Justin Edmands wrote:
> Thank god you got that off of your chest. The solution is:

And OpenLDAP actually has a knowledgeable community that responds to posts, and gives correct answers.

> /etc/sssd/sssd.conf
> [domain/default]
> ..
> ldap_group_member = memberUid

You should look into switching to RFC2307bis; using non-DNs for references within an LDAP directory is a really bad idea.

> ldap_group_search_base = ou=Group,dc=mysite,dc=com
> ..
> after flushing cache, the clients see the proper groups.

That should concern you too. You're now knowingly relying on a caching mechanism that serves stale data for your systems' base security. You should look into using OpenLDAP nssov+pcache instead; pcache has active cache refresh among other things so you don't need to restart or flush anything to keep your system security up to date.
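To make the RFC2307 vs RFC2307bis point concrete, here is the same group written both ways. This is an added example, not from either poster; the group, users and base DN are constructed, and the two entries are alternatives (load one or the other, not both, since they share a DN).

```ldif
# Added example, not from the thread. Names and the base DN are constructed.

# RFC2307 style: membership is a bare uid string. Nothing in the directory
# ties "alice" to a particular entry, so if uid=alice is deleted and the
# uid is later reused for someone else, the new account inherits membership
# in cn=admins without anyone touching the group.
dn: cn=admins,ou=Group,dc=mysite,dc=com
objectClass: posixGroup
cn: admins
gidNumber: 10000
memberUid: alice
memberUid: bob

# RFC2307bis style: groupOfNames is the structural class, posixGroup is
# auxiliary, and each member is the DN of a real entry. The reference is
# unambiguous, and the refint overlay can remove it when the user entry
# is deleted or renamed, so no dangling or recyclable membership remains.
dn: cn=admins,ou=Group,dc=mysite,dc=com
objectClass: groupOfNames
objectClass: posixGroup
cn: admins
gidNumber: 10000
member: uid=alice,ou=People,dc=mysite,dc=com
member: uid=bob,ou=People,dc=mysite,dc=com
```

On the sssd side the matching change is `ldap_schema = rfc2307bis` in the domain section, with `ldap_group_member = member` (the default for that schema) replacing the `memberUid` setting quoted above.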