Arun Khan
2013-Oct-08 19:47 UTC
[CentOS] sssd - ldap uid/gid does not match with uid/gids in the openLDAP DS
CentOS 6.4 (amd64) client desktop with SSSD installed+configured to do LDAP AUTH from an openLDAP DS.

Groups in LDAP DS -- dsusers (for all users), project1, project2, ....

The objective is to give group permissions to directory trees with users belonging to various groups; users thereby inheriting the ACL given to respective groups.

Test case --
uid: jdoe,
gid: dsusers (primary)

On LDAP client workstation - id jdoe shows uid+gid as above.

Then I add uid jdoe to the 'project1' group in the openLDAP DS.

On the client workstation - id jdoe shows member of 'dsusers' only.

Thinking it could be due to local cache, I have deleted the files in /var/lib/sss/db/ and still id jdoe reports member of dsusers only.

I have also waited > 5 mins. expecting the client side cache to be updated but still the same issue. jdoe does not show up as member of project1.

In order for jdoe to show up as member of 'project1' group, I have to restart sssd.

In sssd.conf, in the domain section enumerate=FALSE.

I would appreciate any pointers to shorten the client side updates regarding uid+gid association.

TIA.
-- Arun Khan
Paul Heinlein
2013-Oct-08 20:59 UTC
[CentOS] sssd - ldap uid/gid does not match with uid/gids in the openLDAP DS
On Wed, 9 Oct 2013, Arun Khan wrote:

> CentOS 6.4 (amd64) client desktop with SSSD installed+configured to do
> LDAP AUTH from an openLDAP DS.
>
> Groups in LDAP DS -- dsusers (for all users), project1, project2, ....
>
> The objective is to give group permissions to directory trees with
> users belonging to various groups; users thereby inheriting the ACL
> given to respective groups.
>
> Test case --
> uid: jdoe,
> gid: dsusers (primary)
>
> On LDAP client workstation - id jdoe shows uid+gid as above.
>
> Then I add uid jdoe to the 'project1' group in the openLDAP DS.
>
> On the client workstation - id jdoe shows member of 'dsusers' only.
>
> Thinking it could be due to local cache, I have deleted the files in
> /var/lib/sss/db/ and still id jdoe reports member of dsusers only.
>
> I have also waited > 5 mins. expecting the client side cache to be
> updated but still the same issue. jdoe does not show up as member of
> project1.
>
> In order for jdoe to show up as member of 'project1' group, I have to
> restart sssd.
>
> In sssd.conf, in the domain section enumerate=FALSE.
>
> I would appreciate any pointers to shorten the client side updates
> regarding uid+gid association.

The default entry_cache_timeout is 5400 seconds, an hour and a half, probably well beyond the "> 5 mins" you waited. I set "entry_cache_timeout = 600" in the domain section of the standard sssd.conf for CentOS machines. You can set entry_cache_group_timeout specifically if you need more frequent checks for group entries.

--
Paul Heinlein heinlein at madboa.com
45°38' N, 122°6' W
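A small check that follows from Paul's reply, added here as an example and not taken from the thread or from the SSSD project: given the [domain/...] section of an sssd.conf, report the timeout that actually governs cached group entries on the client. The fallback order it applies (entry_cache_group_timeout, else entry_cache_timeout, else the 5400-second default named above) is the one documented in the sssd.conf man page; the sample configuration text, the domain name "example" and the function names are constructed for this example.

```shell
# Added example, not part of the original thread. Computes the effective
# cache timeout for group entries from a domain section of sssd.conf.
# The configuration below is constructed sample text, not a real client's file.
SAMPLE_SSSD_CONF='[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
enumerate = false
entry_cache_timeout = 600
'

# conf_value KEY DOMAIN CONF_TEXT
# Prints the value of KEY inside [domain/DOMAIN], or nothing if it is unset.
# Accepts "key = value" and "key=value"; stops at the next section header.
conf_value() {
    key=$1; domain=$2; conf=$3
    printf '%s\n' "$conf" | awk -v sec="[domain/$domain]" -v key="$key" '
        /^\[/ { insec = ($0 == sec); next }
        insec {
            n = index($0, "=")
            if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }'
}

# effective_group_timeout DOMAIN CONF_TEXT
# Seconds after which SSSD treats a cached group entry as stale and refreshes
# it from LDAP: entry_cache_group_timeout, falling back to entry_cache_timeout,
# falling back to the compiled-in default of 5400 (90 minutes).
effective_group_timeout() {
    domain=$1; conf=$2
    v=$(conf_value entry_cache_group_timeout "$domain" "$conf")
    [ -n "$v" ] || v=$(conf_value entry_cache_timeout "$domain" "$conf")
    [ -n "$v" ] || v=5400
    printf '%s\n' "$v"
}

# Stand-alone run: prints 600 for the sample domain and 5400 for one with no
# timeout settings at all.
effective_group_timeout example "$SAMPLE_SSSD_CONF"
effective_group_timeout other "$SAMPLE_SSSD_CONF"
```

To run it against a real client, replace the sample text with the contents of /etc/sssd/sssd.conf (readable by root only) and the domain name with the one listed under "domains". Separately from the timeouts, SSSD ships the sss_cache tool (not mentioned in the thread), which marks cached entries as expired (for example a single group with sss_cache -g GROUPNAME) so the next lookup goes back to LDAP without restarting the daemon or deleting files under /var/lib/sss/db/.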