Hey again,
Thanks for answering so quick!
Ok. So I asked our Windows department what kind of RFC we are using today
and got the answer "Don't know if we satisfy any RFC today, the base is
AD4Unix.". I don't really know what to make of that, however I do know
that i want sssd to base groupmembership on memberUid, and therefore i
should use "ldap_schema = rfc2307". So that's what I did and here is the
what i got.
I do an ldapsearch on a fubar group and I see that
memberuid: foo
I do a getent group fubar and i get a list of users in that group,
however not the user foo.
So why is it that the user foo is shown in the ldapsearch but not in sssd?
Actually the only users sssd is showing are the ones having 'member'
attributes, not the memberUid users.
Is it being cached in some way? I do restart sssd after each
configuration change.
How can I debug this more? I would really like to get this working.
Thanks in advance,
Patrik Martinsson, Sweden.
On 12/10/2010 12:55 PM, Stephen Gallagher wrote:
On 12/10/2010 06:32 AM, Patrik Martinsson wrote:
> Hello,
>
> I've almost managed to get sssd to work as I want, however I have this
> problem with group members.
>
> If I do an ldapsearch on a group I get this result,
>
> ---------
> member: CN=x1,OU=People,DC=x,DC=x,DC=x
> member: CN=x2,OU=People2,OU=People,DC=x,DC=x,DC=x
> member: CN=x3,OU=People,DC=x,DC=x,DC=x
> member: CN=x4,OU=People,DC=x,DC=x,DC=x
> member: CN=x5,OU=People,DC=x,DC=x,DC=x
>
> memberUid: x1
> memberUid: x2
> memberUid: x5
> memberUid: x7
> memberUid: x8
> memberUid: x9
> ---------
>
> A colleague told me that the difference (between members in 'member' and
> 'memberUid') is because 'member' is the attribute set up for Windows
> accounts, and 'memberUid' is for the Unix accounts, and although these
> often should be synced there could be some cases where it's not (in our
> setup anyway).
>
> So what I want is getting sssd to map group members to the memberUid.
>
> Here's a snippet from my sssd.conf
>
> ---------
> ldap_user_object_class = User
> ldap_user_name = sAMAccountName
> ldap_user_uid_number = uidNumber
> ldap_user_gid_number = gidNumber
> ldap_user_shell = loginShell
> ldap_user_gecos = mail
> ldap_user_principal = userPrincipalName
> ldap_user_member_of = memberOf
> ldap_user_home_directory = msSFUHomeDirectory
>
> ldap_group_object_class = Group
> ldap_group_name = cn
> ldap_group_gid_number = gidNumber
> ldap_group_member = memberuid
> # ldap_group_member = member
> # ldap_group_member = memberUid
> # ldap_group_uuid = memberUid
UUID != UID. Don't assign these to the same attribute.
> ---------
>
> I've tried different setups here but I can't really seem to figure it
> out. If I run with the above settings I get no groups for users, and the
> following is printed in the sssd debug output,
> ---------
> [sysdb_search_entry_done] (6) Error : Entry not found!
> [sdap_fill_memberships] (7) member #60 (x): not found!
> ---------
>
> If I use member instead of memberuid/memberUid the users are mapped to
> groups from the 'member' attribute, which seems logical, however that's
> not what I want, as I said before, I want to map user groups against the
> memberUid.
>
When using
ldap_schema = rfc2307
which is the default if it's unspecified, the default for
ldap_group_member = memberUid
This is because RFC 2307 requires that members be a list of group names.
If you use ldap_schema = rfc2307bis, this changes group membership
lookups to use the DN format and the 'member' attribute, because RFC
2307bis (the standard ActiveDirectory normally uses) requires that
members be specified as DN entries in the LDAP server.
The only difference between the RFC 2307 and RFC 2307bis formats is
whether groups are looked up by the 'memberUid' or the 'member' attribute,
respectively. So if you want to use 'memberUid', just set 'ldap_schema =
rfc2307'.
See also
https://fedorahosted.org/sssd/ticket/445 for our future plans
to support a hybrid mode that can read both attributes.
--
Stephen Gallagher
RHCE 804006346421761
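The point Stephen makes above, that rfc2307 and rfc2307bis differ only in which attribute sssd reads, has a practical consequence worth checking before flipping ldap_schema: when 'member' and 'memberUid' are out of sync (as Patrik's colleague described), a user's group membership, and therefore the access that group grants, changes depending on which schema is configured. The script below is an added example, not code from sssd or from anyone in this thread. It parses a constructed LDIF group entry modelled on the attributes Patrik posted, resolves 'member' DNs through a hypothetical DN-to-sAMAccountName map standing in for the user search sssd would do, and reports who appears under one interpretation but not the other. The group name, DNs and user map are assumptions for illustration.

```python
"""Audit LDAP group membership as sssd would see it under
ldap_schema = rfc2307 (memberUid: plain user names) versus
ldap_schema = rfc2307bis (member: DNs resolved to user entries).

Example code added to this thread; it is not part of sssd. The LDIF below is
constructed, modelled on the group attributes posted in the thread.
"""
from typing import Dict, List, Set, Tuple

# Constructed group entry (not a real directory dump).
GROUP_LDIF = """\
dn: CN=fubar,OU=Groups,DC=x,DC=x,DC=x
cn: fubar
gidNumber: 10001
member: CN=x1,OU=People,DC=x,DC=x,DC=x
member: CN=x2,OU=People2,OU=People,DC=x,DC=x,DC=x
member: CN=x3,OU=People,DC=x,DC=x,DC=x
member: CN=x4,OU=People,DC=x,DC=x,DC=x
member: CN=x5,OU=People,DC=x,DC=x,DC=x
memberUid: x1
memberUid: x2
memberUid: x5
memberUid: x7
memberUid: x8
memberUid: x9
"""

# Hypothetical user entries, keyed by DN, giving the attribute sssd would use
# as the user name (ldap_user_name = sAMAccountName in the thread's config).
USERS_BY_DN: Dict[str, str] = {
    "CN=x1,OU=People,DC=x,DC=x,DC=x": "x1",
    "CN=x2,OU=People2,OU=People,DC=x,DC=x,DC=x": "x2",
    "CN=x3,OU=People,DC=x,DC=x,DC=x": "x3",
    "CN=x4,OU=People,DC=x,DC=x,DC=x": "x4",
    "CN=x5,OU=People,DC=x,DC=x,DC=x": "x5",
}


def normalize_dn(dn: str) -> str:
    """Fold case and strip space around commas; AD DNs compare case-insensitively."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse a single LDIF entry into attribute -> list of values.

    Attribute names are lower-cased because LDAP attribute types are
    case-insensitive ('memberuid' in sssd.conf names the same attribute as
    'memberUid'). Continuation lines (leading space) are joined. Base64
    values ('::') are not handled; they do not occur in this input.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def members_rfc2307(entry: Dict[str, List[str]]) -> Set[str]:
    """rfc2307: members are the user names listed in memberUid."""
    return set(entry.get("memberuid", []))


def members_rfc2307bis(entry: Dict[str, List[str]],
                       users_by_dn: Dict[str, str]) -> Tuple[Set[str], List[str]]:
    """rfc2307bis: members are DNs in 'member', each resolved to a user entry.

    Returns (resolved user names, DNs with no matching user). An unresolved
    DN is the situation behind sssd's 'member ... not found!' debug line.
    """
    index = {normalize_dn(dn): name for dn, name in users_by_dn.items()}
    names: Set[str] = set()
    missing: List[str] = []
    for dn in entry.get("member", []):
        name = index.get(normalize_dn(dn))
        if name is None:
            missing.append(dn)
        else:
            names.add(name)
    return names, missing


def membership_gap(entry: Dict[str, List[str]],
                   users_by_dn: Dict[str, str]) -> Dict[str, List[str]]:
    """Users who are group members under one schema setting but not the other."""
    uid_members = members_rfc2307(entry)
    dn_members, missing = members_rfc2307bis(entry, users_by_dn)
    return {
        "only_memberuid": sorted(uid_members - dn_members),
        "only_member": sorted(dn_members - uid_members),
        "both": sorted(uid_members & dn_members),
        "unresolved_member_dns": missing,
    }


if __name__ == "__main__":
    for key, value in membership_gap(parse_ldif(GROUP_LDIF), USERS_BY_DN).items():
        print(f"{key}: {value}")
```

On the constructed entry this reports x7, x8 and x9 as members only under rfc2307 and x3 and x4 only under rfc2307bis, which is exactly the kind of discrepancy Patrik observed between ldapsearch and getent. To run it against a real directory, feed it the output of `ldapsearch -LLL` for the group (requesting the member and memberUid attributes) and build the DN map from a user search, then review the "only_*" lists with whoever owns the sync between the Windows and Unix attributes before deciding which schema sssd should trust.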
_______________________________________________
sssd-devel mailing list
sssd-devel(a)lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel