While I have seen similar posts on the list while digging through the
archive, I cannot find this question specifically answered. We are coming
from OpenLDAP and migrating to FreeIPA on CentOS 7.5. We are using indirect
memberships to make this migration easier, as we are moving from an
organically grown OpenLDAP to a very structured FreeIPA implementation.
What seems to be happening is that indirect memberships don't show using
the standard Linux tools. Using either "id" or "groups" doesn't show any
indirect memberships, yet the permissions seem to still work properly. This
is causing some confusion with our team.

Group B is a member of Group A, and the user is also a direct member of
groups C and D. When using "id" for a given user, it returns B, C, D and
not A. However, I can create a file owned by user root and group A with 550
permissions, and the user can view the contents of the file. "ipa user-show"
shows the proper memberships, with A being an indirect membership.

Is this the expected behavior when using indirect memberships? If so, does
one abandon the standard CLI tool and use only ipa commands? I am fully
aware this could be a configuration issue but I have yet to find the
correct configuration to expose indirect membership to the standard Linux
tools.

-- 

Regards,

Mark L. Potter
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
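The nesting described in the post, as an added Python example that is not part of the original message or of FreeIPA/SSSD: it expands nested group membership transitively from a constructed member map (hypothetical names mpotter and groups A to D, mirroring "B is a member of A, user directly in B, C, D") and separates direct from indirect groups, which is the distinction the poster sees between the direct-only list and the "indirect membership" line of "ipa user-show". A second function mimics a 0550 group-read check against the effective (direct plus indirect) set, which is why the file is readable even though A never appears in the direct list. The traversal keeps a visited set so a membership cycle (A in B, B in A) cannot loop forever.

```python
# Added example, not code from the original post or from FreeIPA/SSSD.
# Constructed data mirroring the post: group B is a member of group A,
# and user "mpotter" (hypothetical name) is a direct member of B, C and D.
from collections import deque

# group -> set of groups that are direct members of it
# (what the LDAP 'member:' attribute of the group entry would list)
GROUP_MEMBERS = {
    "A": {"B"},
    "B": set(),
    "C": set(),
    "D": set(),
}

# user -> set of groups the user is a direct member of
USER_DIRECT_GROUPS = {
    "mpotter": {"B", "C", "D"},
}


def parent_groups(group_members):
    """Invert the member map: group -> set of groups it is a direct member of."""
    parents = {g: set() for g in group_members}
    for parent, members in group_members.items():
        for child in members:
            parents.setdefault(child, set()).add(parent)
    return parents


def effective_groups(user, user_direct_groups, group_members):
    """Return (direct, indirect) group sets for user.

    Indirect groups are reached by following 'is a member of' edges
    transitively.  The visited set guards against membership cycles.
    """
    direct = set(user_direct_groups.get(user, ()))
    parents = parent_groups(group_members)
    seen = set(direct)
    queue = deque(direct)
    while queue:
        g = queue.popleft()
        for p in parents.get(g, ()):
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return direct, seen - direct


def can_read(user, file_group, file_mode, user_direct_groups, group_members):
    """Mimic the group part of a mode check (e.g. 0550 on root:A).

    Access is decided on the effective group set, not on what a tool that
    prints only direct memberships would show.
    """
    direct, indirect = effective_groups(user, user_direct_groups, group_members)
    group_readable = bool(file_mode & 0o040)
    return group_readable and file_group in (direct | indirect)


if __name__ == "__main__":
    d, i = effective_groups("mpotter", USER_DIRECT_GROUPS, GROUP_MEMBERS)
    print("direct groups  :", sorted(d))
    print("indirect groups:", sorted(i))
    print("read root:A 0550:", can_read("mpotter", "A", 0o550,
                                        USER_DIRECT_GROUPS, GROUP_MEMBERS))
```

To compare against a real host, feed the script's two maps from "ipa group-show" output (the "Member groups" line gives the member map) and "ipa user-show" (the "Member of groups" line gives the direct set); the indirect set it computes should match the "Indirect Member of group" line, and the union is the set a 0550 check is evaluated against.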