#3186 LDAP provider doesn't show group member
Closed: Invalid None Opened 4 years ago by pcech.

Reproducer

# PREPARING
ipa user-add --first=Test --last=User1 --email=u1@domain.sssd cmt_user_1

# REPRODUCER

systemctl daemon-reload
sudo su -c "truncate -s0 /var/log/sssd/*.log"
sudo su -c "rm -f /var/lib/sss/db/*" 
sudo su -c "rm -f /var/lib/sss/mc/*"
sudo systemctl restart sssd.service

getent passwd cmt_user_1

ipa group-add cmt_group_1
ipa group-add-member --users=cmt_user_1 cmt_group_1
sss_cache -UG

getent group cmt_group_1

# CLEANING
ipa group-del cmt_group_1
ipa user-del cmt_user_1

Output

-----------------------
Added user "cmt_user_1"
-----------------------
  User login: cmt_user_1
  First name: Test
  Last name: User1
  Full name: Test User1
  Display name: Test User1
  Initials: TU
  Home directory: /home/cmt_user_1
  GECOS: Test User1
  Login shell: /bin/sh
  Kerberos principal: cmt_user_1@BETA
  Email address: u1@domain.sssd
  UID: 1703800077
  GID: 1703800077
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
cmt_user_1:*:1703800077:1703800077:Test User1:/home/cmt_user_1:/bin/sh
-------------------------
Added group "cmt_group_1"
-------------------------
  Group name: cmt_group_1
  GID: 1703800078
  Group name: cmt_group_1
  GID: 1703800078
  Member users: cmt_user_1
-------------------------
Number of members added 1
-------------------------
cmt_group_1:*:1703800078:
# ^^^ BUG (cmt_user_1 missing)
---------------------------
Deleted group "cmt_group_1"
---------------------------
-------------------------
Deleted user "cmt_user_1"
-------------------------

Fields changed

owner: somebody => pcech

Configuration:

[domain/ldap.beta]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldaps://algol.beta/
ldap_search_base = dc=beta
ldap_user_search_base = cn=users,cn=accounts,dc=beta
ldap_group_search_base = cn=groups,cn=accounts,dc=beta
ldap_netgroup_search_base = dc=beta
ldap_tls_cacert = /etc/ipa/ca.crt
entry_cache_timeout = 30
debug_level = 0xFFFF0
timeout = 50000

[sssd]
services = nss, sudo, pam, ssh
domains = ldap.beta
debug_level = 0xFFFFFF0

[nss]
homedir_substring = /home

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.14.2

I am not sure if we should expect that the member will be correctly resolved as a member of the group if he/she is added via the FreeIPA server.
I will test this case with an AD server, so LDAP records will be handled in the right way.

Fields changed

status: new => assigned

This is not a bug.

We need authentication in the [domain/ldap.beta] section of sssd.conf:

ldap_sasl_mech = gssapi
krb5_server = algol.beta
krb5_realm = BETA

resolution: => invalid
status: assigned => closed
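The resolution above comes down to a configuration check: the reporter's [domain/ldap.beta] section has id_provider = ldap but neither ldap_sasl_mech nor ldap_default_bind_dn, so SSSD binds to the IPA directory anonymously and the group comes back without its member list; adding ldap_sasl_mech = gssapi with krb5_server and krb5_realm fixes it. The script below is an added example, not part of this ticket or of SSSD's own code, that parses an sssd.conf and flags LDAP domains in that anonymous-bind state. The sample configuration embedded in it is constructed from the ticket: the original domain section next to a second, hypothetical domain (ldap.fixed) carrying the three options from the resolution. The option names used (ldap_sasl_mech, ldap_default_bind_dn, ldap_default_authtok, krb5_server, krb5_realm) are real sssd.conf options; the audit rules themselves are heuristics written for this example.

```python
"""Audit sssd.conf for LDAP id_provider domains that would bind anonymously.

Added example for the SSSD ticket "LDAP provider doesn't show group member":
an anonymous bind against the IPA directory returned the group without its
members, and the fix was to authenticate (GSSAPI) in the domain section.
"""
import configparser
from typing import Dict, List

# Constructed sample (not a real file): the reporter's original domain
# section, plus a hypothetical second domain with the options from the
# ticket's resolution applied.
SAMPLE_SSSD_CONF = """
[domain/ldap.beta]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldaps://algol.beta/
ldap_search_base = dc=beta
ldap_user_search_base = cn=users,cn=accounts,dc=beta
ldap_group_search_base = cn=groups,cn=accounts,dc=beta
ldap_tls_cacert = /etc/ipa/ca.crt
entry_cache_timeout = 30

[domain/ldap.fixed]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307bis
ldap_uri = ldaps://algol.beta/
ldap_search_base = dc=beta
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_sasl_mech = gssapi
krb5_server = algol.beta
krb5_realm = BETA

[sssd]
services = nss, sudo, pam, ssh
domains = ldap.beta, ldap.fixed
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """sssd.conf is INI-style; disable interpolation so '%' in values is safe."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_ldap_domains(text: str) -> Dict[str, List[str]]:
    """Return {domain_name: [findings]} for every [domain/*] with id_provider = ldap.

    An empty findings list means the domain authenticates its LDAP connection
    (SASL mechanism or a simple bind DN with a password).
    """
    cp = parse_sssd_conf(text)
    report: Dict[str, List[str]] = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        if dom.get("id_provider", "").strip().lower() != "ldap":
            continue
        findings: List[str] = []
        sasl_mech = dom.get("ldap_sasl_mech", "").strip().lower()
        bind_dn = dom.get("ldap_default_bind_dn", "").strip()
        authtok = dom.get("ldap_default_authtok", "").strip()
        # Heuristic 1: no SASL mechanism and no bind DN means an anonymous bind.
        # Against an IPA directory this is what left the group without members.
        if not sasl_mech and not bind_dn:
            findings.append(
                "anonymous bind: neither ldap_sasl_mech nor ldap_default_bind_dn "
                "is set; group membership attributes may not be returned"
            )
        # Heuristic 2: a bind DN without a credential cannot complete a
        # simple bind, so it does not count as authenticated here.
        if bind_dn and not authtok:
            findings.append("ldap_default_bind_dn set without ldap_default_authtok")
        # Heuristic 3: the ticket's fix pairs GSSAPI with an explicit realm and
        # KDC; note when the realm is absent so the admin checks krb5.conf/DNS.
        if sasl_mech == "gssapi" and not dom.get("krb5_realm", "").strip():
            findings.append("ldap_sasl_mech = gssapi without krb5_realm (realm must come from krb5.conf or DNS)")
        report[section[len("domain/"):]] = findings
    return report


if __name__ == "__main__":
    for domain, notes in audit_ldap_domains(SAMPLE_SSSD_CONF).items():
        status = "OK" if not notes else "CHECK"
        print(f"{status:5} {domain}")
        for note in notes:
            print(f"      - {note}")
```

Run against a real file with `audit_ldap_domains(open("/etc/sssd/sssd.conf").read())`; the sample prints CHECK for ldap.beta (the ticket's configuration) and OK for the hypothetical ldap.fixed domain.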

Metadata Update from @pcech:
- Issue assigned to pcech
- Issue set to the milestone: SSSD 1.14.2

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4219

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

