#4403 [RFE] compat tree: show AD members of IPA groups
Closed: Fixed None Opened 7 years ago by sbose.

Currently in an environment with trust to AD the compat tree does not show AD users as members of IPA groups. The reason is that IPA groups are read directly from the IPA DS tree and external groups are not handled.


External group memberships seem to be broken for legacy clients. We should fix this in 4.0.x if possible.

Assigning to Alexander, he knows slapi-nis well. This may be also fixed together with other slapi-nis changes in FreeIPA 4.1.

FreeIPA 4.0.1 was released, moving to next bugfixing release milestone.

I am rather moving this to the 4.1 milestone, as this is an RFE (also, the change would be done in the slapi-nis component anyway).

There was no time for this ticket in 4.1 - moving to later release.

This would require some serious work in slapi-nis. It may be a potential target after Global Catalog work (#3125).

FreeIPA slapi-nis config part of the ticket filed downstream.

slapi-nis plugin contains new functionality to solve this ticket.

Its configuration needs to be updated on IPA server.

ipa-4-3:

  • eb187e9 slapi-nis: update configuration to allow external members of IPA groups
  • 5e2c6b0 spec: Bump required sssd version to 1.13.3-5

master:

  • 1353847 slapi-nis: update configuration to allow external members of IPA groups
  • 271086e spec: Bump required sssd version to 1.13.3-5

ipa-4-2:

  • fea62ea spec: Bump required sssd version to 1.13.3-5
  • dbea05e slapi-nis: update configuration to allow external members of IPA groups

Metadata Update from @sbose:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 4.2.4

4 years ago
