On Thu, Jun 05, 2014 at 04:36:10PM +0100, Max Lock wrote:
>
> Hi All,
>
> I'm querying an AD server using LDAP lookups only. I can authenticate
> a user just fine but the groups configured on the AD system aren't
> relevant to what we're doing.
>
> Looking at the sssd-ldap man page, the ldap_group options look
> like they may be used to modify the group lookups to look at user data
> instead.
>
> In each user record we have directReports: and manager: attributes.
> Could these be used so that if Alice reports to Bob she's mapped to
> the Bob group etc?

First I have to say that I agree with Dmitri. It would be better to get
proper groups here which are independent of the user entries. The risk
with your approach is that you introduce a prototype solution here that
later on has to be supported forever.

Nevertheless it might be possible. You have to redefine a couple of
ldap_group_* attributes. E.g. I would suggest to set
ldap_group_object_class to the name of the object class which contains
the directReports attribute. If this attribute just holds user names you
have to set ldap_schema to rfc2307, if it contains DNs then rfc2307bis is
the right choice. If the manager attribute contains DNs then you can set
ldap_user_member_of to it to speed up group membership lookups, but
please do not use it if there are only names.

But even if it works, please make sure you have a good idea how to
migrate this to a proper solution.

bye,
Sumit

>
> -Cheers Max.
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
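
An added example, not part of the original thread and not SSSD project code: a Python check that looks at what the directReports and manager values actually contain and picks the three settings named in the reply accordingly. The function names, the sample entries and the object class name `user` are assumptions made for illustration.

```python
import re

# Loose test for "looks like a DN": the value starts with an attribute type
# followed by '=' (e.g. "CN=Bob,..."). Plain account names have no such prefix.
DN_PREFIX = re.compile(r"\s*[A-Za-z][A-Za-z0-9-]*\s*=")

def value_kind(values):
    """Classify attribute values as 'dn', 'name', 'mixed' or 'empty'."""
    kinds = {"dn" if DN_PREFIX.match(v) else "name" for v in values}
    if not kinds:
        return "empty"
    return kinds.pop() if len(kinds) == 1 else "mixed"

def collect(entries, attr):
    """Gather every value of one attribute across all user entries."""
    return [v for e in entries for v in e.get(attr, [])]

def suggest_settings(entries, object_class):
    """Choose sssd-ldap options from what the attributes really hold."""
    reports_kind = value_kind(collect(entries, "directReports"))
    if reports_kind not in ("dn", "name"):
        # Mixed or absent values: neither schema would resolve members reliably.
        raise ValueError(f"directReports values are {reports_kind}; "
                         "no single ldap_schema fits")
    settings = {
        "ldap_group_object_class": object_class,
        "ldap_schema": "rfc2307bis" if reports_kind == "dn" else "rfc2307",
    }
    # Only point ldap_user_member_of at manager when every value is a DN.
    if value_kind(collect(entries, "manager")) == "dn":
        settings["ldap_user_member_of"] = "manager"
    return settings

def render(settings):
    """Format the settings as sssd.conf domain-section lines."""
    return "\n".join(f"{k} = {v}" for k, v in settings.items())

# Constructed sample entries (hypothetical users, not from the thread).
DN_ENTRIES = [
    {"directReports": ["CN=Alice,OU=Staff,DC=example,DC=com"]},  # Bob
    {"manager": ["CN=Bob,OU=Staff,DC=example,DC=com"]},          # Alice
]
NAME_ENTRIES = [{"directReports": ["alice"]}, {"manager": ["bob"]}]

if __name__ == "__main__":
    print(render(suggest_settings(DN_ENTRIES, "user")))
```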
