On Wed, Apr 15, 2015 at 02:17:38PM +0200, Thomas HUMMEL wrote:
On Wed, Apr 15, 2015 at 08:41:38AM +0200, Jakub Hrozek wrote:
> I think this means the frontend (responder) either checks too soon
But in that case wouldn't it see no answer instead of wrong or incomplete answer ?
I suspected that the user entry is written but not the groups.
> or the back end wrote incomplete data.
My undestanding is that it can be valid (for the backend to write incomplete
data) and that it has something to do with the 'fake group' concept (which is
why I was asking you how they worked previously) : is that correct ?
A shot in the dark but maybe worth a try - can you try disabling the
ldap_purge_cache_timeout = 0
in the [domain] section. The cleanup might cause some groups with no
members to be removed, I wonder if that is your case..