> 'memberOf' is the reverse of 'member', not of 'memberuid'. AD doesn't
> create the 'memberOf' backlink for entries specified by 'memberuid'
> (because 'memberuid' members are also not required to be in the central
> server; they can be local accounts or accounts provided by a different
> directory like NIS)

Ok, understood.

> I'm not sure what the relevance is to that statement. If you're using
> 'ldap_schema = rfc2307', then it should be adding all members that
> appear as 'memberuid' in the group.
>
> I guess I don't understand what your question is here. It looks like
> things are behaving as expected.

Well, the group aapp has 6 memberUid, but only three of them are added by
sssd, how is that correct ? Or what am I missing ?

Here are the users according to ldapsearch,

dn: CN=aapp,OU=Groups,DC=xx,DC=xx,DC=xx
memberUid: a001721
memberUid: a000569
memberUid: a000680
memberUid: a001406
memberUid: a000898
memberUid: a000590

Here are the users being added by sssd,

a001721
a001406
a000898

And that is with ldap_schema = rfc2307 in the config.

/Patrik Martinsson

On Fri, 2010-12-10 at 12:20 -0500, Stephen Gallagher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 12/10/2010 10:56 AM, Patrik Martinsson wrote:
> > Ok, Cool.
> >
> > So, I stopped sssd, removed the cachefile for my domain, started it with
> > logging to file.
> > Since I'm not comfortable with exposing our whole ad to the internet I
> > pasted a snippet out of the logfile, please tell me if you need anything
> > more.
> >
> > But the behavior is the same, here is an example,
> > I have a group called aapp,
> >
> > ldapsearch 'ou=Groups,dc=xx,dc=xx,dc=xx' "(&(objectclass=*)(cn=aapp))"
> > returns,
> >
> > ------
> > member: CN=xxxx,OU=People,DC=xx,DC=xx,DC=xx
> > member: CN=xxxx,OU=People,DC=xx,DC=xx,DC=xx
> > member: CN=xxxx,OU=People,DC=xx,DC=xx,DC=xx
> > memberUid: xxxx
> > memberUid: xxxx
> > memberUid: xxxx
> > memberUid: xxxx
> > memberUid: xxxx
> > memberUid: a000590
> > ------
> >
> > ldapsearch 'ou=People,dc=xx,dc=xx,dc=xx'
> > "(&(objectclass=*)(cn=a000590))" | grep -i memberof returns a list of
> > groups, however _not_ aapp.
> >
> > So, the "groupobject" lists a000590 as a memberUid, but the "userobject"
> > doesn't list aapp as a memberOf. First of all, is that right ?
> >
>
> 'memberOf' is the reverse of 'member', not of 'memberuid'. AD doesn't
> create the 'memberOf' backlink for entries specified by 'memberuid'
> (because 'memberuid' members are also not required to be in the central
> server; they can be local accounts or accounts provided by a different
> directory like NIS)
>
> >
> > Here's sssd log snippets, (tell me if you need anything else).
> >
> > (Fri Dec 10 16:38:12 2010) [sssd[be[xx]]] [sdap_parse_entry] (9):
> > OriginalDN: [CN=aapp,OU=Groups,DC=xx,DC=xx,DC=xx].
> > (Fri Dec 10 16:38:12 2010) [sssd[be[xx]]] [sdap_process_result] (8):
> > Trace: sh[0xae77a0], connected[1], ops[0xae80f0], ldap[0xae79c0]
> > (Fri Dec 10 16:38:22 2010) [sssd[be[xx]]] [sdap_save_group_send] (7):
> > Adding original DN [CN=aapp,OU=Groups,DC=xx,DC=xx,DC=xx] to attributes
> > of [aapp].
> > (Fri Dec 10 16:38:22 2010) [sssd[be[xx]]] [sdap_save_group_send] (6):
> > Storing info for group aapp
> > (Fri Dec 10 16:38:22 2010) [sssd[be[xx]]] [sysdb_search_entry_done] (6):
> > Error: Entry not Found!
> > (Fri Dec 10 16:38:22 2010) [sssd[be[xx]]] [sysdb_search_entry_done] (6):
> > Error: Entry not Found!
> > (Fri Dec 10 16:38:22 2010) [sssd[be[xx]]] [sdap_save_groups_loop] (9):
> > Group 592 processed!
> > (Fri Dec 10 16:39:05 2010) [sssd[be[xx]]] [sdap_save_grpmem_send] (7):
> > Adding member users to group [aapp]
> > (Fri Dec 10 16:39:05 2010) [sssd[be[xx]]] [sdap_fill_memberships] (9):
> > [IPA or AD Schema]
> > (Fri Dec 10 16:39:05 2010) [sssd[be[xx]]] [sdap_fill_memberships]
> > (7): member #0 (CN=xx,OU=People,DC=ad,DC=smhi,DC=se):
> > [name=xx,cn=users,cn=xx,cn=sysdb]
> > (Fri Dec 10 16:39:05 2010) [sssd[be[xx]]] [sdap_fill_memberships]
> > (7): member #1 (CN=xx,OU=People,DC=ad,DC=smhi,DC=se):
> > [name=xx,cn=users,cn=xx,cn=sysdb]
> > (Fri Dec 10 16:39:05 2010) [sssd[be[xx]]] [sdap_fill_memberships]
> > (7): member #2 (CN=xx,OU=People,DC=ad,DC=smhi,DC=se):
> > [name=xx,cn=users,cn=xx,cn=sysdb]
> > (Fri Dec 10 16:39:05 2010) [sssd[be[xx]]] [sdap_save_grpmem_send] (6):
> > Storing members for group aapp
> >
> > The users being added to the group aapp here in the log have both
> > 'member' and 'memberUid' attributes, does that make sense ?
> >
>
> I'm not sure what the relevance is to that statement. If you're using
> 'ldap_schema = rfc2307', then it should be adding all members that
> appear as 'memberuid' in the group.
>
> I guess I don't understand what your question is here. It looks like
> things are behaving as expected.
>
> - --
> Stephen Gallagher
> RHCE 804006346421761
>
> Delivering value year after year.
> Red Hat ranks #1 in value among software vendors.
> http://www.redhat.com/promo/vendor/
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.11 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk0CYUYACgkQeiVVYja6o6Ov2wCfVRkI07wxdIu7puLxAXkse5RP
> b4oAnRaOFSPSdXh+WBzHNdDn+Ws+aecx
> =7Dz5
> -----END PGP SIGNATURE-----

_______________________________________________
sssd-devel mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/sssd-devel
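
Added example, not part of the original thread and not sssd code: a small check that takes a group entry in LDIF form and diffs the members a client actually resolved against the group's `memberUid` list and against its `member` DN list, to show which attribute the resolved set corresponds to. The sample LDIF is constructed (the `memberUid` values and the observed list are the ones quoted above; the three `member` DNs and the mapping of a DN's leading CN to the login name are assumptions).

```python
import base64
import re

# Constructed sample: memberUid values are from the post, the member DNs are assumed.
SAMPLE_LDIF = """\
dn: CN=aapp,OU=Groups,DC=xx,DC=xx,DC=xx
member: CN=a001721,OU=People,DC=xx,DC=xx,DC=xx
member: CN=a001406,OU=People,DC=xx,DC=xx,DC=xx
member: CN=a000898,OU=People,
 DC=xx,DC=xx,DC=xx
memberUid: a001721
memberUid: a000569
memberUid: a000680
memberUid: a001406
memberUid: a000898
memberUid:: YTAwMDU5MA==
"""
OBSERVED = ["a001721", "a001406", "a000898"]  # members the post says sssd added

def parse_entry(ldif):
    """Parse one LDIF entry into {attr: [values]}: unfold wrapped lines, decode '::' base64."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation of the previous line
        elif ":" in raw and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(attr.lower(), []).append(value.strip())
    return entry

def first_rdn_value(dn):
    # Assumption: the leftmost RDN value (the CN) is the login name.
    return re.split(r"(?<!\\),", dn, maxsplit=1)[0].partition("=")[2].strip()

def compare(entry, observed):
    """Diff the observed members against each attribute's view of the group."""
    seen = {u.lower() for u in observed}
    views = {"memberUid": {v.lower() for v in entry.get("memberuid", [])},
             "member": {first_rdn_value(d).lower() for d in entry.get("member", [])}}
    return {name: {"missing": sorted(exp - seen), "unexpected": sorted(seen - exp)}
            for name, exp in views.items()}

def matching_attributes(report):
    return [n for n, r in report.items() if not r["missing"] and not r["unexpected"]]
```

Feed it the output of the group `ldapsearch` and the member list from `getent group aapp`; an empty diff for one attribute and not the other shows which membership attribute the client's result follows.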
