2 LDAP BE, One proxy and One native ldap, return users from first domain twice and do not return second domain users #1228

Closed
sssd-bot opened this issue May 2, 2020 · 0 comments

sssd-bot commented May 2, 2020

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/186

  • Created at 2009-09-16 21:45:06 by jgalipea
  • Closed as Invalid
  • Assigned to sgallagh

Description

With two LDAP domains configured, one native and one proxy, the users from the first domain are returned twice and the users from the second domain are not returned.

Configuration

sssd.conf:

[services]
description =  Local Service Configuration
activeServices = nss, pam
reconnection_retries = 3

[services/nss]
description = NSS Responder Configuration
filterGroups = root
filterUsers = root
debug-level = 4

[services/dp]
description = Data Provider Configuration
debug-level = 4

[services/pam]
description = PAM Responder Configuration

[services/monitor]
description = Service Monitor Configuration

[domains]
description = Domains served by SSSD
domains = EXAMPLE.COM,BOS.REDHAT.COM

[domains/EXAMPLE.COM]
description = Request to our EXAMPLE.COM LDAP server
enumerate = TRUE
minId = 1000
maxId = 1010
useFullyQualifiedNames = TRUE
cache-credentials = FALSE

provider = ldap
ldapUri = ldap://jennyv4.bos.redhat.com:389
userSearchBase = ou=people,dc=example,dc=com
groupSearchBase = ou=groups,dc=example,dc=com

[domains/BOS.REDHAT.COM]
description = Request to our BOS.REDHAT.COM LDAP server
enumerate = TRUE
useFullyQualifiedNames = TRUE
cache-credentials = FALSE

provider = proxy
libName = ldap
libPath = libnss_ldap.so.2

ldap.conf:

uri ldap://jennyv4.bos.redhat.com:389
ssl no
base dc=example,dc=com

The following is returned for user search:

[root@jennyF11 ~]#  getent -s sss passwd
puser1@EXAMPLE.COM:x:1001:1001::/export/puser1:
puser2@EXAMPLE.COM:x:1002:1002::/export/puser2:
puser1@BOS.REDHAT.COM:x:1001:1001:Posix User1:/export/puser1:
puser2@BOS.REDHAT.COM:x:1002:1002:Posix User2:/export/puser2:
puser4@BOS.REDHAT.COM:x:1011:1011:Posix User4:/export/puser4:

The following is returned for a group search:

[root@jennyF11 ~]#  getent -s sss group
Duplicate@EXAMPLE.COM:x:1010:
Group1@EXAMPLE.COM:x:1001:
Group2@EXAMPLE.COM:x:1002:
Duplicate@BOS.REDHAT.COM:x:1010:
Group1@BOS.REDHAT.COM:x:1001:
Group2@BOS.REDHAT.COM:x:1002:
Group4@BOS.REDHAT.COM:x:1011:

Expected users "user2000@BOS.REDHAT.COM" and "user2009@BOS.REDHAT.COM" from the second domain.
Expected groups "group2000@BOS.REDHAT.COM" and "Duplicate@BOS.REDHAT.COM" from the second domain.

Comments


Comment from sgallagh at 2009-09-17 20:14:12

Fields changed

owner: somebody => sgallagh
status: new => assigned


Comment from sgallagh at 2009-09-17 20:24:19

This is a configuration bug. You have both domains pointing at the same LDAP server, though one has a less restrictive id range specified.

resolution: => invalid
status: assigned => closed
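
The overlap named in the comment above can be checked mechanically. The following is an added example, not part of the original issue or of SSSD: it reads the old-style sssd.conf keys shown in the report plus ldap.conf and lists every LDAP URI that backs more than one domain. The function names are hypothetical, the sample input is constructed from the report, and it assumes a proxy domain with `libName = ldap` takes its server from the `uri` line of ldap.conf.

```python
import configparser
# Constructed sample input: trimmed copies of the sssd.conf and ldap.conf quoted in this issue.
SSSD_CONF = """
[domains]
domains = EXAMPLE.COM,BOS.REDHAT.COM

[domains/EXAMPLE.COM]
minId = 1000
maxId = 1010
provider = ldap
ldapUri = ldap://jennyv4.bos.redhat.com:389

[domains/BOS.REDHAT.COM]
provider = proxy
libName = ldap
"""
LDAP_CONF = """
uri ldap://jennyv4.bos.redhat.com:389
base dc=example,dc=com
"""

def ldap_conf_uri(text):
    """Return the first 'uri' value from an nss_ldap style ldap.conf, or None."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "uri":
            return parts[1].lower().rstrip("/")
    return None

def shared_backends(sssd_text, ldap_text):
    """Return {uri: [(domain, (minId, maxId)), ...]} for URIs used by two or more domains."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names as written (ldapUri, libName)
    cp.read_string(sssd_text)
    by_uri = {}
    for name in (d.strip() for d in cp["domains"]["domains"].split(",")):
        sec, uri = cp["domains/" + name], None
        if sec.get("provider") == "ldap":
            uri = sec.get("ldapUri", "").lower().rstrip("/")
        elif sec.get("provider") == "proxy" and sec.get("libName") == "ldap":
            # Assumption: a proxy domain using libnss_ldap takes its server from ldap.conf.
            uri = ldap_conf_uri(ldap_text)
        id_range = (sec.get("minId"), sec.get("maxId"))  # None = no limit configured
        by_uri.setdefault(uri, []).append((name, id_range))
    return {u: doms for u, doms in by_uri.items() if u and len(doms) > 1}

if __name__ == "__main__":
    for uri, doms in shared_backends(SSSD_CONF, LDAP_CONF).items():
        print(uri, "backs", doms)
```

On the sample input both domains map to the same URI, and the second one carries no minId/maxId, which matches the puser4 (uid 1011) entry appearing only under BOS.REDHAT.COM in the reported output.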


Comment from dpal at 2012-01-19 02:19:06

Fields changed

rhbz: => 0


Comment from jgalipea at 2017-02-24 15:09:13

Metadata Update from @jgalipea:

  • Issue assigned to sgallagh
  • Issue set to the milestone: SSSD 0.6.0