On Fri, Feb 22, 2013 at 05:39:01PM -0500, Zachary Hanson-Hart wrote:
> I have an LDAP server that is configured to serve up groups, and only
> groups, using the rfc2307 schema. I have available to me a separate ldap
> authentication server. I want sssd to get identity information from both

sssd can follow referrals. Is it possible to add a referral on the LDAP
authentication server which points to the LDAP group server?

HTH

bye,
Sumit

> sources. It is not possible to just put the groups into the existing
> server, as "they" will not grant me write access nor will they agree to
> manage the groups.
>
> sssd.conf is set up with two domains. The first (ldapr) is both auth and
> id provider. The second (groupldap) is simply an id provider (with
> auth_provider=none).
>
> The problem is that initgroups() only seems to be running for the first
> domain.
>
> In the first domain, gidNumber = uidNumber but there is no group with this
> gidNumber.
>
> The groupldap DOES have a group with this gidNumber. It is successfully
> obtained with the nss_cmd_getgrgid_search call before the initgroups call
> finishes for USERNAME@ldapr.
>
> The information flow is basically:
> Issue initgroups for ALL
> begin initgroups for ldapr
> get missing information from groupldap
> complete initgroups for ldapr
>
> Here, it seems to me that it should continue with an initgroups for
> groupldap. It does not.
>
> There are other groups on groupldap that have memberUid=USERNAME. There is
> never any search for groups with memberUid=USERNAME coming from the server
> (in the logs on the ldap server, or in the sssd logs), and initgroups is
> never called on the second domain (groupldap).
>
> To make things more confusing, if I:
> getent -s sss group SOMEGROUP
> I get:
> SOMEGROUP:*:12345:USERNAME:otheruser:...
>
> where SOMEGROUP is a posixGroup on groupldap.
>
> So, it CAN get the group information from the groupldap domain, but it
> doesn't.
>
> Is this a bug, or the expected behavior? If this is expected, how do you
> get it to search both?
>
> Any help would be greatly appreciated.
>
> -Zach
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
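
The two-domain layout described in the question, with the referral-chasing option from the reply made explicit, as an added example that is not configuration from either poster. Host names and search bases are constructed placeholders; only the domain names, `auth_provider = none` and the rfc2307 schema come from the thread.

```ini
[sssd]
services = nss, pam
domains = ldapr, groupldap

# First domain: identity and authentication (the server "they" manage).
[domain/ldapr]
id_provider = ldap
auth_provider = ldap
# Placeholder URI and base, not from the thread.
ldap_uri = ldaps://auth.example.com
ldap_search_base = dc=example,dc=com
# sssd-ldap option that controls whether referrals returned by this
# server are followed. A referral entry pointing at the group server
# would still have to be added on the authentication server itself.
ldap_referrals = true

# Second domain: groups only, no authentication.
[domain/groupldap]
id_provider = ldap
auth_provider = none
ldap_schema = rfc2307
# Placeholder URI and base, not from the thread.
ldap_uri = ldaps://groups.example.com
ldap_search_base = dc=groups,dc=example,dc=com
ldap_referrals = true
```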
