All,
 
We use access_provider=ad along with ad_access_filter to control authentication 
based on specific group memberships. But we also have configured several low-
level ldap controls as shown below:
 
#ldap_id_mapping = true
#ldap_use_tokengroups = False
#ldap_sasl_mech = GSSAPI
#ldap_uri = 
#ldap_sudo_search_base = ou
#ldap_user_search_base = dc
#ldap_user_object_class = user
#ldap_group_search_base = ou=
#ldap_group_object_class = group
#ldap_user_home_directory = unixHomeDirectory
#ldap_user_principal = userPrincipalName
#ldap_access_order = filter, expire
#ldap_account_expire_policy = ad
# ldap_schema = ad
 
I've seen several posts where it is suggested that when using 
"access_provider=ad", these ldap configurations are no longer needed. I just 
want to get some clarification on this forum regarding how safe it is to remove 
all the items listed above, and whether we run the risk of any potential issues later.
 
Here is a complete SSSD conf.
 
[sssd]
domains = 
services = nss, pam, sudo
config_file_version = 2
debug_level = 0
[nss]
[pam]
[sudo]
debug_level=0
[domain/]
debug_level=0
ad_server = xxxxx
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
krb5_realm = 
#ldap_id_mapping = true
#ldap_use_tokengroups = False
#ldap_sasl_mech = GSSAPI
#ldap_uri = ldap://xxxxxx
#ldap_sudo_search_base =
#ldap_user_search_base = 
#ldap_user_object_class = 
#ldap_group_search_base =
#ldap_group_object_class = 
#ldap_user_home_directory = 
#ldap_user_principal = 
#ldap_access_order = filter, expire
#ldap_account_expire_policy = ad
#ldap_schema = ad
ad_access_filter = 
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash
 
Thanks in advance for any input.
 
 
~ Abhi
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
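An added example, not code from the original post or from SSSD: a small Python audit that parses an sssd.conf like the one above, separates commented `#ldap_*` lines (which SSSD never reads, so deleting them changes nothing) from live ones, and flags live ldap_* keys that only restate what the AD provider already sets. The defaults table is taken from what sssd-ad(5) documents for the AD provider and should be checked against the installed version's man page; the sample config is constructed and only mirrors the posted one.

```python
"""Audit an sssd.conf domain: which ldap_* options are live (uncommented) and
which of those merely restate what the AD provider sets by default."""
import re
# Defaults sssd-ad(5) documents for the AD provider; verify for your SSSD version.
AD_PROVIDER_DEFAULTS = {
    "ldap_id_mapping": "true",
    "ldap_use_tokengroups": "true",
    "ldap_sasl_mech": "GSSAPI",
    "ldap_schema": "ad",
    "ldap_user_object_class": "user",
    "ldap_group_object_class": "group",
    "ldap_user_home_directory": "unixHomeDirectory",
    "ldap_user_principal": "userPrincipalName",
    "ldap_account_expire_policy": "ad",
}
SECTION_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
OPTION_RE = re.compile(r"^\s*(?P<comment>#\s*)?(?P<key>\w+)\s*=\s*(?P<val>.*?)\s*$")
def parse_sssd_conf(text):
    """Return {section: {"active": {k: v}, "commented": {k: v}}}; unlike
    configparser it keeps '#key = value' lines so inert options stay visible."""
    sections, current = {}, None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            current = sections.setdefault(m.group(1), {"active": {}, "commented": {}})
        elif (m := OPTION_RE.match(line)) and current is not None:
            bucket = "commented" if m.group("comment") else "active"
            current[bucket][m.group("key")] = m.group("val")
    return sections
def audit_domain(section):
    """Split live ldap_* keys into 'redundant' (equal to the AD default, compared
    case-insensitively) and 'override' (changes behaviour, so keep it deliberately)."""
    report = {"redundant": [], "override": []}
    if section["active"].get("id_provider") != "ad":
        return report  # the defaults table only applies to id_provider = ad
    for key, val in section["active"].items():
        if key.startswith("ldap_"):
            default = AD_PROVIDER_DEFAULTS.get(key)
            kind = "redundant" if default and default.lower() == val.lower() else "override"
            report[kind].append(key)
    return report
# Constructed sample mirroring the posted config: two inert lines, two live ones.
SAMPLE_CONF = """\
[domain/example.test]
id_provider = ad
access_provider = ad
ad_access_filter = (memberOf=cn=linux-admins,ou=groups,dc=example,dc=test)
#ldap_id_mapping = true
#ldap_schema = ad
ldap_use_tokengroups = False
ldap_user_home_directory = unixHomeDirectory
"""
```

Run it against a real /etc/sssd/sssd.conf to see which live ldap_* keys actually change behaviour before removing anything; `ldap_use_tokengroups = False` in the sample is reported as an override precisely because it differs from the AD provider's default.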