Bug 627021
Field | Value | Field | Value
---|---|---|---
Summary: | nss group not working properly | |
Product: | [Fedora] Fedora | Reporter: | Brian LaMere <brianlamere>
Component: | sssd | Assignee: | Stephen Gallagher <sgallagh>
Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | medium | Docs Contact: |
Priority: | low | |
Version: | 13 | CC: | jhrozek, sbose, sgallagh, ssorce
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2010-08-24 22:52:54 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Attachments: | | |
Description
Brian LaMere
2010-08-24 21:24:14 UTC
Created attachment 440777 [details]
sssd_LDAP.log (sanitized)
Created attachment 440778 [details]
sssd_nss.log (sanitized)
Note that I don't see memberUid as defined for the groups within 389 Directory Server; but as mentioned, this doesn't keep other services (nslcd, nscd, etc.) from working properly. I can change how users are created if necessary; I'm just wanting to verify that sssd needs something different than what nslcd requires. Also note that if I weren't trying to move to sssd, then it wouldn't be an issue; I never know if I come off as harsh in a bug report ;)

One last comment - In my initial comment I said I tested an ldapsearch against member; that was a second test, I also tested using memberuid. Secondly, while I don't see memberUid defined for groups, it is listed as an allowed attribute, and I can set it. When I do set it, sssd works (for that one group). Neither nslcd nor nscd required I set this, however; for those, I'm guessing they used the uniqueMember attribute, which has member DNs instead?

==============================
[root@c03c01 sssd]# ldapsearch -x -LLL "cn=testgroup"
dn: cn=testgroup,ou=Groups,dc=EXAMPLE,dc=com
memberUid: brian
cn: testgroup
uniqueMember: uid=testuser,ou=People,dc=EXAMPLE,dc=com
objectClass: top
objectClass: groupofuniquenames
objectClass: posixgroup
gidNumber: xxxx
[root@c03c01 sssd]#
=======================

Final note: Putting members into groups using the 389 console (the GUI for Fedora Directory Server) does not assign the memberUid attribute. Again, just verifying that this attribute is intended to be required by sssd when it doesn't seem to be by what it replaces; I can change the ldif changetype:modify and changetype:add templates I use (since in production, the users will be created via batch processes, not a GUI) to assign the memberUid if so.

Your server is using the rfc2307bis schema with the uniqueMember attribute for group members. You want to change ldap_schema to:
ldap_schema = rfc2307bis
and add:
ldap_group_member = uniqueMember

According to http://fedoraproject.org/wiki/Talk:Design/SSSD#24_Feb_2010 - 389 uses rfc2307 (user "Duffy" made that comment), not rfc2307bis. The difference between rfc2307 and rfc2307bis is that the former uses "memberUid," and the latter "member," I thought? That's what the example in sssd.conf says, at least. No mention of "uniqueMember" that I see. At the very least, if FreeIPA and 389 Directory Server both do rfc2307bis, shouldn't sssd default to the same thing the Fedora products sssd would most likely be connecting to use? And Duffy's suggestion of having 389 use rfc2307 would apparently be incorrect. But yes, making those changes does make it work. Thanks :)
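To make the schema mismatch in this thread concrete, here is an added example (not from the bug report and not sssd's own code) that applies the two group-member mappings discussed above to a group entry modelled on the ldapsearch output: rfc2307 reads login names from memberUid, rfc2307bis reads DNs from `member` unless `ldap_group_member` points it at uniqueMember. It assumes a simplified DN-to-uid step (taking the `uid=` RDN) where the real sssd would look the member DN up in the user tree; the gidNumber is a placeholder for the sanitized value.

```python
# Added example: why one group entry yields different members under
# rfc2307 (memberUid) and rfc2307bis (a DN-valued attribute such as uniqueMember).
from collections import defaultdict

# Constructed group entry modelled on the report's ldapsearch output:
# "brian" was added by hand via memberUid, "testuser" via the 389 console.
GROUP_LDIF = """\
dn: cn=testgroup,ou=Groups,dc=EXAMPLE,dc=com
memberUid: brian
cn: testgroup
uniqueMember: uid=testuser,ou=People,dc=EXAMPLE,dc=com
objectClass: top
objectClass: groupofuniquenames
objectClass: posixgroup
gidNumber: 5000
"""  # gidNumber is a placeholder; the report shows it sanitized as xxxx


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attr_lower: [values]} (LDAP attribute names are case-insensitive)."""
    entry = defaultdict(list)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry[attr.strip().lower()].append(value.strip())
    return entry


def uid_from_dn(dn):
    """Return the uid of a DN whose first RDN is uid=..., else None.
    Simplification (assumption): real sssd resolves the member DN by looking up the user entry."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return value.strip() if attr.strip().lower() == "uid" else None


def resolve_members(entry, ldap_schema="rfc2307", ldap_group_member=None):
    """Mimic the group-member mapping: rfc2307 uses memberUid (login names);
    rfc2307bis uses a DN-valued attribute, 'member' unless ldap_group_member overrides it."""
    if ldap_schema == "rfc2307":
        attr = (ldap_group_member or "memberUid").lower()
        return sorted(entry.get(attr, []))
    if ldap_schema == "rfc2307bis":
        attr = (ldap_group_member or "member").lower()
        uids = (uid_from_dn(dn) for dn in entry.get(attr, []))
        return sorted(u for u in uids if u)
    raise ValueError("unsupported ldap_schema: %s" % ldap_schema)


GROUP = parse_ldif_entry(GROUP_LDIF)
```

With the defaults, sssd sees only the hand-added "brian"; with `rfc2307bis` alone it sees nobody (no `member` attribute); with `ldap_group_member = uniqueMember` it sees "testuser", the member the console actually created.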