Two different Linux servers (CentOS & Ubuntu) on my LAN cannot see certain members of an AD group when performing an LDAP query.
We're setting up a software appliance which can use LDAP for authentication. To limit the number of internal users that can access the appliance, I created a 'filetransfer' group in our AD and added 8 users to it.
I have tried performing the following LDAP query with CentOS 6.5 and Ubuntu 12.04.4:
ldapsearch \
"(memberof=CN=FileTransfer,OU=Security Groups,DC=domain,DC=local)" \
dn -x -W -D 'cn=ldapquery,ou=user accounts,dc=domain,dc=local' -LLL
And here are the results:
dn: CN=Eva ,OU=User Accounts,DC=domain,DC=Local
dn: CN=Simon ,OU=User Accounts,DC=domain,DC=Local
dn: CN=Eric ,OU=User Accounts,DC=domain,DC=Local
dn: CN=Ronald ,OU=User Accounts,DC=domain,DC=Local
# refldap://ForestDnsZones.domain.Local/DC=ForestDnsZones,DC=domain,DC=Local
# refldap://DomainDnsZones.domain.Local/DC=DomainDnsZones,DC=domain,DC=Local
# refldap://domain.Local/CN=Configuration,DC=domain,DC=Local
The AD group contains 8 members, but the LDAP query is only returning 4.
I have deleted and recreated the group; no joy.
I have added new test user accounts to the group and they don't show up even after leaving things over the weekend.
I know that the domain is syncing properly, because as soon as I remove one of the 'visible' users, the LDAP query reflects the change on both Linux servers.
Can anyone explain this weirdness?
Best Answer
Correct. These are direct group members - not nested.
A temporary solution to my problem is to use an administrative account to do the LDAP query.
Somehow certain AD objects were not readable by the generic account I was using (the LDAP query account did not have the 'read group membership' permission) - adding that right to my generic LDAP query account fixed the issue permanently.
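One way to confirm that a memberOf search is being silently truncated by per-object read permissions, rather than by replication lag, is to compare the group's own member attribute with the DNs the memberOf search returns; any DN listed on the group but absent from the search is an object the bind account cannot fully read. The script below is an added example, not part of the question or the answer above; the group and search LDIF are constructed inline (with the four visible users from the question plus two made-up 'Test User' entries) so it runs offline, and the ldapsearch invocations in the comments that would produce the real inputs assume a BIND_DN, BASE and GROUP_DN of your own.

```shell
#!/bin/sh
# Added example: detect group members missing from a memberOf search.
# In practice the two inputs would come from (assumed bind DN / base / group DN):
#   ldapsearch -x -W -D "$BIND_DN" -b "$BASE" -LLL "(cn=FileTransfer)" member
#   ldapsearch -x -W -D "$BIND_DN" -b "$BASE" -LLL "(memberOf=$GROUP_DN)" dn
# Here both are constructed sample LDIF so the script is self-contained.

# Unfold LDIF continuation lines (a leading space continues the previous line)
# and drop comment lines such as the "# refldap://" referrals AD appends.
ldif_unfold() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' | grep -v '^#'
}

# Print the values of one attribute (name matched case-insensitively).
# Base64-encoded values ("attr:: ...") are skipped; this example does not decode them.
ldif_attr_values() {
    attr=$1
    ldif_unfold | awk -v a="$attr" '
        {
            n = length(a)
            if (tolower(substr($0, 1, n + 1)) == tolower(a) ":" && substr($0, n + 2, 1) != ":") {
                v = substr($0, n + 2)
                sub(/^ +/, "", v)
                print v
            }
        }'
}

# Members listed on the group object that the memberOf search did not return.
# DNs are lower-cased before comparing because AD treats them case-insensitively.
missing_members() {
    group_ldif=$1
    search_ldif=$2
    tmp_expected=$(mktemp)
    tmp_returned=$(mktemp)
    printf '%s\n' "$group_ldif"  | ldif_attr_values member | tr '[:upper:]' '[:lower:]' | sort -u > "$tmp_expected"
    printf '%s\n' "$search_ldif" | ldif_attr_values dn     | tr '[:upper:]' '[:lower:]' | sort -u > "$tmp_returned"
    comm -23 "$tmp_expected" "$tmp_returned"   # lines only in the first (sorted) file
    rm -f "$tmp_expected" "$tmp_returned"
}

# Constructed sample: the group object as an administrative account would see it.
# The last member is deliberately folded across two lines as ldapsearch does for long values.
GROUP_LDIF='dn: CN=FileTransfer,OU=Security Groups,DC=domain,DC=local
member: CN=Eva ,OU=User Accounts,DC=domain,DC=Local
member: CN=Simon ,OU=User Accounts,DC=domain,DC=Local
member: CN=Eric ,OU=User Accounts,DC=domain,DC=Local
member: CN=Ronald ,OU=User Accounts,DC=domain,DC=Local
member: CN=Test User One,OU=User Accounts,DC=domain,DC=Local
member: CN=Test User Two,OU=User Accounts,DC=do
 main,DC=Local'

# Constructed sample: what the restricted query account got back from the memberOf search.
SEARCH_LDIF='dn: CN=Eva ,OU=User Accounts,DC=domain,DC=Local
dn: CN=Simon ,OU=User Accounts,DC=domain,DC=Local
dn: CN=Eric ,OU=User Accounts,DC=domain,DC=Local
dn: CN=Ronald ,OU=User Accounts,DC=domain,DC=Local
# refldap://ForestDnsZones.domain.Local/DC=ForestDnsZones,DC=domain,DC=Local
# refldap://DomainDnsZones.domain.Local/DC=DomainDnsZones,DC=domain,DC=Local
# refldap://domain.Local/CN=Configuration,DC=domain,DC=Local'

echo "Group members not returned by the memberOf search (check read permissions on these objects):"
missing_members "$GROUP_LDIF" "$SEARCH_LDIF"
```

If the list is empty for an administrative bind but not for the service account, the difference is an ACL on the listed user objects rather than a replication problem, which is exactly the situation the answer describes.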