During some days I've been working on a LDAP integration. Now, after configure almost everything that I needed, I came up with this last wall: The need of use secondary groups which are taken from the LDAP server.
Behaviour:
[root@sr-servicesLin ~]# id hmr
uid=2956(hmr) gid=10000(ldapusers) groups=10000(ldapusers)
[root@sr-servicesLin ~]# getent group repo
repo:*:25958:
[root@sr-servicesLin ~]# groups hmr
hmr : ldapusers
Content of repo group (it's a LDAP group):
[root@sr-dns ~]# ldapsearch -x -H ldaps://ldap.eibind.iss -b "dc=eibind,dc=iss" "(&(objectclass=posixGroup)(cn=repo)(gidNumber=*))"
# extended LDIF
#
# LDAPv3
# base <dc=eibind,dc=iss> with scope subtree
# filter: (&(objectclass=posixGroup)(cn=repo)(gidNumber=*))
# requesting: ALL
#
# repo, Groups, eibind.iss
dn: cn=repo,ou=Groups,dc=eibind,dc=iss
objectClass: posixGroup
objectClass: top
cn: repo
memberUid: hmr
memberUid: jcontreras
memberUid: hectoriss
gidNumber: 25958
# search result
search: 2
result: 0 Success
The scenario:
OS: Centos 6.7
Packages:
· ldap running with ssl
· sssd installed
· nss-pam-ldapd
The problem is:
When I use id command I'm not getting the secondary groups of every user, just the principal one (which comes from LDAP, so there is a connection).
I'm going to paste the main config files, I think that I put everything in the correct place. Surfing between sites, I read that is not recommended to have sssd and nsswitch configured at the same time, like configure ldap and sss for "parse" all the desired data from the server, that it could be a mess for the server or something like that. Despite of this, I wrote ldap and sss as a data sources.
nsswitch.conf
#
# /etc/nsswitch.conf
#
passwd: files ldap sss
shadow: files ldap sss
group: files ldap sss
#hosts: db files nisplus nis dns
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files ldap sss
netgroup: files ldap sss
publickey: nisplus
automount: files ldap sss
aliases: files ldap nisplus
As you can see, I'm asking to ldap and sss (sssd) about the passwd, shadow and groups. Combined with this config, I also have the sssd.conf file, which is the following:
sssd.conf
[sssd]
config_file_version = 2
services = nss, pam, autofs
domains = default
[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
[pam]
[domain/default]
ldap_tls_reqcert = allow
auth_provider = ldap
ldap_schema = rfc2307bis
krb5_realm = eibind.iss
ldap_search_base = dc=eibind,dc=iss
ldap_group_member = uniqueMember
id_provider = ldap
ldap_id_use_start_tls = True
chpass_provider = ldap
ldap_uri = ldaps://ldap.eibind.iss/
#ldap_user_object_class = user
#ldap_group_object_class = group
#ldap_group_search_base = OU=Groups,DC=eibind,DC=iss
#ldap_group_search_scope = one
#ldap_group_object_class = group
ldap_chpass_uri = ldaps://ldap.eibind.iss/
krb5_kdcip = ldap.eibind.iss
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/cacerts
entry_cache_timeout = 600
ldap_network_timeout = 3
krb5_server = ldap.eibind.iss
autofs_provider = ldap
[autofs]
Here we can see that I'm using ldap_schema = rfc2307bis and ldap_group_member = uniqueMember.
I say that because I found over the net that I should change ldap_schema = rfc2307bis to ldap_schema = rfc2307 but it still does not work.
Also, there are some commented lines which I previously tried but without success.
To finish, I'm going to paste the nslcd.conf. In here I just followed this tutorial: https://arthurdejong.org/nss-pam-ldapd/setup , so my config file is as it comes plus these following lines:
# This comment prevents repeated auto-migration of settings.
uri ldap://ldap.eibind.iss/
base dc=eibind,dc=iss
uid nslcd
gid nslcd
I have to be missing something, some value, some stupid config. Probably I spend around 3-4 days looking at this, so any help with be very grateful.
Thanks in advance.
