On Tue, Jun 24, 2014 at 03:28:05PM +0200, Sven Geggus wrote:
> Hello,
>
> with nslcd I do the following to simulate user private groups without
> actually creating them in the directory server:
>
> ...
> filter group
> (&(|(objectClass=Group)(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=User)))(msSFU30NisDomain=example))
> ...
>
> I tried porting this to sssd using the following:
>
> ldap_group_search_base =
> DC=example,DC=com?subtree?(&(|(objectClass=Group)(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=User)))(msSFU30NisDomain=example))

Looks like the correct syntax to me. However, note that SSSD works differently than nss-pam-ldapd -- we save the entry attributes to the cache first and while saving the entry, we perform a number of checks. My guess is that SSSD expects the group entries to have objectclass=group. Domain logs would show more.
