[Freeipa-users] missing member in group

Dmitri Pal dpal at redhat.com
Sun Feb 17 20:23:22 UTC 2013


On 02/17/2013 03:10 PM, Jan-Frode Myklebust wrote:
> I have the following sssd backend:
>
> ------------------------------------------------------------
>
> domains = IPALDAP
>
> [domain/IPALDAP]
> id_provider = ldap
> auth_provider = ldap
> ldap_schema = IPA
> ldap_uri = ldap://ipa1.example.net, ldap://ipa2.example.net
> ldap_search_base = dc=example,dc=net
> ldap_user_search_base = cn=users,cn=accounts,dc=example,dc=net
> ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=net
> ldap_tls_cacert = /etc/ipa/ca.crt
> ldap_tls_reqcert = demand
> cache_credentials = false
> enumerate = true
> debug_level = 5
> ------------------------------------------------------------
>
> Why isn't "emilb" a member of the systemagic group???
>
> # getent group|grep systema
> systemagic:*:10031:johanl,martinh
>
>
> # ldapsearch -x -h ipa1.example.net -b cn=accounts,dc=example,dc=net cn=systemagic
> # extended LDIF
> #
> # LDAPv3
> # base <cn=accounts,dc=example,dc=net> with scope subtree
> # filter: cn=systemagic
> # requesting: ALL
> #
>
> # systemagic, groups, accounts, example.net
> dn: cn=systemagic,cn=groups,cn=accounts,dc=example,dc=net
> objectClass: ipaobject
> objectClass: top
> objectClass: groupofuniquenames
> objectClass: ipausergroup
> objectClass: posixgroup
> objectClass: groupofnames
> objectClass: nestedgroup
> memberUid: susannek
> memberUid: martinh
> memberUid: johanl
> gidNumber: 10031
> cn: systemagic
> ipaUniqueID: 329e0b6e-9ec5-11e1-8777-525400b94ff0
> member: uid=johanl,cn=users,cn=accounts,dc=example,dc=net
> member: uid=martinh,cn=users,cn=accounts,dc=example,dc=net
> member: uid=emilb,cn=users,cn=accounts,dc=example,dc=net
>
> # search result
> search: 2
> result: 0 Success

1) What versions do you have?

2) Do you need enumeration to be turned on?
We recommend it off except for very specific use cases.

3) Can you turn the debug level on SSSD up to 9, search the debug logs in
/var/log/sssd, and see what happens to this group?
I suspect it is either a bug that might have been fixed or the group is
filtered for some reason.

>
>
>   -jf


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
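
Added example, not part of the original thread: a small Python check that lines up the three views of the group quoted above (the `member` DNs, the `memberUid` values, and the `getent` line) and reports where they disagree. The function names are hypothetical, and the sample input is constructed from the values quoted in the message.

```python
# Constructed sample input, copied from the values quoted in the thread.
LDIF = """\
dn: cn=systemagic,cn=groups,cn=accounts,dc=example,dc=net
memberUid: susannek
memberUid: martinh
memberUid: johanl
gidNumber: 10031
cn: systemagic
member: uid=johanl,cn=users,cn=accounts,dc=example,dc=net
member: uid=martinh,cn=users,cn=accounts,dc=example,dc=net
member: uid=emilb,cn=users,cn=accounts,dc=example,dc=net
"""
GETENT = "systemagic:*:10031:johanl,martinh"

def parse_ldif_entry(text):
    """Collect the attributes of one LDIF entry (folded lines joined; base64 '::' values not decoded)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # LDIF continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs

def uid_from_dn(dn):
    """Return the uid of a user DN, or None for other DNs such as nested groups."""
    key, _, val = dn.split(",", 1)[0].partition("=")
    return val.strip() if key.strip().lower() == "uid" else None

def compare(ldif_text, getent_line):
    """Compare member DNs, memberUid values and the NSS (getent) member list."""
    attrs = parse_ldif_entry(ldif_text)
    by_dn = {u for u in map(uid_from_dn, attrs.get("member", [])) if u}
    by_uid = set(attrs.get("memberuid", []))
    nss = {m for m in getent_line.strip().split(":")[3].split(",") if m}
    return {
        "member_only": sorted(by_dn - by_uid),
        "memberuid_only": sorted(by_uid - by_dn),
        "missing_from_nss": sorted((by_dn | by_uid) - nss),
        "nss_only": sorted(nss - (by_dn | by_uid)),
    }

if __name__ == "__main__":
    for key, names in compare(LDIF, GETENT).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Names that show up under `nss_only` or `missing_from_nss` are the ones where access decisions made on the client differ from what the directory entry says.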

