
Enabling secondary group retrieval from FreeBSD LDAP server

In order for Linux LDAP clients to retrieve all groups for a user, including secondary groups, from a FreeBSD OpenLDAP server, a few changes have to be made on the client side.

Firstly, the two schemas are not interchangeable. rfc2307bis is a draft extension of RFC 2307 in which a group lists its members as DNs (a member attribute pointing at the user entries), whereas plain RFC 2307 groups are posixGroup entries that list their members by login name in memberUid. Which one a client may use is decided by how the server's directory was populated, not by the operating system; the FreeBSD OpenLDAP server here carries the plain RFC 2307 layout, so the client has to be told ldap_schema = rfc2307 or it will look for member attributes the groups do not have.
Secondly, ldap_group_member names the attribute sssd reads to find group members. Left at uniquemember (the DN-valued member attribute of groupOfUniqueNames) it never matches a posixGroup entry, and the user appears to have no secondary groups at all. It has to be memberUid, which is also sssd's default for ldap_schema = rfc2307, so setting it explicitly mostly guards against a stale value from an earlier configuration.

So, edit /etc/sssd/sssd.conf on the Linux client, change those two settings as in the listing below, and restart sssd (service sssd restart on RHEL/CentOS 6, systemctl restart sssd on 7). No changes are required server side. Because sssd serves group entries from its cache for entry_cache_timeout seconds (600 in the listing), flush it with sss_cache -E after the restart, then check with id <username> and getent group <groupname> that the secondary groups are listed. From then on a new group can be added on the LDAP server and users assigned to it; the client will retrieve it and honour all group-related permissions and actions.

This has been implemented and tested and should work on all versions of RHEL 6/7 and CentOS 6/7.

/etc/sssd/sssd.conf:
####################################################
[domain/default]
# Raise only while troubleshooting; higher levels log directory responses.
debug_level = 1
# WARNING: "never" means the server certificate is neither requested nor
# checked, so StartTLS encrypts the session but does not authenticate the
# server (anything answering as auth.bi.up.ac.za is accepted). Switch to
# "demand" once the issuing CA certificate is placed in ldap_tls_cacertdir
# (run c_rehash or cacertdir_rehash on that directory).
ldap_tls_reqcert = never
auth_provider = ldap

# JWS: the server holds plain RFC 2307 groups (posixGroup + memberUid);
# rfc2307bis would look for DN-valued member attributes that do not exist.
#ldap_schema = rfc2307bis
ldap_schema = rfc2307

# Unused here: auth_provider is ldap, not krb5.
krb5_realm = #
ldap_search_base = dc=bi,dc=up,dc=ac,dc=za

# JWS: attribute that lists a group's members. uniquemember belongs to
# groupOfUniqueNames and never matches posixGroup entries; memberUid is
# also the sssd default for ldap_schema = rfc2307.
#ldap_group_member = uniquemember
ldap_group_member = memberUid

id_provider = ldap
# Upgrade the plain ldap:// connection with StartTLS before any query.
ldap_id_use_start_tls = True
chpass_provider = ldap
ldap_uri = ldap://auth.bi.up.ac.za
# Allow logins from cached password hashes while the server is unreachable.
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
# Seconds a cached user/group entry is served before being refreshed;
# group changes on the server take up to this long to appear unless the
# cache is flushed with sss_cache -E.
entry_cache_timeout = 600
ldap_network_timeout = 3
autofs_provider = ldap

[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default

[nss]
homedir_substring = /home

[autofs]

[pam]

####################################################
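The following Python script is an added example, not code from the original page or from sssd. It parses a small LDIF fragment (constructed here, modelled on the posixGroup/memberUid layout the FreeBSD server uses; the entries, the example.com suffix and the helper names are assumptions) and resolves a user's secondary groups with a configurable member attribute, which is exactly what the ldap_group_member setting above selects. Running it shows why the old uniquemember value returns no secondary groups while memberUid returns them.

```python
"""Secondary-group resolution against an RFC 2307 directory, as sssd sees it.

Added example, not part of the original page or of sssd. The directory
content below is constructed for illustration.
"""
from collections import defaultdict

# Constructed sample directory content (not real entries from any server).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 1001

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: bob
uidNumber: 1002
gidNumber: 1002

dn: cn=alice,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: alice
gidNumber: 1001

dn: cn=research,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: research
gidNumber: 2001
memberUid: alice
memberUid: bob

dn: cn=admins,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: admins
gidNumber: 2002
memberUid: bob
"""

# Default ldap_group_member for each ldap_schema, as documented in sssd-ldap(5).
DEFAULT_GROUP_MEMBER = {"rfc2307": "memberUid", "rfc2307bis": "member"}


def parse_ldif(text):
    """Parse a minimal LDIF fragment into a list of {attr: [values]} dicts.

    Attribute names are lower-cased so lookups are case-insensitive, as
    LDAP attribute-type comparison is.
    """
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        if current is None:
            current = defaultdict(list)
        current[attr.strip().lower()].append(value.strip())
    if current:
        entries.append(current)
    return entries


def secondary_groups(entries, uid, member_attr):
    """Return names of posixGroup entries listing `uid` via `member_attr`.

    RFC 2307 stores login names (memberUid: alice); rfc2307bis stores DNs
    (member: uid=alice,...), so both forms are matched. The user's primary
    group (gidNumber) is excluded, mirroring the supplementary groups `id`
    reports.
    """
    key = member_attr.lower()
    user = next((e for e in entries if uid in e.get("uid", [])), None)
    if user is None:
        return []
    user_dn = user["dn"][0].lower()
    primary_gid = user.get("gidnumber", [None])[0]
    found = []
    for e in entries:
        if "posixgroup" not in [c.lower() for c in e.get("objectclass", [])]:
            continue
        if e.get("gidnumber", [None])[0] == primary_gid:
            continue
        members = [m.lower() for m in e.get(key, [])]
        if uid.lower() in members or user_dn in members:
            found.append(e["cn"][0])
    return sorted(found)


def resolve(uid, ldap_schema="rfc2307", ldap_group_member=None):
    """Resolve secondary groups the way the sssd.conf settings would."""
    attr = ldap_group_member or DEFAULT_GROUP_MEMBER[ldap_schema]
    return secondary_groups(parse_ldif(SAMPLE_LDIF), uid, attr)


if __name__ == "__main__":
    # The page's original setting: rfc2307bis with uniquemember finds nothing.
    print("uniquemember:", resolve("alice", "rfc2307bis", "uniquemember"))
    # The corrected setting: rfc2307 with memberUid finds the secondary group.
    print("memberUid:  ", resolve("alice", "rfc2307", "memberUid"))
```

The same mismatch can be checked against a live server without sssd in the loop: an ldapsearch for the group entry shows which attribute actually carries the members, and that attribute is the only correct value for ldap_group_member.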