Bug 1346294

Summary: ldap_group_external_member is not set for the IPA provider
Product: Red Hat Enterprise Linux 7
Component: sssd
Version: 7.2
Status: CLOSED ERRATA
Severity: high
Priority: high
Target Milestone: rc
Keywords: ZStream
Hardware: Unspecified
OS: Unspecified
Reporter: Sumit Bose <sbose>
Assignee: SSSD Maintainers <sssd-maint>
QA Contact: Steeve Goveas <sgoveas>
CC: grajaiya, jhrozek, ksiddiqu, lslebodn, mkosek, mvarun, mzidek, pbrezina
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2016-11-04 07:19:10 UTC
Bug Blocks: 1356433

Description Sumit Bose 2016-06-14 13:25:41 UTC
Description of problem:
To fix #1311569 a new option ldap_group_external_member was added which should enable the IPA provider to read the external group members from the given attribute. Unfortunately ldap_group_external_member is not set by default and must be specified as 'ldap_group_external_member = ipaexternalmember' in sssd.conf to fix #1311569. It would be good to set it by default for the IPA provider.

Comment 3 Jakub Hrozek 2016-06-27 12:32:54 UTC
Since the bug was only in the 7.2.z backport of the patches, marking as MODIFIED. The correct code is already in the 7.3 rebase.

Comment 8 Varun Mylaraiah 2016-08-12 11:34:54 UTC
Verified

# rpm -q ipa-server sssd
ipa-server-4.4.0-7.el7.x86_64
sssd-1.14.0-18.el7.x86_64

# ipa group-add testgrp02
-----------------------
Added group "testgrp02"
-----------------------
  Group name: testgrp02
  GID: 64000014

# ipa group-add --desc='external group' ext_testgrp02 --external
---------------------------
Added group "ext_testgrp02"
---------------------------
  Group name: ext_testgrp02
  Description: external group

# ipa group-add-member ext_testgrp02 --external "ADTEST2.QE\adgroup1"
[member user]: 
[member group]: 
  Group name: ext_testgrp02
  Description: external group
  External member: S-1-5-21-1869981227-3608374679-2281468898-1106
-------------------------
Number of members added 1
-------------------------

# ipa group-add-member testgrp02
[member user]: 
[member group]: ext_testgrp02
  Group name: testgrp02
  GID: 64000014
  Member groups: ext_testgrp02
-------------------------
Number of members added 1
-------------------------

# getent group adgroup1
adgroup1:*:665801106:aduser1,aduser2

# getent group testgrp02
testgrp02:*:64000014:aduser2,aduser1
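
Added example, not part of the bug report or of SSSD: a Python check for hosts still on a build without the default, covering both the sssd.conf workaround from the description and the membership comparison done in the verification above. The function names and the sample sssd.conf (domain names included) are constructed for illustration; the getent lines are the ones shown in Comment 8.

```python
import configparser

OPTION = "ldap_group_external_member"
EXPECTED = "ipaexternalmember"   # value given in the bug description

# Constructed sample sssd.conf, not taken from the bug report.
SAMPLE_CONF = """\
[sssd]
domains = ipa.example.test, ldap.example.test

[domain/ipa.example.test]
id_provider = ipa

[domain/ldap.example.test]
id_provider = ldap
"""

def ipa_domains_without_option(conf_text):
    """Return {section: current value or None} for IPA domains lacking the workaround."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="").strip().lower() != "ipa":
            continue  # the option only matters for the IPA provider
        value = cp.get(section, OPTION, fallback=None)
        # LDAP attribute names are case-insensitive, so compare lowercased.
        if value is None or value.strip().lower() != EXPECTED:
            findings[section] = value
    return findings

def members(getent_line):
    """Parse the member set from one 'getent group' line (name:pw:gid:m1,m2)."""
    fields = getent_line.strip().split(":")
    if len(fields) != 4:
        raise ValueError("not a group entry: %r" % getent_line)
    return {m for m in fields[3].split(",") if m}

def unresolved_external_members(ad_group_line, ipa_group_line):
    """AD group members that did not propagate into the nesting IPA POSIX group."""
    return members(ad_group_line) - members(ipa_group_line)

if __name__ == "__main__":
    print(ipa_domains_without_option(SAMPLE_CONF))
    print(unresolved_external_members("adgroup1:*:665801106:aduser1,aduser2",
                                      "testgrp02:*:64000014:aduser2,aduser1"))
```

A non-empty result from either function means group membership through external groups may be incomplete on that client.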

Comment 10 errata-xmlrpc 2016-11-04 07:19:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html