Re: [Freeipa-users] SSSD with LDAP not showing secondary groups

2016-07-22 Thread Jakub Hrozek
On Fri, Jul 22, 2016 at 03:04:01PM +0100, Peter Pakos wrote:
> Jakub Hrozek wrote:
>
> > I'm glad it works now, but why did you choose to use the LDAP back end
> > over the IPA back end? By using LDAP, you gain the ability to not enroll
> > clients with ipa-client-install, but you lose the ease

Re: [Freeipa-users] SSSD with LDAP not showing secondary groups

2016-07-22 Thread Peter Pakos
Jakub Hrozek wrote:
> I'm glad it works now, but why did you choose to use the LDAP back end
> over the IPA back end? By using LDAP, you gain the ability to not enroll
> clients with ipa-client-install, but you lose the ease of
> manageability, HBAC, easy SUDO integration, not to mention you

Re: [Freeipa-users] SSSD with LDAP not showing secondary groups

2016-07-17 Thread Peter Pakos
On 17 July 2016 at 09:03, Alexander Bokovoy wrote:
> Your sssd configuration does not mention what DN is used to bind to the
> LDAP server to retrieve the data. This means you are using anonymous
> bind. Since FreeIPA 4.0 there is a number of attributes that are not
>

Re: [Freeipa-users] SSSD with LDAP not showing secondary groups

2016-07-17 Thread Alexander Bokovoy
On Sun, 17 Jul 2016, Sullivan, Daniel [AAA] wrote:
Have you tried different settings for ldap_schema (should be easy to test)?

http://linux.die.net/man/5/sssd-ldap

Dan

On Jul 16, 2016, at 4:19 PM, Peter Pakos wrote:
Hi, I'm about to move our FreeIPA

Re: [Freeipa-users] SSSD with LDAP not showing secondary groups

2016-07-17 Thread Peter Pakos
On 17 July 2016 at 09:03, Alexander Bokovoy wrote:
>
> Your sssd configuration does not mention what DN is used to bind to the
> LDAP server to retrieve the data. This means you are using anonymous
> bind. Since FreeIPA 4.0 there is a number of attributes that are not
>

Re: [Freeipa-users] SSSD with LDAP not showing secondary groups

2016-07-17 Thread Peter Pakos
On 17 July 2016 at 03:48, Sullivan, Daniel [AAA] <dsulliv...@bsd.uchicago.edu> wrote:
>
> Out of curiosity is there any reason you are not using the IPA provider
> instead of LDAP (in SSSD)?
>
We initially want to switch hundreds of servers via Puppet change. At a later stage we'll look at

Re: [Freeipa-users] SSSD with LDAP not showing secondary groups

2016-07-17 Thread Peter Pakos
I did try setting ldap_schema to rfc2307 (I think this is the default setting), rfc2307bis and ipa, but it didn't make any difference.

I also tried setting

ldap_group_member = member
ldap_user_member_of = memberOf

but again, it made no difference.

On 17 July 2016 at 03:38, Sullivan, Daniel

Re: [Freeipa-users] SSSD with LDAP not showing secondary groups

2016-07-16 Thread Sullivan, Daniel [AAA]
Also, you might be able to tweak ldap_user_member_of. If you log in to a DC and kinit to an IPA user and then ldap query, you should be able to get the LDIF record for a user, i.e.

1) kinit s.cri.ipa-idprovisio...@ipa.cri.uchicago.edu
2)

Re: [Freeipa-users] SSSD with LDAP not showing secondary groups

2016-07-16 Thread Sullivan, Daniel [AAA]
Have you tried different settings for ldap_schema (should be easy to test)?

http://linux.die.net/man/5/sssd-ldap

Dan

On Jul 16, 2016, at 4:19 PM, Peter Pakos wrote:
Hi, I'm about to move our FreeIPA platform into production on Monday but I've just

[Freeipa-users] SSSD with LDAP not showing secondary groups

2016-07-16 Thread Peter Pakos
Hi, I'm about to move our FreeIPA platform into production on Monday but I've just noticed a worrying issue with sssd - getent group is not showing group members and id is not showing secondary groups. Currently all our servers are configured with sssd using our old LDAP (389-ds) as a backend.