On 12/10/2010 06:32 AM, Patrik Martinsson wrote:
> Hello,
>
> I've almost managed to get sssd to work as I want, however I have these
> problems with group members.
>
> If I do an ldapsearch on a group I get this result:
>
> ---------
> member: CN=x1,OU=People,DC=x,DC=x,DC=x
> member: CN=x2,OU=People2,OU=People,DC=x,DC=x,DC=x
> member: CN=x3,OU=People,DC=x,DC=x,DC=x
> member: CN=x4,OU=People,DC=x,DC=x,DC=x
> member: CN=x5,OU=People,DC=x,DC=x,DC=x
>
> memberUid: x1
> memberUid: x2
> memberUid: x5
> memberUid: x7
> memberUid: x8
> memberUid: x9
> ---------
>
> A colleague told me that the difference (between members in 'member' and
> 'memberUid') is because 'member' is the attribute set up for Windows
> accounts, and 'memberUid' is for the Unix accounts, and although these
> often should be synced there could be some cases where it's not (in our
> setup anyway).
>
> So what I want is getting sssd to map group members to the memberUid.
>
> Here's a snippet from my sssd.conf:
>
> ---------
> ldap_user_object_class = User
> ldap_user_name = sAMAccountName
> ldap_user_uid_number = uidNumber
> ldap_user_gid_number = gidNumber
> ldap_user_shell = loginShell
> ldap_user_gecos = mail
> ldap_user_principal = userPrincipalName
> ldap_user_member_of = memberOf
> ldap_user_home_directory = msSFUHomeDirectory
>
> ldap_group_object_class = Group
> ldap_group_name = cn
> ldap_group_gid_number = gidNumber
> ldap_group_member = memberuid
> # ldap_group_member = member
> # ldap_group_member = memberUid
> # ldap_group_uuid = memberUid

UUID != UID. Don't assign these to the same attribute.

> ---------
>
> I've tried different setups here but I can't really seem to figure it
> out. If I run with the above settings I get no groups for users, and the
> following is printed in sssd debug:
> ---------
> [sysdb_search_entry_done] (6) Error : Entry not found!
> [sdap_fill_memberships] (7) member #60 (x): not found!
> ---------
>
> If I use member instead of memberuid/Uid the users are mapped to
> groups from the 'member' attribute, which seems logical; however, that's
> not what I want. As I said before, I want to map user groups against the
> memberUid.
>

When using ldap_schema = rfc2307, which is the default if it's unspecified, the default for ldap_group_member is memberUid. This is because RFC 2307 requires that members be a list of group names.

If you use ldap_schema = rfc2307bis, this changes group membership lookups to use the DN format and the 'member' attribute, because RFC 2307bis (the standard Active Directory normally uses) requires that members be specified as DN entries in the LDAP server.

The only difference between the RFC 2307 and RFC 2307bis formats is whether groups are looked up by the 'memberuid' or 'member' attribute, respectively. So if you want to use 'memberuid', just set 'ldap_schema = rfc2307'.

See also https://fedorahosted.org/sssd/ticket/445 for our future plans to support a hybrid mode that can read both attributes.

--
Stephen Gallagher
RHCE 804006346421761

_______________________________________________
sssd-devel mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/sssd-devel
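The following is an added example, not code from sssd or from either poster: a small Python model of the rule described in the reply (ldap_schema selects the group-membership attribute, memberUid for rfc2307 and member for rfc2307bis, with an explicit ldap_group_member taking precedence), applied to the group entry from the ldapsearch output above. The user entries, the group name "unixgroup" and the sssd.conf parser are constructed for the example; the "missing" list stands in for the "member ... not found!" debug lines, which is what a memberUid value with no matching user entry (x7, x8, x9) produces.

```python
# Added example, not sssd code: model how ldap_schema picks the attribute
# sssd reads group members from, and what each choice yields for the group
# shown in the thread. All directory data below is constructed.

# Default membership attribute per schema, as described in the reply.
SCHEMA_MEMBER_ATTR = {"rfc2307": "memberUid", "rfc2307bis": "member"}

# Constructed user entries (DN -> login name) matching the five 'member' DNs.
USERS_BY_DN = {
    "CN=x1,OU=People,DC=x,DC=x,DC=x": "x1",
    "CN=x2,OU=People2,OU=People,DC=x,DC=x,DC=x": "x2",
    "CN=x3,OU=People,DC=x,DC=x,DC=x": "x3",
    "CN=x4,OU=People,DC=x,DC=x,DC=x": "x4",
    "CN=x5,OU=People,DC=x,DC=x,DC=x": "x5",
}

# The group entry from the ldapsearch output; "unixgroup" is a placeholder cn.
GROUP = {
    "cn": ["unixgroup"],
    "member": list(USERS_BY_DN),
    "memberUid": ["x1", "x2", "x5", "x7", "x8", "x9"],
}


def parse_sssd_conf(text):
    """Minimal 'key = value' parser; [section] headers and '#' comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def member_attribute(conf):
    """Attribute sssd will read group members from.

    An explicit ldap_group_member wins; otherwise the schema default applies,
    and ldap_schema itself defaults to rfc2307 when unset.
    """
    schema = conf.get("ldap_schema", "rfc2307")
    if schema not in SCHEMA_MEMBER_ATTR:
        raise ValueError(f"unsupported ldap_schema: {schema}")
    return conf.get("ldap_group_member") or SCHEMA_MEMBER_ATTR[schema]


def resolve_members(group, attr, users_by_dn):
    """Return (found, missing) for the group's members under attribute `attr`.

    'member' values are DNs and resolve through the user's DN (rfc2307bis);
    any other attribute is treated as a list of login names that must exist
    as users (rfc2307 memberUid). LDAP attribute names are case-insensitive,
    so the entry lookup is case-insensitive too.
    """
    entry = {k.lower(): v for k, v in group.items()}
    by_dn = attr.lower() == "member"
    known_logins = set(users_by_dn.values())
    found, missing = [], []
    for value in entry.get(attr.lower(), []):
        if by_dn:
            login = users_by_dn.get(value)
        else:
            login = value if value in known_logins else None
        if login is None:
            missing.append(value)   # sssd would log "member ... not found!"
        else:
            found.append(login)
    return found, missing


if __name__ == "__main__":
    for conf_text in ("", "ldap_schema = rfc2307bis", "ldap_group_member = memberuid"):
        attr = member_attribute(parse_sssd_conf(conf_text))
        found, missing = resolve_members(GROUP, attr, USERS_BY_DN)
        print(f"conf={conf_text!r:32} attr={attr:10} found={found} missing={missing}")
```

Running it shows the two views of the same group: under the rfc2307 default (memberUid) the group resolves to x1, x2, x5 with x7, x8, x9 unresolved, while under rfc2307bis (member) it resolves to x1 through x5 via their DNs; the explicit `ldap_group_member = memberuid` line behaves like the rfc2307 case because attribute names are matched case-insensitively.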
