On Thu, Dec 07, 2017 at 07:46:11AM -0000, Иван Мастренко wrote:
> Hello!
> I have a problem with getting the groups list for a user in LDAP:
> [sssd[be[DOMAIN_GROUP2]]] [sdap_initgr_rfc2307bis_next_base] (0x0400):
> Searching for parent groups for user
> [uid=hwadmin_sssd,ou=users,dc=my,dc=domain] with base
> [ou=groups,dc=my,dc=domain]
> [sssd[be[DOMAIN_GROUP2]]] [sdap_get_generic_ext_step] (0x0400): calling
> ldap_search_ext with
> [(&(memberUid=uid=hwadmin_sssd,ou=users,dc=my,dc=domain)(objectClass=posixGroup)(cn=*))][ou=groups,dc=my,dc=domain].
>
> As seen above, SSSD tries to search groups with a filter where memberUid =
> <fullDN>, but this is not correct. It should search for:
> (&(memberUid=hwadmin_sssd)(objectClass=posixGroup)(cn=*))
>
> My config is:
>
> [sssd]
> services = nss, pam, autofs
> config_file_version = 2
> domains = ,DOMAIN_GROUP2
> override_homedir = /home/%u
>
> [domain/default]
> debug_level = 7
>
> [domain/DOMAIN_GROUP2]
> autofs_provider = ldap
> cache_credentials = False
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> ldap_uri = ldap://172.20.47.115:389
> ldap_schema = rfc2307bis

Please try 'ldap_schema = rfc2307'. rfc2307bis uses DNs to identify members
while plain rfc2307 uses just names.

HTH

bye,
Sumit

> ldap_default_bind_dn = uid=sssd,ou=ServiceAccounts,dc=my,dc=domain
> ldap_default_authtok = password
> ldap_group_member = memberUid
> #ldap_use_tokengroups = false
>
> # TLS/SSL
> ldap_tls_reqcert = never
> ldap_id_use_start_tls = False
> ldap_tls_cacertdir = /etc/openldap/cacerts
>
> # SEARCH BASE
> ldap_search_base = dc=my,dc=domain
> ldap_user_search_base = ou=users,dc=my,dc=domain
> ldap_group_search_base = ou=groups,dc=my,dc=domain
> #ldap_group_object_class = groupOfNames
> # FILTER
> access_provider = ldap
> ldap_access_filter = (memberOf=cn=HWS_ADMINS,ou=groups,dc=my,dc=domain)
>
> override_gid = 1001
> override_shell = /bin/bash
> skel_dir=/etc/skel_ptk/
>
> debug_level = 7
>
> [nss]
> homedir_substring = /home
> debug_level = 7
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
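
The schema difference described in the reply, as an added example that is not part of the original thread and is not SSSD's own code: a small check that reads an sssd.conf, derives the group lookup filter each LDAP domain's schema produces, and flags the combination from the thread (rfc2307bis with a name-valued memberUid attribute). The function names and the trimmed sample configuration are constructed for illustration; the filter shape is copied from the log line quoted above.

```python
import configparser

# Constructed sample, trimmed from the configuration quoted in the thread.
SAMPLE_CONF = """
[sssd]
domains = DOMAIN_GROUP2
override_homedir = /home/%u

[domain/DOMAIN_GROUP2]
id_provider = ldap
ldap_schema = rfc2307bis
ldap_group_member = memberUid
"""

# Per sssd-ldap(5): schema -> (default member attribute, form of the value compared)
SCHEMAS = {"rfc2307": ("memberUid", "name"), "rfc2307bis": ("member", "dn")}

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    for ch, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        value = value.replace(ch, esc)
    return value

def group_filter(schema, member_attr, user_name, user_dn):
    """Group lookup filter in the shape seen in the thread's debug log."""
    value = user_dn if SCHEMAS[schema][1] == "dn" else user_name
    return "(&(%s=%s)(objectClass=posixGroup)(cn=*))" % (member_attr, escape_filter_value(value))

def check_domains(conf_text, user_name, user_dn):
    """Return {domain: (filter, warning or None)} for each LDAP domain section."""
    cp = configparser.ConfigParser(interpolation=None)  # keep '%u' literal
    cp.read_string(conf_text)
    out = {}
    for section in cp.sections():
        provider = cp.get(section, "id_provider", fallback="")
        if not section.startswith("domain/") or provider != "ldap":
            continue
        schema = cp.get(section, "ldap_schema", fallback="rfc2307").lower()
        if schema not in SCHEMAS:  # IPA/AD schemas are outside this example
            continue
        attr = cp.get(section, "ldap_group_member", fallback=SCHEMAS[schema][0])
        warning = None
        if schema == "rfc2307bis" and attr.lower() == "memberuid":
            warning = "memberUid holds names, but rfc2307bis compares it against the user DN"
        out[section[len("domain/"):]] = (group_filter(schema, attr, user_name, user_dn), warning)
    return out
```

Calling `check_domains(SAMPLE_CONF, "hwadmin_sssd", "uid=hwadmin_sssd,ou=users,dc=my,dc=domain")` reproduces the DN-valued filter from the log together with a warning; with `ldap_schema = rfc2307` the same call yields the name-valued filter and no warning.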
