On Fri, Dec 10, 2010 at 12:32:28PM +0100, Patrik Martinsson wrote:
> Hello,
> 
> I've almost managed to get sssd to work as I want, however I have this 
> problem with group members.
> 
> If I do an ldapsearch on a group I get this result,
> 
> ---------
> member: CN=x1,OU=People,DC=x,DC=x,DC=x
> member: CN=x2,OU=People2,OU=People,DC=x,DC=x,DC=x
> member: CN=x3,OU=People,DC=x,DC=x,DC=x
> member: CN=x4,OU=People,DC=x,DC=x,DC=x
> member: CN=x5,OU=People,DC=x,DC=x,DC=x
> 
> memberUid: x1
> memberUid: x2
> memberUid: x5
> memberUid: x7
> memberUid: x8
> memberUid: x9
> ---------
> 
> A colleague told me that the difference (between members in 'member' and 
> 'memberUid') is because 'member' is the attribute set up for windows 
> accounts, and 'memberUid' is for the unix accounts, and although these 
> often should be synced there could be some cases where it's not (in our 
> setup anyway).
> 
> So what I want is to get sssd to map group members to the memberUid.
> 
> Here's a snippet from my sssd.conf
> 
> ---------
> ldap_user_object_class   = User
> ldap_user_name           = sAMAccountName
> ldap_user_uid_number     = uidNumber
> ldap_user_gid_number     = gidNumber
> ldap_user_shell          = loginShell
> ldap_user_gecos          = mail
> ldap_user_principal      = userPrincipalName
> ldap_user_member_of      = memberOf
> ldap_user_home_directory = msSFUHomeDirectory
> 
> ldap_group_object_class  = Group
> ldap_group_name          = cn
> ldap_group_gid_number    = gidNumber
> ldap_group_member        = memberuid
> # ldap_group_member      = member
> # ldap_group_member      = memberUid
> # ldap_group_uuid        = memberUid
> ---------
> 
> I've tried different setups here but I can't really seem to figure it 
> out. If I run with the above settings I get no groups for users, and the 
> following is printed in sssd debug,
> ---------
> [sysdb_search_entry_done] (6) Error : Entry not found!
> [sdap_fill_memberships] (7) member #60 (x): not found!
> ---------
> 
> If I use the member instead of memberuid/Uid the users are mapped to 
> groups from the 'member' attribute, which seems logical, however that's 
> not what I want, as I said before, I want to map user groups against the 
> memberUid.
> 
> I would appreciate any tips or recommendations around this matter.

IIRC you have to set

ldap_schema = rfc2307

if you want to use memberUid (a list of user names instead of a list of DNs)

HTH

bye,
Sumit

> 
> Best regards,
> Patrik Martinsson, Sweden.
> 
> 
> 
> 
> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://fedorahosted.org/mailman/listinfo/sssd-devel
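Added example (not part of the original thread and not SSSD code): a small Python check that lists which users a group yields when membership is read from `memberUid` (user names, the `rfc2307` style) versus `member` (DNs, the `rfc2307bis` style), so drift between the two attributes is visible before choosing which one drives access. The function names are hypothetical, the sample reuses the values quoted above, values are assumed to be plain text (not base64), and the leftmost RDN value of each `member` DN is assumed to equal the login name.

```python
import re

# Constructed sample from the values quoted in the thread (one name in lower case).
SAMPLE = """\
member: CN=x1,OU=People,DC=x,DC=x,DC=x
member: CN=x2,OU=People2,OU=People,DC=x,DC=x,DC=x
member: CN=x3,OU=People,DC=x,DC=x,DC=x
member: CN=x4,OU=People,DC=x,DC=x,DC=x
member: CN=x5,OU=People,DC=x,DC=x,DC=x
memberUid: x1
memberUid: x2
memberuid: x5
memberUid: x7
memberUid: x8
memberUid: x9
"""

def parse_group(ldif):
    """Return {lowercased attribute name: [values]}; LDAP names ignore case."""
    attrs = {}
    for line in re.sub(r"\n ", "", ldif).splitlines():  # undo LDIF line folding
        m = re.match(r"([A-Za-z][\w;-]*):\s*(.*)", line)
        if m:  # blank lines, comments and separators do not match
            attrs.setdefault(m.group(1).lower(), []).append(m.group(2))
    return attrs

def first_rdn_value(dn):
    """Value of the leftmost RDN, e.g. 'x2' for 'CN=x2,OU=People2,...'."""
    m = re.match(r"[^=]+=((?:\\.|[^,\\])*)", dn)
    if not m:
        raise ValueError("not a DN: %r" % dn)
    return re.sub(r"\\(.)", r"\1", m.group(1))  # unescape "\," and similar

def members(attrs, schema):
    """User names the group yields under each membership attribute."""
    if schema == "rfc2307":  # memberUid holds plain user names
        return set(attrs.get("memberuid", []))
    if schema == "rfc2307bis":  # member holds DNs of user entries
        # Assumption: the leftmost RDN value equals the login name.
        return {first_rdn_value(dn) for dn in attrs.get("member", [])}
    raise ValueError("unknown schema: %s" % schema)

def membership_drift(attrs):
    """Names present under one attribute but missing from the other."""
    by_dn, by_uid = members(attrs, "rfc2307bis"), members(attrs, "rfc2307")
    return sorted(by_dn - by_uid), sorted(by_uid - by_dn)

if __name__ == "__main__":
    print(membership_drift(parse_group(SAMPLE)))
```
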