, and outperforms all other LDAP servers. Compared to
> 389DS, OpenLDAP bulk-loads data 2x faster, uses 10% less space on disk,
> answers search queries 4x faster, and uses 50% less RAM to do it. (Also
> answers Binds 6x faster, and performs updates 11x faster.) 389DS is a
> hulking pile of obsolete code; the only reason it still exists today is
> because RedHat has support contracts for RedHatDS from customers too
> ignorant to realize how bad the product they've paid for actually is.
>
> --
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  
> http://www.openldap.org/**project/<http://www.openldap.org/project/>
>

Thank god you got that off of your chest. the solution is:

/etc/sssd/sssd.conf
     [domain/default]
     ..
     ldap_group_member = memberUid
     ldap_group_search_base = ou=Group,dc=mysite,dc=com
     ..

after flushing cache, the clients see the proper groups.

https://bugzilla.redhat.com/show_bug.cgi?id=599713

Reply via email to