I have an LDAP server that is configured to serve up groups, and only groups, using the rfc2307 schema. I have available to me a separate ldap authentication server. I want sssd to get identity information from both sources. It is not possible to just put the groups into the existing server, as "they" will not grant me write access nor will they agree to manage the groups.
sssd.conf is set up with two domains. The first (ldapr) is both auth and id provider. The second (groupldap) is simply an id provider (with auth_provider=none).
The problem is that initgroups() only seems to be running for the first domain.
In the first domain, gidNumber = uidNumber but there is no group with this gidNumber.
The groupldap DOES have a group with this gidNumber. It is successfully obtained with the nss_cmd_getgrgid_search call before the initgroups call finishes for USERNAME@ldapr.
The information flow is basically:
    Issue initgroups for ALL
    begin initgroups for ldapr
    get missing information from groupldap
    complete initgroups for ldapr
Here, it seems to me that it should continue with an initgroups for groupldap. It does not.
There are other groups on groupldap that have memberUid=USERNAME. There is never any search for groups with memberUid=USERNAME coming from the server (in the logs on the ldap server, or in the sssd logs), and initgroups is never called on the second domain (groupldap).
To make things more confusing, if I:
    getent -s sss group SOMEGROUP
I get:
    SOMEGROUP:*:12345:USERNAME:otheruser:...
where SOMEGROUP is a posixGroup on groupldap.
So, it CAN get the group information from the groupldap domain, but it doesn't.
Is this a bug, or the expected behavior? If this is expected, how do you get it to search both?
Any help would be greatly appreciated.
-Zach
On 02/22/2013 05:39 PM, Zachary Hanson-Hart wrote:
The SSSD expectation is that identity data is domain consistent, meaning that users from domain A are members of groups in domain A and users in domain B are members of domain B. There is no overlap. Also AFAIR you can't configure two connections from within one domain. What you can do is for groups use sss ldap or maybe even just ldap in nsswitch.conf and use SSSD for users and configure nss_ldap for groups.
I am not sure whether that would work but it is worth a try.
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Dmitri Pal <dpal@redhat.com> writes:
The SSSD expectation is that identity data is domain consistent meaning that users from domain A are members of groups in domain A and users in domain B are members of domain B. There is no overlap.
Thanks for the quick reply.
But, something still doesn't make sense to me. Domain A is first in the list, and returns a gidNumber of 10106 for my account. Domain A has no group with that gid. It then searched domain B for the group, and finds it. If the domains were to be treated as independent with no overlap, this should not happen, right?
This is what suggested to me that both domains would be searched. It's using information from domain B to fill in gaps in information from domain A.
Is there a pure sss way of using the union of the information from the two domains? Or, is there a way to specify a domain for sss to use for groups in the nsswitch.conf file?
Also AFAIR you can't configure two connections from within one domain. What you can do is for groups use sss ldap or maybe even just ldap in nsswitch.conf and use SSSD for users and configure nss_ldap for groups. I am not sure whether that would work but it is worth a try.
I'll have a go with nss_ldap, but I would much prefer a pure sss configuration.
Thanks again for your help.
--
Thank you, Dmitri Pal
Sr. Engineering Manager for IdM portfolio Red Hat Inc.
Looking to carve out IT costs? www.redhat.com/carveoutcosts/
Zachary Hanson-Hart <zachhh@temple.edu> writes:
Dmitri Pal <dpal@redhat.com> writes:
What you can do is for groups use sss ldap or maybe even just ldap in nsswitch.conf and use SSSD for users and configure nss_ldap for groups. I am not sure whether that would work but it is worth a try.
This turned out to work perfectly. Leaving the authentication LDAP server in sssd.conf as both an id and auth provider gives the necessary user information, and then subsequently, nss_ldap for groups gives all of the appropriate additional groups.
nsswitch.conf:
    passwd: compat sss
    group:  compat ldap
    ...

/etc/ldap.conf:
    uri ldaps://group.server
    ...

/etc/sssd/sssd.conf:
    [sssd]
    domains = userldap
    ...

    [domain/userldap]
    ldap_uri = ldaps://authentication.server
    id_provider = ldap
    auth_provider = ldap
    ...
PHEW! Thanks for your advice, Dmitri.
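A post-change check for the split setup Zach ended up with (users answered by sssd, supplementary groups answered by nss_ldap). This is an added example, not code from the thread or from the SSSD project; it assumes standard getent(1), id(1) and awk, and USERNAME is a placeholder for the account being checked.

```shell
#!/bin/sh
# Check for the split setup from this thread: users via sssd, groups via
# nss_ldap. Added example, not from the thread or the SSSD project.
# Assumes standard getent(1), id(1) and awk; USERNAME is a placeholder.

# Print the sources configured for database $2 in the nsswitch.conf given
# as $1 (e.g. "compat ldap" for the group line). Comment lines never match
# because their first field is "#".
nss_sources() {
    awk -v db="$2" '$1 == (db ":") {
        $1 = ""; sub(/^ +/, ""); print; exit
    }' "$1"
}

# Read getent-style group lines on stdin and print the names of the groups
# whose member field (field 4, memberUid under rfc2307) contains user $1.
# This is the membership walk initgroups() performs, and the step that SSSD
# only ran against the first domain in the original report.
groups_listing_user() {
    awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }'
}

# Compare the supplementary groups the running NSS stack returns for $1
# (id -Gn, i.e. initgroups) with the groups the group server itself lists
# the user in. Prints one line per group the server knows about but the
# NSS stack does not; empty output means the split configuration is complete.
missing_groups() {
    user="$1"
    expected=$(mktemp) || return 1
    getent -s ldap group | groups_listing_user "$user" | sort -u > "$expected"
    id -Gn "$user" | tr ' ' '\n' | sort -u | comm -23 "$expected" -
    rm -f "$expected"
}

# Usage:
#   nss_sources /etc/nsswitch.conf group      # expect "compat ldap"
#   missing_groups USERNAME                   # expect no output
```

Run `missing_groups` after the change; any group it prints is one the group server grants but `id USERNAME` does not show, which is exactly the symptom from the first message.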
On Fri, Feb 22, 2013 at 05:39:01PM -0500, Zachary Hanson-Hart wrote:
I have an LDAP server that is configured to serve up groups, and only groups, using the rfc2307 schema. I have available to me a separate ldap authentication server. I want sssd to get identity information from both sources. It is not possible to just put the groups into the existing server, as "they" will not grant me write access nor will they agree to manage the groups.
sssd can follow referrals. Is it possible to add a referral on the LDAP authentication server which points to the LDAP group server?
HTH
bye, Sumit