LDAP groups sync is failing with "entry would search outside of the base dn specified"


Issue

  • Group sync fails to synchronize user members that fall outside the usersQuery base DN given in the sync config, even though the user DN ends with that base DN (in the log line below, the two only differ in the letter case of the DC components). The error looks like this, for instance:
I0704 15:38:22.006947   27224 ldapinterface.go:99] membership lookup for user "cn=ipausers,cn=groups,cn=accounts,dc=demo1,dc=freeipa,dc=org" in group "uid=tlastnae,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org" skipped because of "search for entry with dn=\"uid=tlastnae,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org\" would search outside of the base dn specified (dn=\"cn=users,cn=accounts,DC=DEMO1,DC=FREEIPA,DC=ORG\")"

NOTE: depending on the schema selected in the sync config file, the same error can also occur for the groupsQuery baseDN.
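As an added illustration (not code from OpenShift or from this article), the following compares the two DNs quoted in the log line above under a byte-wise suffix test and under an RDN-wise test that normalises case (attribute types are case-insensitive per RFC 4512, and cn, dc and uid values use case-ignore matching rules in the standard schema). It shows that the user DN is in scope of the usersQuery base DN once case is ignored, and that a group DN under cn=groups stays out of scope either way.

```python
from __future__ import annotations

import re


def split_rdns(dn: str) -> list[str]:
    """Split a DN into its RDNs on commas that are not escaped with a backslash."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]


def normalize_rdn(rdn: str) -> tuple[str, str]:
    """Lower-case the attribute type (always case-insensitive) and the value.

    Lower-casing the value is correct for cn, dc and uid, whose standard
    matching rules ignore case; attributes with case-exact rules would need
    their own handling (not needed for the DNs in this article).
    """
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip().lower()


def naive_in_scope(entry_dn: str, base_dn: str) -> bool:
    """Byte-wise suffix test: rejects DNs that differ from the base only in case."""
    return entry_dn == base_dn or entry_dn.endswith("," + base_dn)


def dn_in_scope(entry_dn: str, base_dn: str) -> bool:
    """RDN-wise test: in scope if the entry's normalised RDN list ends with the base's."""
    entry = [normalize_rdn(r) for r in split_rdns(entry_dn)]
    base = [normalize_rdn(r) for r in split_rdns(base_dn)]
    if not base or len(base) > len(entry):
        return False
    return entry[len(entry) - len(base):] == base


# DNs taken from the log line quoted in the article.
USER_DN = "uid=tlastnae,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org"
USERS_BASE_DN = "cn=users,cn=accounts,DC=DEMO1,DC=FREEIPA,DC=ORG"
GROUP_DN = "cn=ipausers,cn=groups,cn=accounts,dc=demo1,dc=freeipa,dc=org"

if __name__ == "__main__":
    for label, check in (("byte-wise", naive_in_scope), ("normalised", dn_in_scope)):
        print(f"{label:10s} user under usersQuery base: {check(USER_DN, USERS_BASE_DN)}")
    # The group entry lives under cn=groups, so it is outside the usersQuery base regardless.
    print("normalised group under usersQuery base:", dn_in_scope(GROUP_DN, USERS_BASE_DN))
```

Running the same check against your own usersQuery/groupsQuery baseDN values and a DN from the log message is a quick way to confirm whether the mismatch is only one of case.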

Environment

  • Red Hat OpenShift Container Platform 4.x
