On 02/15/2013 04:01 PM, Orion Poplawski wrote:
> On 02/15/2013 01:42 PM, John Dennis wrote:
>> On 02/15/2013 02:23 PM, Orion Poplawski wrote:
>>> On 02/15/2013 12:01 PM, Orion Poplawski wrote:
>>>>
>>>> I've been trying to track down any bugs I may have filed without success, but I'm pretty sure I tried at first adding a system user to LDAP groups and that not working unless the system user was in LDAP. This may have been before I started using SSSD on the servers, so I'll need to retest this.
>>>
>>> This still appears to be the case. As soon as I removed the system user from our current LDAP database, id no longer reported any other group memberships. This is with the default using "memberUid" for group membership. With the IPA schema of recording group membership with the full DN, it seems the user would have to be in the database to have a DN.
>>
>> Yes, you're right, the user has to exist in LDAP in order to be a member of a group managed in LDAP.
>>
>> Your other alternative is not to put these system users in LDAP and instead use local users & groups managed via some other mechanism (puppet?).
>>
>
> I've been testing with puppet, but that doesn't work. It detects the group's presence in LDAP, so doesn't add them to /etc/group, then when it goes to add apache to the various groups, that fails. Possibly could be missing functionality in puppet, but not a solution at the moment.
>
sssd.conf has some filter directives that will prevent sssd from looking up the specified users/groups. That should prevent puppet from detecting the LDAP group.

-- 
----- *question everything*learn something*answer nothing* ------------
Lucas Yamanishi
------------------ Systems Administrator, ADNET Systems, Inc.
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xE23F3D7A

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
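The directives the reply refers to are `filter_users` and `filter_groups` in the `[nss]` section of sssd.conf(5). The fragment below is an added illustration, not from anyone in this thread: the domain name `example.com`, the LDAP URI and search base, and the group name `webdata` are constructed placeholders; `apache` is the local system user discussed above.

```ini
# Constructed example sssd.conf fragment (not from the thread).
# Goal: make the LDAP group "webdata" invisible to NSS on this host so a local
# configuration tool (puppet) creates it in /etc/group and can add the local
# system user "apache" to it.

[sssd]
services = nss, pam
domains = example.com

[nss]
# Default is "root" for both; keep root in the list when extending it.
# Users/groups named here are never returned by the sss NSS module, and
# lookups for them never reach the LDAP server.
filter_users = root, apache
filter_groups = root, webdata

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com        # placeholder
ldap_search_base = dc=example,dc=com       # placeholder
# Caveat: with "webdata" filtered, any memberUid entries for that group in
# LDAP no longer apply on this host; membership is now defined solely by the
# local /etc/group entry that puppet manages.
```

After restarting sssd and clearing its cache, `getent group webdata` should return only the `files` entry (or nothing until puppet has created it), which is the behaviour that lets puppet proceed.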