Hello,
I have a groupOfUniqueNames in my LDAP (xv64ut09), which has as a uniqueMember the DN of another groupOfUniqueNames. In this last group are my user values.
In my sssd configuration I use a filter like this: ldap_user_search_base = ou=people,dc=fu,dc=bar,dc=com??(&(memberOf=cn=xv64ut09,ou=groups,dc=fu,dc=bar,dc=com)(objectClass=*))
The problem is that this doesn't work if the user values are in a nested group; it only works if the users are in my main group (xv64ut09).
I would guess that Linux / sssd can support this type of nesting. Is there a change that needs to be done from the LDAP server side, in the schema, or maybe something else that I have missed? I am using the rfc2307bis...
Thanks.
--On Wednesday, February 10, 2016 9:50 AM +0000 Miltos Tereres fo_ko@outlook.com wrote:
> The problem is that this doesn't work if the user values are in a nested group; it only works if the users are in my main group (xv64ut09).
> I would guess that Linux / sssd can support this type of nesting. Is there a change that needs to be done from the LDAP server side, in the schema, or maybe something else that I have missed? I am using the rfc2307bis...
I'm not clear what you mean by nested group? Do you mean another group that's a child entry of the parent? If so, then no, your filter wouldn't work for that. It is clearly only looking at users that specifically are members of the xv64ut09 group.
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
A division of Synacor, Inc
Quanah Gibson-Mount wrote:
> --On Wednesday, February 10, 2016 9:50 AM +0000 Miltos Tereres fo_ko@outlook.com wrote:
>> The problem is that this doesn't work if the user values are in a nested group; it only works if the users are in my main group (xv64ut09).
>> I would guess that Linux / sssd can support this type of nesting. Is there a change that needs to be done from the LDAP server side, in the schema, or maybe something else that I have missed? I am using the rfc2307bis...
There is nothing in the server or in the LDAP protocol that supports nested groups. As such, it is the client's responsibility to process them if it wants them. So you need to look into sssd's documentation.
> I'm not clear what you mean by nested group? Do you mean another group that's a child entry of the parent? If so, then no, your filter wouldn't work for that. It is clearly only looking at users that specifically are members of the xv64ut09 group.
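Howard's point above, that the server returns only the DNs literally present in uniqueMember and that any nested-group expansion has to happen on the client, is illustrated by the following added example. It is not code from the thread, from OpenLDAP or from sssd: the directory is a constructed in-memory dictionary (the team-a and team-b groups, the users alice/bob/carol and the dangling "ghost" DN are invented), `lookup()` is a hypothetical stand-in for a base-scope search, and `nested_user_members()` is a client-side walk that is bounded by a nesting limit and survives a membership cycle, the two properties a real client (sssd exposes a comparable limit as `ldap_group_nesting_level` in sssd.conf(5)) needs before it can safely follow group-in-group references.

```python
"""Client-side expansion of nested groupOfUniqueNames membership.

Added example, not from the thread or from sssd. An LDAP search returns only
the DNs literally present in uniqueMember, so a filter such as
(memberOf=cn=xv64ut09,ou=groups,dc=fu,dc=bar,dc=com) matches direct members
only. Following group-in-group references is the client's job, and a careful
client bounds the walk (nesting limit) and survives cycles.
"""
from collections import deque

BASE = "dc=fu,dc=bar,dc=com"


def norm(dn):
    """Crude DN normalisation (lower-case, no spaces after commas).
    Real code should use an RFC 4514 parser; good enough for this sample."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


# Constructed sample directory (DN -> attributes); the users and the team-a /
# team-b groups are invented. team-b points back at xv64ut09 to create a cycle
# and also carries a uniqueMember whose entry does not exist.
DIRECTORY = {
    f"cn=xv64ut09,ou=groups,{BASE}": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": [f"uid=alice,ou=people,{BASE}",
                         f"cn=team-a,ou=groups,{BASE}"],
    },
    f"cn=team-a,ou=groups,{BASE}": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": [f"uid=bob,ou=people,{BASE}",
                         f"cn=team-b,ou=groups,{BASE}"],
    },
    f"cn=team-b,ou=groups,{BASE}": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": [f"uid=carol,ou=people,{BASE}",
                         f"cn=xv64ut09,ou=groups,{BASE}",      # cycle
                         f"uid=ghost,ou=people,{BASE}"],       # dangling DN
    },
    f"uid=alice,ou=people,{BASE}": {"objectClass": ["inetOrgPerson", "posixAccount"]},
    f"uid=bob,ou=people,{BASE}": {"objectClass": ["inetOrgPerson", "posixAccount"]},
    f"uid=carol,ou=people,{BASE}": {"objectClass": ["inetOrgPerson", "posixAccount"]},
}


def lookup(dn):
    """Hypothetical stand-in for a base-scope search returning one entry."""
    return DIRECTORY.get(norm(dn))


def is_group(entry):
    return any(oc.lower() == "groupofuniquenames" for oc in entry.get("objectClass", []))


def direct_user_members(group_dn):
    """One level only: what a memberOf=<group> filter on the user subtree yields."""
    entry = lookup(group_dn)
    if entry is None or not is_group(entry):
        return []
    users = []
    for member in entry.get("uniqueMember", []):
        target = lookup(member)
        if target is not None and not is_group(target):
            users.append(norm(member))
    return sorted(users)


def nested_user_members(group_dn, nesting_level=2):
    """Breadth-first walk through nested groups, at most nesting_level deep.

    nesting_level=0 follows no nested groups (same result as
    direct_user_members); every visited group is recorded so a cycle such as
    xv64ut09 -> team-a -> team-b -> xv64ut09 terminates.
    """
    start = norm(group_dn)
    seen_groups = {start}
    users = set()
    frontier = deque([(start, 0)])
    while frontier:
        dn, depth = frontier.popleft()
        entry = lookup(dn)
        if entry is None or not is_group(entry):
            continue
        for member in entry.get("uniqueMember", []):
            mdn = norm(member)
            target = lookup(mdn)
            if target is None:
                continue                      # dangling uniqueMember: skip it
            if is_group(target):
                if depth < nesting_level and mdn not in seen_groups:
                    seen_groups.add(mdn)
                    frontier.append((mdn, depth + 1))
            else:
                users.add(mdn)
    return sorted(users)


if __name__ == "__main__":
    top = f"cn=xv64ut09,ou=groups,{BASE}"
    print("direct:", direct_user_members(top))
    for level in (0, 1, 2):
        print(f"nesting_level={level}:", nested_user_members(top, level))
```

Run against the constructed directory, `direct_user_members()` returns only alice, which is exactly what the memberOf filter in the original post sees; raising the nesting level to 1 adds bob and to 2 adds carol, while the team-b -> xv64ut09 back-reference and the dangling DN are ignored instead of looping or aborting the lookup.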
On Thu, Feb 11, 2016 at 03:45:10AM +0000, Howard Chu wrote:
> Quanah Gibson-Mount wrote:
>> --On Wednesday, February 10, 2016 9:50 AM +0000 Miltos Tereres fo_ko@outlook.com wrote:
>>> The problem is that this doesn't work if the user values are in a nested group; it only works if the users are in my main group (xv64ut09).
>>> I would guess that Linux / sssd can support this type of nesting. Is there a change that needs to be done from the LDAP server side, in the schema, or maybe something else that I have missed? I am using the rfc2307bis...
> There is nothing in the server or in the LDAP protocol that supports nested groups. As such, it is the client's responsibility to process them if it wants them. So you need to look into sssd's documentation.
A good place to start is: https://fedorahosted.org/sssd/wiki/Troubleshooting
Anyhow, this question is probably better suited for the sssd-users mailing list.
openldap-technical@openldap.org