All,

This is for anyone using AIX clients with freeipa. I have the client up and running just fine (No KRB5, AIX Bug); however, I cannot seem to get the client to load the groups attributes properly. The user's primary group shows up in the groups attribute from lsuser, but not any subsequent groups the user is a member of in IPA.

In the outputs below, I do a lookup for IPA user 0016751 and I would expect the groups= attribute to match those that are listed in the "Member of Groups" from freeipa. I experimented with the groups attribute and mapping to the memberOf ldap attribute in the IPAuser.map file, but that hasn't changed the outcome.

If anyone has any pointers or advice it would be greatly appreciated!

AIX Client: 6100-09-04-1441

LDAP Client version:

    idsldap.clt32bit61.rte 6.1.0.57 COMMITTED Directory Server - 32 bit
    idsldap.clt_max_crypto32bit61.rte
    idsldap.cltbase61.adt 6.1.0.57 COMMITTED Directory Server - Base Client
    idsldap.cltbase61.rte 6.1.0.57 COMMITTED Directory Server - Base Client
    idsldap.ent61.rte 6.1.0.26 COMMITTED Directory Server - Entitlement
    idsldap.clt32bit61.rte 6.1.0.57 COMMITTED Directory Server - 32 bit
    idsldap.cltbase61.rte 6.1.0.57 COMMITTED Directory Server - Base Client

IDM Server: RHEL 6.6 x64 ipa-server-3.0.0-42

AIX Client LDAP Config:

    ldapservers:idm1-corp-p1.idm.abc.com,idm2-corp-p1.idm.abc.com
    binddn:uid=0016751,cn=users,cn=accounts,dc=idm,dc=abc,dc=com
    bindpwd:password
    authtype:ldap_auth
    userattrmappath:/etc/security/ldap/IPAuser.map
    groupattrmappath:/etc/security/ldap/IPAgroup.map
    userbasedn:cn=users,cn=accounts,dc=idm,dc=abc,dc=com
    groupbasedn:cn=groups,cn=accounts,dc=idm,dc=abc,dc=com

    #IPAuser.map file
    keyobjectclass SEC_CHAR posixaccount s na
    username SEC_CHAR uid s na
    id SEC_INT idnumber s na
    pgrp SEC_CHAR gidnumber s na
    #groups SEC_LIST memberOf m na
    home SEC_CHAR homedirectory s na
    shell SEC_CHAR loginshell s na
    gecos SEC_CHAR gecos s na
    spassword SEC_CHAR userpassword s na
    lastupdate SEC_INT shadowlastchange s days

    #IPAgroup.map file
    groupname SEC_CHAR cn s na
    id SEC_INT gidNumber s na
    users SEC_LIST member m na

LDAP User lookup

    root@aix:/home/root > lsuser -f -R LDAP 0016751
    0016751:
            id=1329001106
            pgrp=0016751
            groups=0016751
            home=/home/0016751
            shell=/bin/bash
            gecos=David Beck
            login=true
            su=true
            rlogin=true
            daemon=true
            admin=false
            sugroups=ALL
            admgroups=
            tpath=nosak
            ttys=ALL
            expires=0
            auth1=SYSTEM
            auth2=NONE
            umask=77
            registry=LDAP
            SYSTEM=compat or LDAP
            logintimes=
            loginretries=3
            pwdwarntime=14
            account_locked=false

LDAP Group lookup

    root@aix:/home/root > lsgroup -R LDAP aix-admins
    aix-admins id=1329004961 users=0016066,0016751,0002885,0016896,0016304,0014269,0015513,0015611,0016721 registry=LDAP

User Group lookup

    root@aix:/home/root > groups 0016751
    0016751 : 0016751

From the IDM server:

    [root@idm1-corp-p1 ~]# ipa user-show 0016751
      User login: 0016751
      First name: David
      Last name: Beck
      Home directory: /home/0016751
      Login shell: /bin/bash
      Email address: david.b...@abc.com
      UID: 1329001106
      GID: 1329001106
      Telephone Number: 555-555-5555
      Job Title:
      Account disabled: False
      Password: True
      Member of groups: unixss, linux-admins, aix-admins, smb-linfs-linadm, tam-admins
      Roles: IPA Administration
      Member of Sudo rule: nmap-intaudit
      Member of HBAC rule: aix-sshd-test
      Indirect Member of group: smb-linfs
      Indirect Member of Sudo rule: serverAdmin
      Indirect Member of HBAC rule: ssh_all, cvs_access
      Kerberos keys available: True