Hi,
I have a FreeIPA 4.10 installation with a Squid proxy server using the ext_kerberos_ldap_group_acl helper for authorizations. At some point the helper stopped working correctly. The problem is that ext_kerberos_ldap_group_acl uses the memberuid attribute, which is only available in the "cn=groups,cn=compat,dc=labeconomia,dc=unich,dc=it" subtree. Unfortunately, it seems that traversing the compat subtree is only possible when specifying a search base.
For example, the command
ldapsearch -H <host> "(uid=studente)"
returns the user "uid=studente,cn=users,cn=accounts,dc=labeconomia,dc=unich,dc=it"
If I want to get the corresponding user in the compat subtree, I need to specify a search base as in
ldapsearch -H <host> -b "cn=compat,dc=labeconomia,dc=unich,dc=it" "(uid=studente)"
which correctly returns "uid=studente,cn=users,cn=compat,dc=labeconomia,dc=unich,dc=it"
Now I wonder: is this the correct behavior ? And if this is correct, why did ext_kerberos_ldap_group_acl use to work in the past ?
Thanks for any help.