Justin Edmands wrote:
> Hey,
> Certainly new to migrations of LDAP. I migrated our old setup from OpenLDAP to
> 389 Directory Server. When using the "id" command on an LDAP client, it only
> returns uid, gid, and one group. It for some reason does not show all of the
> actual groups that the user is associated with. What is set to return these
> values and what setting ensures they are properly mapped from OpenLDAP to
> 389DS?
>
> ### OpenLDAP example: ###
>
> [root@openldapclient ~]# id jedmands
> uid=9999(jedmands) gid=100(users) groups=100(users),5000(manager),5001(linuxadmin),5002(storageadmin),5003(dbadmin),5004(webadmin),5006(it)
>
> ### 389 DS Example: ###
>
> [root@389dsclient ~]# id jedmands
> uid=9999(jedmands) gid=100(users) groups=100(users)
>
> Notes:
> Posted this to the 389-users list, nothing received.
> We are using the memberOf plugin for 389DS.
> I don't know too much about the openldap environment. I moved to CentOS 6 and
> figured DS was the way to go with SSL/TLS
>
I'm pretty sure you figured wrong. OpenLDAP actually works, implements the
LDAP RFCs correctly, and outperforms all other LDAP servers. Compared to
389DS, OpenLDAP bulk-loads data 2x faster, uses 10% less space on disk,
answers search queries 4x faster, and uses 50% less RAM to do it. (Also
answers Binds 6x faster, and performs updates 11x faster.) 389DS is a
hulking pile of obsolete code; the only reason it still exists today is
because RedHat has support contracts for RedHatDS from customers too
ignorant to realize how bad the product they've paid for actually is.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/

Thank god you got that off of your chest. The solution is:
/etc/sssd/sssd.conf
[domain/default]
..
ldap_group_member = memberUid
ldap_group_search_base = ou=Group,dc=mysite,dc=com
..
After flushing the cache, the clients see the proper groups.
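Why the ldap_group_member setting matters: sssd only counts a user as a member of a group if the attribute named there carries that user. RFC 2307 posixGroup entries list bare login names in memberUid; RFC 2307bis-style groups (what the 389DS memberOf plugin maintains) list full DNs in member. Point sssd at the attribute your groups do not have and every group except the primary gid disappears from id(1), which is the symptom at the top of this thread. The following is an added example, not code from anyone in the thread: it walks a constructed LDIF dump of the group subtree (the DNs, gids and names are made up, modelled on the ou=Group,dc=mysite,dc=com base above) and resolves a user's supplementary groups both ways, so you can see which attribute your directory actually populates before touching sssd.conf.

```shell
#!/bin/sh
# Added example (not from the original thread): resolve a user's supplementary
# groups from an LDIF dump of the group subtree two ways, the way sssd would
# with "ldap_group_member = memberUid" (RFC 2307) and with
# "ldap_group_member = member" (RFC 2307bis / 389DS memberOf plugin).
# The LDIF below is constructed for illustration; in practice capture it with
# something like: ldapsearch -x -b ou=Group,dc=mysite,dc=com '(objectClass=posixGroup)'
LDIF='dn: cn=users,ou=Group,dc=mysite,dc=com
objectClass: posixGroup
cn: users
gidNumber: 100
memberUid: jedmands
memberUid: someone

dn: cn=manager,ou=Group,dc=mysite,dc=com
objectClass: posixGroup
cn: manager
gidNumber: 5000
memberUid: jedmands

dn: cn=linuxadmin,ou=Group,dc=mysite,dc=com
objectClass: posixGroup
objectClass: groupOfNames
cn: linuxadmin
gidNumber: 5001
member: uid=jedmands,ou=People,dc=mysite,dc=com
'

# groups_for USER ATTR
#   Print "gid(cn)" for every group entry whose ATTR names USER, sorted by gid
#   and comma separated like the groups= field of id(1).
#   ATTR=memberUid matches the bare login name; ATTR=member matches a DN whose
#   RDN is uid=USER. Prints nothing when no group carries the user in ATTR,
#   which is exactly what a misconfigured sssd client shows.
groups_for() {
    user=$1
    attr=$2
    printf '%s\n' "$LDIF" | awk -v user="$user" -v attr="$attr" '
        BEGIN { RS = ""; FS = "\n" }          # one LDIF entry per record
        {
            cn = ""; gid = ""; hit = 0
            for (i = 1; i <= NF; i++) {
                split($i, kv, ": ")           # "attribute: value"
                if (kv[1] == "cn") cn = kv[2]
                else if (kv[1] == "gidNumber") gid = kv[2]
                else if (kv[1] == attr) {
                    if (attr == "memberUid" && kv[2] == user) hit = 1
                    if (attr == "member" && kv[2] ~ ("^uid=" user ",")) hit = 1
                }
            }
            if (hit) print gid "(" cn ")"
        }' | sort -n | tr '\n' ',' | sed 's/,$//'
}

# Usage: compare what each sssd setting would see for the same user.
echo "memberUid (rfc2307):    $(groups_for jedmands memberUid)"
echo "member    (rfc2307bis): $(groups_for jedmands member)"
```

If the memberUid line is populated and the member line is empty, the setting quoted above (ldap_group_member = memberUid, with ldap_group_search_base pointing at the group subtree) is the right one; if it is the other way round, the groups were migrated as DN-valued member attributes and sssd has to be told that instead. Remember to clear the sssd cache (sss_cache -E, or stop sssd and remove the cache files under /var/lib/sss/db/) after changing the setting, as the post notes, or id will keep showing the cached single group.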