#889 Wrong initgroups with LDAP provider and IPA schema
Closed: Invalid. Opened 12 years ago by jzeleny.

When performing an initgroups operation against an IPA server using the LDAP provider with the IPA schema, only the primary group is shown.

I did some research already and it seems like the memberOf attribute of the user object isn't returned to SSSD. The same operation using the IPA provider or the LDAP provider with 2307bis works.

Here are relevant lines of the log:

[sdap_get_generic_ext_step] (6): calling ldap_search_ext with
  [(&(uid=testuser)(objectclass=posixAccount))]
  [cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com]
...
[sdap_get_generic_ext_step] (7): Requesting attrs: [memberOf]
...
[sdap_save_user] (7): Original memberOf is not available for [testuser].

How to reproduce:
1. Install IPA server, add a user testuser. Check that the user is member of ipausers group
2. Configure SSSD to use that IPA server for ID provider, set ldap_schema=ipa
3. id testuser

Result:
Only the primary group (testuser) is printed out, even though ipausers should be printed out as well. Running getent group ipausers works as expected, and a subsequent id testuser produces correct output.


Fields changed

component: SSSD => LDAP Provider
milestone: NEEDS_TRIAGE => SSSD 1.6.0
owner: somebody => sgallagh
priority: major => minor

iirc ldap_schema=ipa was added to work with IPAv1 servers. Maybe there are some specific changes which will make it fail with IPAv2 servers, although I cannot explain the log messages, because IPAv2 uses memberOf, too.

This is not a bug. FreeIPA does not expose the memberOf attribute to unauthenticated users. If you bind to LDAP as e.g. Directory Manager, everything works as expected.

Similarly, binding with a host account (as with gssapi) works correctly.

resolution: => invalid
status: new => closed
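The check behind this resolution, as an added example that is not part of the ticket or of SSSD: the same memberOf search the provider performs, run once with an anonymous bind and once authenticated via GSSAPI, so the withheld attribute is visible directly. The server name, base DN and sample LDIF are assumed placeholders, and the script evaluates constructed results unless LIVE=1 is set.

```shell
#!/bin/sh
# Added example, not code from the ticket or from SSSD. It runs the check
# behind the resolution: search one user's memberOf anonymously and again
# authenticated (GSSAPI from the host keytab). IPA hides memberOf from
# anonymous binds, so only the authenticated search should list the groups.
# IPA_HOST and BASE_DN are assumed placeholders; the LDIF below is constructed.
IPA_HOST="${IPA_HOST:-ipa.example.test}"
BASE_DN="${BASE_DN:-cn=accounts,dc=example,dc=test}"

# user_filter: the same filter SSSD logs for the initgroups lookup.
user_filter() { printf '(&(uid=%s)(objectclass=posixAccount))' "$1"; }

# count_memberof: read an LDIF result on stdin, print the number of
# memberOf values it carries (0 when the attribute was withheld).
count_memberof() { grep -ci '^memberOf:' || true; }

# memberof_search: ldapsearch for one user, requesting only memberOf.
# $1 = user; remaining args = bind options (-x anonymous, -Y GSSAPI ...).
memberof_search() {
    user="$1"; shift
    ldapsearch -LLL -H "ldap://$IPA_HOST" -b "$BASE_DN" "$@" \
        "$(user_filter "$user")" memberOf 2>/dev/null
}

# verdict: compare anonymous ($1) and authenticated ($2) counts.
#   hidden-from-anonymous  the ticket's symptom: SSSD must bind, e.g. with
#                          ldap_sasl_mech = GSSAPI or ldap_default_bind_dn
#   no-groups              even the authenticated bind saw no memberOf
#   ok                     both binds returned the groups
verdict() {
    if [ "$1" -eq 0 ] && [ "$2" -gt 0 ]; then echo hidden-from-anonymous
    elif [ "$2" -eq 0 ]; then echo no-groups
    else echo ok; fi
}

# Constructed sample results, as the two binds typically return them.
SAMPLE_ANON='dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=test'
SAMPLE_AUTH="$SAMPLE_ANON
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=example,dc=test"

if [ "${LIVE:-0}" = 1 ]; then   # LIVE=1 sh check.sh testuser: ask the server
    anon=$(memberof_search "${1:-testuser}" -x | count_memberof)
    auth=$(memberof_search "${1:-testuser}" -Y GSSAPI | count_memberof)
else                            # default: evaluate the constructed samples
    anon=$(printf '%s\n' "$SAMPLE_ANON" | count_memberof)
    auth=$(printf '%s\n' "$SAMPLE_AUTH" | count_memberof)
fi
echo "anonymous=$anon authenticated=$auth verdict=$(verdict "$anon" "$auth")"
```

A verdict of hidden-from-anonymous on a live server means the provider needs bind credentials (ldap_sasl_mech = GSSAPI with the host keytab, or ldap_default_bind_dn and ldap_default_authtok) before initgroups can see secondary groups.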

Thanks for the investigation. May I suggest adding a note to the man page so it doesn't confuse anyone else?

Fields changed

rhbz: => 0

Metadata Update from @jzeleny:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.6.0

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/1931

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
