OS doesn't see user's secondary group from LDAP server


Cheers,

I have a problem with CentOS 6x + PAM (1.1.1-17.el6) via SSSD (1.9.2-129.el6) via LDAP (openldap 2.4.23-32.el6_4.1).

It's configured in the way users can enter the system with credentials stored in LDAP server and it works well. The one problem is that 'id' doesn't show additional groups that are created in the ldap database.

So, once more - OS doesn't see additional groups that are configured in ldap but the main group that is entered in the ldap is ok.

In the nsswitch.conf:


    passwd:     files sss
    shadow:     files sss
    group:      files sss

In the sssd.conf:


    [sssd]
    config_file_version = 2
    services = nss, pam, sudo
    enumerate = true
    domains = LDAP

    [nss]
    filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
    filter_groups = root,bin,daemon,sys,adm,disk,wheel

    [pam]

    [domain/LDAP]
    #debug_level = 9

    id_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    access_provider = ldap
    sudo_provider = ldap

    ldap_schema = rfc2307bis

    ldap_uri = ldap://localhost
    ldap_chpass_uri = ldap://localhost
    ldap_id_uri = ldap://localhost
    ldap_auth_uri = ldap://localhost


    ldap_search_base = dc=domain,dc=com
    ldap_user_search_base = ou=people,dc=domain,dc=com
    ldap_group_search_base = ou=groups,dc=domain,dc=com
    ldap_access_filter = (groupMembership=cn=shell,ou=groups,dc=domain,dc=com)

    enumerate = true
    ldap_enumeration_refresh_timeout=60
    cache_credentials = False
    entry_cache_timeout = 60
    ldap_network_timeout = 3

System produces the following result:


    id ttest
    uid=10000(ttest) gid=501(shell) группы=501(shell)

    getent group core
    core:*:10000:

In LDAP, user ttest has main group 'shell' and is included in group 'core' as well. Here is a query from the LDAP database:


    ldapsearch -x -b 'ou=people,dc=domain,dc=com' '(objectclass=*)'
    # extended LDIF
    #
    # LDAPv3
    # base  with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # people, domain.com
    dn: ou=people,dc=domain,dc=com
    ou: people
    objectClass: top
    objectClass: organizationalUnit

    # core, groups, domain.com
    dn: cn=core,ou=groups,dc=domain,dc=com
    objectClass: posixGroup
    gidNumber: 10000
    memberUid: ttest
    cn: core

Please advise what I should check / do in the configuration so that the system will see the 'core' group as a regular secondary group of the user in 'id', etc.

Thanks!

There are 1 answers

user2959738 On BEST ANSWER

The solution was pretty simple. That's all about my inattention...

I used 'rfc2307bis' schema in sssd configuration while it was needed to use 'rfc2307'.

That was the reason why groups were not listed in the response.

Thanks to everybody who spent some time on this issue.
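To show why the wrong `ldap_schema` makes the `core` group vanish from `id`, here is an added example (not code from the poster or from SSSD): it parses the `core` group LDIF from the question and reports which secondary groups a user would receive under `rfc2307` (members named in `memberUid`) versus `rfc2307bis` (members referenced by DN in `member`). The user DN `uid=ttest,ou=people,dc=domain,dc=com` and the contrasting `audit` group are assumptions; the page shows neither.

```python
import base64
from collections import defaultdict

# LDIF for the 'core' group as it appears in the question's ldapsearch
# output: an rfc2307 posixGroup that lists members by login name.
PAGE_LDIF = """\
# core, groups, domain.com
dn: cn=core,ou=groups,dc=domain,dc=com
objectClass: posixGroup
gidNumber: 10000
memberUid: ttest
cn: core
"""

# Constructed contrast entry (not on the page): an rfc2307bis-style group
# that stores members as DNs in 'member' and carries groupOfNames.
CONSTRUCTED_BIS_LDIF = """\
dn: cn=audit,ou=groups,dc=domain,dc=com
objectClass: posixGroup
objectClass: groupOfNames
gidNumber: 10001
member: uid=ttest,ou=people,dc=domain,dc=com
cn: audit
"""

# Assumed DN of the user entry; the question never shows it.
USER_DN = "uid=ttest,ou=people,dc=domain,dc=com"


def parse_ldif(text):
    """Minimal LDIF parser returning a list of {attr: [values]} dicts.

    Handles comment lines, blank-line separators, continuation lines
    (leading space) and base64 values written as 'attr:: ...'."""
    entries, current, last = [], None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last = None, None
            continue
        if raw.startswith(" ") and current is not None and last:
            current[last][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if attr == "dn":
            if current:
                entries.append(current)
            current = defaultdict(list)
        if current is not None:
            current[attr].append(value)
            last = attr
    if current:
        entries.append(current)
    return entries


GROUP_CLASSES = {"posixgroup", "groupofnames", "groupofuniquenames"}


def is_group(entry):
    classes = {c.lower() for c in entry.get("objectClass", [])}
    return bool(classes & GROUP_CLASSES)


def detect_schema(entries):
    """Guess which SSSD ldap_schema the directory's groups were written for.

    rfc2307 groups name members in memberUid; rfc2307bis groups point at
    member DNs in member/uniqueMember. SSSD reads only the attribute its
    configured schema expects, so a mismatch silently drops secondary groups."""
    by_name = sum(1 for e in entries if is_group(e) and e.get("memberUid"))
    by_dn = sum(1 for e in entries if is_group(e)
                and (e.get("member") or e.get("uniqueMember")))
    if by_name and not by_dn:
        return "rfc2307"
    if by_dn and not by_name:
        return "rfc2307bis"
    return "mixed" if by_name and by_dn else "unknown"


def secondary_groups(entries, uid, user_dn, schema):
    """Group names SSSD would attach to `uid` under the given ldap_schema."""
    found = []
    for e in entries:
        if not is_group(e):
            continue
        if schema == "rfc2307":
            hit = uid in e.get("memberUid", [])
        elif schema == "rfc2307bis":
            members = e.get("member", []) + e.get("uniqueMember", [])
            # Case-insensitive compare; a full DN normaliser would also fold whitespace.
            hit = user_dn.lower() in {m.lower() for m in members}
        else:
            raise ValueError("unsupported ldap_schema: %s" % schema)
        if hit:
            found.append(e["cn"][0])
    return sorted(found)


if __name__ == "__main__":
    groups = parse_ldif(PAGE_LDIF)
    print("directory groups look like:", detect_schema(groups))
    for schema in ("rfc2307", "rfc2307bis"):
        print("ldap_schema = %-10s -> %s"
              % (schema, secondary_groups(groups, "ttest", USER_DN, schema)))
```

Run against the page's LDIF alone, `detect_schema` reports `rfc2307`, and `secondary_groups` returns `['core']` under `rfc2307` but nothing under `rfc2307bis`, which is exactly the symptom in the question. Feeding the constructed `audit` group in as well yields `mixed`, the case where a single `ldap_schema` setting cannot cover every group and the directory itself needs cleaning up.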