Users do not retain LDAP group memberships due to POSIX LDAP or incorrect membership attribute
Users can authenticate, but do not have their LDAP group memberships.
This can be caused either by a misconfigured membership attribute or by the directory using a POSIX schema.
- The most likely cause is an incorrect membership attribute in the LDAP directory itself. To confirm, view a user's or group's record. If the group's membership attribute (for example memberUid) holds plain usernames rather than fully qualified DNs, see Resolution 1.
- This problem can also be caused by an incorrect membership attribute in the directory configuration, i.e. the membership attribute is configured as 'username' while in the LDAP directory itself the membership attribute holds the DN. See Resolution 2.
- If the membership settings are correct, this issue may be because you are using a POSIX LDAP repository. See Resolution 3.
Resolution 1 - Membership ID in LDAP
Confirm the attribute used in the LDAP directory to link users to groups, and check its values. If the values are not full DNs, change them so that they are (unless the directory is intentionally POSIX, in which case see Resolution 3).
Resolution 2 - Membership attribute in directory configuration
Check Connecting to an LDAP Directory, paying specific attention to the membership settings. Ensure that the membership attribute selected holds full DNs, and that the same attribute is the one actually used in the LDAP directory itself.
Resolution 3 - POSIX directory
Confirm that you are using a POSIX directory schema. Edit the directory configuration, and set the type of LDAP connection to POSIX from the drop-down list of LDAP connection types, then resync.
See Configuring an LDAP Directory Connector for more information on POSIX, and directory types.
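The three checks above all come down to one question: which attribute links users to groups in the directory, and are its values full DNs or bare usernames? The script below is an added example, not part of this article or the product, that answers that question from ldapsearch output. It reads LDIF on standard input, finds the member, uniqueMember and memberUid attributes of each group entry, classifies their values, and prints which of the three resolutions applies. The LDIF it runs on is a constructed sample with three groups (DN-based, POSIX, and a mismatched one); the group and host names in it and in the ldapsearch comment are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample LDIF, in the form 'ldapsearch -LLL' prints it.
# In a live directory you would obtain it with something like (assumed names):
#   ldapsearch -LLL -x -H ldap://ldap.example.com -D 'cn=admin,dc=example,dc=com' -W \
#     -b 'ou=groups,dc=example,dc=com' '(objectClass=*)' member uniqueMember memberUid
SAMPLE_LDIF='dn: cn=jira-users,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: jira-users
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com

dn: cn=developers,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: developers
gidNumber: 5000
memberUid: alice
memberUid: carol

dn: cn=broken,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: broken
member: alice
'

# classify_membership: read LDIF on stdin and print one line per
# (group, attribute, value kind) in the form
#   <group dn>|<attribute>|<DN or uid>|<which resolution applies>
classify_membership() {
  awk '
    # Each LDIF entry starts with its dn; remember it for the lines that follow.
    /^dn: / { dn = substr($0, 5); next }
    # The three attributes commonly used to link users to groups.
    /^(member|uniqueMember|memberUid): / {
      attr = $1; sub(/:$/, "", attr)
      val = $0; sub(/^[^:]*: */, "", val)
      # A DN always contains attribute=value pairs; a bare uid never does.
      kind = (val ~ /=/) ? "DN" : "uid"
      if (attr == "memberUid")
        advice = (kind == "uid") \
          ? "POSIX schema: set the connection type to POSIX (Resolution 3)" \
          : "UNEXPECTED: memberUid should hold usernames, not DNs"
      else if (kind == "DN")
        advice = "DN-based: select " attr " as the membership attribute (Resolution 2)"
      else
        advice = "MISMATCH: " attr " holds usernames, not DNs (Resolution 1)"
      key = dn "|" attr "|" kind "|" advice
      # Report each group/attribute/kind combination once, in order of appearance.
      if (!(key in seen)) { seen[key] = 1; order[++n] = key }
    }
    END { for (i = 1; i <= n; i++) print order[i] }
  '
}

# Run the check over the constructed sample.
printf '%s' "$SAMPLE_LDIF" | classify_membership
```

A group that reports both a DN and a uid line for the same attribute has mixed values and will only be partially resolved, whichever membership attribute you configure; clean that up in the directory before re-syncing.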