> 'memberOf' is the reverse of 'member', not of 'memberuid'. AD doesn't
> create the 'memberOf' backlink for entries specified by 'memberuid'
> (because 'memberuid' members are also not required to be in the central
> server; they can be local accounts or accounts provided by a different
> directory like NIS)
Ok, understood.

> I'm not sure what the relevance is to that statement. If you're using
> 'ldap_schema = rfc2307', then it should be adding all members that
> appear as 'memberuid' in the group.
>
> I guess I don't understand what your question is here. It looks like
> things are behaving as expected.
Well, the group aapp has 6 memberUid, but only three of them are added by
sssd. How is that correct? Or what am I missing?

Here are the users according to ldapsearch,
dn: CN=aapp,OU=Groups,DC=xx,DC=xx,DC=xx
memberUid: a001721
memberUid: a000569
memberUid: a000680
memberUid: a001406
memberUid: a000898
memberUid: a000590

Here are the users being added by sssd,
a001721
a001406
a000898

And that is with ldap_schema = rfc2307 in the config.

/Patrik Martinsson

On Fri, 2010-12-10 at 12:20 -0500, Stephen Gallagher wrote:
> On 12/10/2010 10:56 AM, Patrik Martinsson wrote:
> > Ok, Cool.
> >
> > So, I stopped sssd, removed the cachefile for my domain, started it with
> > logging to file.
> > Since I'm not comfortable with exposing our whole AD to the internet I
> > pasted a snippet out of the logfile, please tell me if you need anything
> > more.
> >
> > But the behavior is the same, here is an example,
> > I have a group called aapp,
> >
> > ldapsearch 'ou=Groups,dc=xx,dc=xx,dc=xx' "(&(objectclass=*)(cn=aapp))"
> > returns,
> >
> > ------
> > member: CN=xxxx,OU=People,DC=xx,DC=xx,DC=xx
> > member: CN=xxxx,OU=People,DC=xx,DC=xx,DC=xx
> > member: CN=xxxx,OU=People,DC=xx,DC=xx,DC=xx
> > memberUid: xxxx
> > memberUid: xxxx
> > memberUid: xxxx
> > memberUid: xxxx
> > memberUid: xxxx
> > memberUid: a000590
> > ------
> >
> > ldapsearch 'ou=People,dc=xx,dc=xx,dc=xx'
> > "(&(objectclass=*)(cn=a000590))" | grep -i memberof returns a list of
> > groups, however _not_ aapp.
> >
> > So, the "groupobject" lists a000590 as a memberUid, but the "userobject"
> > doesn't list aapp as a memberOf. First of all, is that right?
> >
>
> 'memberOf' is the reverse of 'member', not of 'memberuid'. AD doesn't
> create the 'memberOf' backlink for entries specified by 'memberuid'
> (because 'memberuid' members are also not required to be in the central
> server; they can be local accounts or accounts provided by a different
> directory like NIS)
>
>
>
> > Here's sssd log snippets, (tell me if you need anything else).
> >
> > (Fri Dec 10 16:38:12 2010) [sssd[be[xx]]] [sdap_parse_entry] (9):
> > OriginalDN: [CN=aapp,OU=Groups,DC=xx,DC=xx,DC=xx].
> > (Fri Dec 10 16:38:12 2010) [sssd[be[xx]]] [sdap_process_result] (8):
> > Trace: sh[0xae77a0], connected[1], ops[0xae80f0], ldap[0xae79c0]
> > (Fri Dec 10 16:38:22 2010) [sssd[be[xx]]] [sdap_save_group_send] (7):
> > Adding original DN [CN=aapp,OU=Groups,DC=xx,DC=xx,DC=xx] to attributes
> > of [aapp].
> > (Fri Dec 10 16:38:22 2010) [sssd[be[xx]]] [sdap_save_group_send] (6):
> > Storing info for group aapp
> > (Fri Dec 10 16:38:22 2010) [sssd[be[xx]]] [sysdb_search_entry_done] (6):
> > Error: Entry not Found!
> > (Fri Dec 10 16:38:22 2010) [sssd[be[xx]]] [sysdb_search_entry_done] (6):
> > Error: Entry not Found!
> > (Fri Dec 10 16:38:22 2010) [sssd[be[xx]]] [sdap_save_groups_loop] (9):
> > Group 592 processed!
> > (Fri Dec 10 16:39:05 2010) [sssd[be[xx]]] [sdap_save_grpmem_send] (7):
> > Adding member users to group [aapp]
> > (Fri Dec 10 16:39:05 2010) [sssd[be[xx]]] [sdap_fill_memberships] (9):
> > [IPA or AD Schema]
> > (Fri Dec 10 16:39:05 2010) [sssd[be[xx]]] [sdap_fill_memberships]
> > (7):     member #0 (CN=xx,OU=People,DC=ad,DC=smhi,DC=se):
> > [name=xx,cn=users,cn=xx,cn=sysdb]
> > (Fri Dec 10 16:39:05 2010) [sssd[be[xx]]] [sdap_fill_memberships]
> > (7):     member #1 (CN=xx,OU=People,DC=ad,DC=smhi,DC=se):
> > [name=xx,cn=users,cn=xx,cn=sysdb]
> > (Fri Dec 10 16:39:05 2010) [sssd[be[xx]]] [sdap_fill_memberships]
> > (7):     member #2 (CN=xx,OU=People,DC=ad,DC=smhi,DC=se):
> > [name=xx,cn=users,cn=xx,cn=sysdb]
> > (Fri Dec 10 16:39:05 2010) [sssd[be[xx]]] [sdap_save_grpmem_send] (6):
> > Storing members for group aapp
> >
> > The users being added to the group aapp here in the log have both
> > 'member' and 'memberUid' attributes, does that make sense?
> >
>
> I'm not sure what the relevance is to that statement. If you're using
> 'ldap_schema = rfc2307', then it should be adding all members that
> appear as 'memberuid' in the group.
>
> I guess I don't understand what your question is here. It looks like
> things are behaving as expected.
>
> --
> Stephen Gallagher
> RHCE 804006346421761
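As an added example (not code from this thread and not sssd's own code), here is a small Python model of the two membership rules the replies describe: with ldap_schema = rfc2307 the memberUid values are the members, while with the rfc2307bis/IPA/AD schema the member DNs are followed and resolved, and AD's memberOf backlink is derived from member only, never from memberUid. The LDIF below is constructed from the redacted ldapsearch output above; the CNs behind the three member DNs are an assumption, since the post masks them. Note that the quoted log line `[sdap_fill_memberships] (9): [IPA or AD Schema]` is the DN-following path, which is the one that yields three members rather than six.

```python
"""Model of sssd-style group member resolution under two LDAP schema families.

Added example; not sssd code. The LDIF is constructed from the redacted
ldapsearch output in the thread; the CNs behind the 'member' DNs are assumed.
"""
from collections import defaultdict

# Constructed LDIF: group 'aapp' with three 'member' DNs and six 'memberUid'
# values, plus the user entries the 'member' DNs point at.
LDIF = """\
dn: CN=aapp,OU=Groups,DC=xx,DC=xx,DC=xx
objectClass: group
cn: aapp
member: CN=a001721,OU=People,DC=xx,DC=xx,DC=xx
member: CN=a001406,OU=People,DC=xx,DC=xx,DC=xx
member: CN=a000898,OU=People,DC=xx,DC=xx,DC=xx
memberUid: a001721
memberUid: a000569
memberUid: a000680
memberUid: a001406
memberUid: a000898
memberUid: a000590

dn: CN=a001721,OU=People,DC=xx,DC=xx,DC=xx
objectClass: user
cn: a001721
uid: a001721

dn: CN=a001406,OU=People,DC=xx,DC=xx,DC=xx
objectClass: user
cn: a001406
uid: a001406

dn: CN=a000898,OU=People,DC=xx,DC=xx,DC=xx
objectClass: user
cn: a000898
uid: a000898

dn: CN=a000590,OU=People,DC=xx,DC=xx,DC=xx
objectClass: user
cn: a000590
uid: a000590
"""

GROUP_DN = "CN=aapp,OU=Groups,DC=xx,DC=xx,DC=xx"


def parse_ldif(text):
    """Minimal LDIF reader returning {dn: {attr: [values]}}.

    Covers only what this example needs: no base64 values, no line folding.
    Attribute names are lower-cased because LDAP compares them case-insensitively.
    """
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line ends an entry
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
            continue
        if current is None:
            raise ValueError("attribute before dn: %r" % line)
        current[attr].append(value)
    return entries


def resolve_members(entries, group_dn, schema):
    """Return the set of user names that end up in the group.

    rfc2307: 'memberUid' is authoritative. Its values are plain names and are
    not required to exist in the directory (local or NIS accounts qualify).
    rfc2307bis / ipa / ad: 'member' DNs are followed and mapped to the user's
    uid; a DN with no entry is skipped (the log shows 'Entry not Found!').
    """
    group = entries[group_dn]
    if schema == "rfc2307":
        return set(group.get("memberuid", []))
    if schema in ("rfc2307bis", "ipa", "ad"):
        names = set()
        for dn in group.get("member", []):
            user = entries.get(dn)
            uid = user.get("uid") if user is not None else None
            if not uid:
                continue
            names.add(uid[0])
        return names
    raise ValueError("unknown ldap_schema: %r" % schema)


def compute_memberof(entries):
    """Build the 'memberOf' backlink the way AD does: from 'member' only.

    A user listed solely under 'memberUid' gets no backlink, so the group
    never appears in that user's memberOf attribute.
    """
    backlinks = defaultdict(set)
    for dn, attrs in entries.items():
        classes = [v.lower() for v in attrs.get("objectclass", [])]
        if "group" in classes:
            for member_dn in attrs.get("member", []):
                backlinks[member_dn].add(dn)
    return backlinks


if __name__ == "__main__":
    db = parse_ldif(LDIF)
    print("rfc2307:", sorted(resolve_members(db, GROUP_DN, "rfc2307")))
    print("ad:     ", sorted(resolve_members(db, GROUP_DN, "ad")))
    print("memberOf(a000590):",
          sorted(compute_memberof(db)["CN=a000590,OU=People,DC=xx,DC=xx,DC=xx"]))
```

Running it prints six names for rfc2307, the three names from the `member` DNs for the AD path, and an empty memberOf list for a000590, which matches the behaviour both posters observed.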