Hello!
See comments inline.
On 05/19/2017 04:48 PM, Abhijit Tikekar wrote:
> All,
>
> We use access_provider=ad along with ad_access_filter to control
> authentication based on specific group memberships. But we also have
> configured several low level ldap control as shown below:
>
> #ldap_id_mapping = true
ldap_id_mapping is True by default for AD provider, so this can be
removed.
>
> #ldap_use_tokengroups = False
ldap_use_tokengroups is True by default, so if you wish to have it
false, you need to keep it in sssd.conf.
>
> #ldap_sasl_mech = GSSAPI
GSSAPI is default for AD provider so it can be removed from sssd.conf.
>
> #ldap_uri =
If ldap uri is not specified then service discovery will be used.
>
> #ldap_sudo_search_base = ou
>
> #ldap_user_search_base = dc
>
> #ldap_user_object_class = user
'user' is default so it can be removed.
>
> #ldap_group_search_base = ou=
SSSD can set default search bases automatically, for example if your
domain name is ad.test, then SSSD sets the search base to
ou=Users,dc=ad,dc=test with scope 'subtree'. Similar for other
object types like groups. This works for most cases, but if you need
something else, you need to keep the option in sssd.conf.
>
> #ldap_group_object_class = group
'group' is the default, so it can be removed.
>
> #ldap_user_home_directory = unixHomeDirectory
'unixHomeDirectory' is default so it can be removed.
>
> #ldap_user_principal = userPrincipalName
'userPrincipalName' is default, so it can be removed.
>
> #ldap_access_order = filter, expire
Here the default is just 'filter', so you need to keep this one in
sssd.conf.
>
> #ldap_account_expire_policy = ad
This is default for AD provider, so you can remove it.
>
> # ldap_schema = ad
This is also default schema for AD provider so you can safely
remove it.
>
> I've seen several posts where it is suggested that when using
> "access_provider=ad", these ldap configurations are no longer needed. I
> just want to get some clarification on this forum regarding how safe it
> is to remove all the items listed above and do we run a risk of any
> potential issues later?
>
> Here is a complete SSSD conf.
>
> [sssd]
>
> domains =
>
> services = nss, pam, sudo
>
> config_file_version = 2
>
> debug_level = 0
>
> [nss]
>
> [pam]
>
> [sudo]
>
> debug_level=0
>
> [domain/]
>
> debug_level=0
>
> ad_server = xxxxx
>
> id_provider = ad
>
> auth_provider = ad
>
> access_provider = ad
>
> sudo_provider = ad
>
> krb5_realm =
>
> *#ldap_id_mapping = true*
>
> *#ldap_use_tokengroups = False*
>
> *#ldap_sasl_mech = GSSAPI*
>
> *#ldap_uri = ldap://xxxxxx*
>
> *#ldap_sudo_search_base =*
>
> *#ldap_user_search_base = *
>
> *#ldap_user_object_class = *
>
> *#ldap_group_search_base =*
>
> *#ldap_group_object_class = *
>
> *#ldap_user_home_directory = *
>
> *#ldap_user_principal = *
>
> *#ldap_access_order = filter, expire*
>
> *#ldap_account_expire_policy = ad*
>
> *#ldap_schema = ad*
>
> ad_access_filter =
>
> cache_credentials = true
>
> override_homedir = /home/%d/%u
>
> default_shell = /bin/bash
>
> Thanks in advance for any inputs.
>
> ~ Abhi
>
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
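The reply above lists, option by option, which settings are already the AD-provider defaults and which ones (ldap_use_tokengroups = False, ldap_access_order = filter, expire, custom search bases) change behaviour and must stay. The following script is an added example, not part of this thread or of SSSD itself: it parses an sssd.conf, compares each ldap_* option in an id_provider = ad domain against the defaults the reply states, and reports what is redundant versus what must be kept. The defaults table is transcribed from the reply (assumption: it matches your SSSD version; sssd-ad(5) is the authority), and the sample configuration and domain names are constructed.

```python
"""Audit [domain/...] sections of sssd.conf against the AD-provider defaults
stated in the mailing-list reply.  Added example; the defaults table is
transcribed from the reply and the sample config below is constructed."""
import configparser
from typing import Dict, List, Tuple

# Defaults for id_provider = ad as stated in the reply (assumption: accurate
# for the SSSD version in question; check sssd-ad(5) for yours).
AD_DEFAULTS: Dict[str, str] = {
    "ldap_id_mapping": "true",
    "ldap_use_tokengroups": "true",
    "ldap_sasl_mech": "GSSAPI",
    "ldap_user_object_class": "user",
    "ldap_group_object_class": "group",
    "ldap_user_home_directory": "unixHomeDirectory",
    "ldap_user_principal": "userPrincipalName",
    "ldap_access_order": "filter",
    "ldap_account_expire_policy": "ad",
    "ldap_schema": "ad",
}

# Options whose default SSSD derives from the domain itself (search bases,
# ldap_uri via service discovery).  They are site-specific, so the audit only
# reports them instead of judging them.
SITE_SPECIFIC = {
    "ldap_uri",
    "ldap_user_search_base",
    "ldap_group_search_base",
    "ldap_sudo_search_base",
}

Report = Dict[str, List[Tuple[str, str]]]


def _normalise(value: str) -> str:
    """Compare values case-insensitively and ignore spaces around commas."""
    return ",".join(part.strip() for part in value.split(",")).lower()


def audit_domain(section: configparser.SectionProxy) -> Report:
    """Classify the ldap_* options of one domain section.

    'redundant' options equal the stated AD default and can be dropped;
    'keep' options differ from the default, so removing them silently
    changes access or lookup behaviour; 'site_specific' are reported only.
    """
    report: Report = {"redundant": [], "keep": [], "site_specific": []}
    if section.get("id_provider", "").strip().lower() != "ad":
        return report  # the defaults table only applies to the AD provider
    for key, value in section.items():
        if key in AD_DEFAULTS:
            if _normalise(value) == _normalise(AD_DEFAULTS[key]):
                report["redundant"].append((key, value))
            else:
                report["keep"].append((key, value))
        elif key in SITE_SPECIFIC:
            report["site_specific"].append((key, value))
    return report


def audit_config(text: str) -> Dict[str, Report]:
    """Parse sssd.conf text and audit every [domain/...] section."""
    # sssd.conf uses '=' only; splitting on ':' would break DN values.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep option names exactly as written
    parser.read_string(text)
    return {
        name: audit_domain(parser[name])
        for name in parser.sections()
        if name.startswith("domain/")
    }


# Constructed sample: the thread's commented-out options, activated.
SAMPLE_CONF = """\
[sssd]
domains = example.test
services = nss, pam, sudo
config_file_version = 2

[domain/example.test]
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = true
ldap_use_tokengroups = False
ldap_sasl_mech = GSSAPI
ldap_user_object_class = user
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_schema = ad
ldap_group_search_base = ou=Groups,dc=example,dc=test
ad_access_filter = (memberOf=cn=linux-users,ou=Groups,dc=example,dc=test)
"""

if __name__ == "__main__":
    for domain, result in audit_config(SAMPLE_CONF).items():
        print(f"[{domain}]")
        for category, entries in result.items():
            for key, value in entries:
                print(f"  {category:14} {key} = {value}")
```

Run it against a real file with `audit_config(open("/etc/sssd/sssd.conf").read())`; anything under "keep" is an option whose removal would change who passes the access check or how identities are resolved, which is exactly the risk the question asks about.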