In order for Linux LDAP clients to retrieve all groups for a user, including secondary groups, from a FreeBSD OpenLDAP server, a few changes have to be made on the client side. Firstly, the rfc2307bis schema exists only on Linux; it's not known to BSD Unix. Therefore the alternative "rfc2307" schema has to be used, which corresponds to a schema known on Unix. Further, in this schema the group membership attribute, "ldap_group_member", is set on Linux to "uniquemember". This is wrong and has to be changed to "memberUid". So, edit /etc/sssd/sssd.conf on the Linux client, change those two fields (as below), and restart the sssd service. That should do it; no changes are required server side. A new group can now be added on the LDAP server and users assigned to it. The client will retrieve those groups and honour all group-related permissions and actions. This has been implemented and tested and should work on all versions of RHEL 6/7 and CentOS 6/7.

/etc/sssd/sssd.conf:

####################################################
[domain/default]
debug_level = 1
ldap_tls_reqcert = never
auth_provider = ldap
# JWS
#ldap_schema = rfc2307bis
ldap_schema = rfc2307
krb5_realm =
# ldap_search_base = dc=bi,dc=up,dc=ac,dc=za
# JWS
#ldap_group_member = uniquemember
ldap_group_member = memberUid
id_provider = ldap
ldap_id_use_start_tls = True
chpass_provider = ldap
ldap_uri = ldap://auth.bi.up.ac.za
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
entry_cache_timeout = 600
ldap_network_timeout = 3
autofs_provider = ldap

[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default

[nss]
homedir_substring = /home

[autofs]

[pam]
####################################################
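The two changed settings can be checked mechanically before restarting sssd. The following is an added example, not code from the original page: it parses an sssd.conf with Python's configparser (a constructed sample file is embedded), confirms that ldap_schema and ldap_group_member match the rfc2307 setup described above, and also flags the ldap_tls_reqcert = never line carried in the page's config, since that value turns off verification of the LDAP server's certificate. The SSSD option names and their documented defaults are taken from sssd-ldap(5); the hostname in the sample is a placeholder.

```python
import configparser

# Constructed sample (not the page's own file): the two fixes applied, plus the
# ldap_tls_reqcert = never line, so the checker has something to report.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
ldap_uri = ldap://ldap.example.invalid
ldap_id_use_start_tls = True
ldap_tls_reqcert = never
#ldap_schema = rfc2307bis
ldap_schema = rfc2307
#ldap_group_member = uniquemember
ldap_group_member = memberUid
"""


def check_sssd_conf(text):
    """Return a list of findings (strings) for every LDAP-backed domain in an sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.read_string(text)  # lines starting with '#' (the commented-out old values) are ignored
    findings = []
    domains = cp.get("sssd", "domains", fallback="")
    for name in (d.strip() for d in domains.split(",") if d.strip()):
        sect = "domain/" + name
        if cp.get(sect, "id_provider", fallback="") != "ldap":
            continue
        # sssd-ldap(5) defaults: ldap_schema = rfc2307, ldap_group_member = memberuid for rfc2307
        schema = cp.get(sect, "ldap_schema", fallback="rfc2307").lower()
        member = cp.get(sect, "ldap_group_member", fallback="memberuid").lower()
        if schema != "rfc2307":
            findings.append(f"{sect}: ldap_schema = {schema}; the OpenLDAP server uses rfc2307")
        if schema == "rfc2307" and member != "memberuid":
            findings.append(f"{sect}: ldap_group_member = {member}; rfc2307 groups list memberUid")
        # 'never' means the server certificate is not checked: StartTLS then still
        # hides the traffic, but an impostor LDAP server would be accepted.
        if cp.get(sect, "ldap_tls_reqcert", fallback="").lower() == "never":
            findings.append(f"{sect}: ldap_tls_reqcert = never disables server certificate checks")
    return findings


if __name__ == "__main__":
    for line in check_sssd_conf(SAMPLE_CONF) or ["no findings"]:
        print(line)
```

Run it against the real file with `check_sssd_conf(open("/etc/sssd/sssd.conf").read())`; an empty list means both group settings are as described and certificate checking is left on.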