On the 2019-11-25 at 11:41 Oscar Torrente wrote:
Ok. So what you suggest is applying an ACI to all needed attributes for all users/groups nodes in the LDAP directory to give this special account the read permission over them, isn't it? I should obfuscate its password in the sssd.conf file, though, but it makes sense. Thanks a lot!!
I'm in the same boat. Though, I was able to help myself by setting up a special "no permissions" user that has only read access to all the hidden LDAP users. With the help of this special account and this patch ( https://www.mail-archive.com/sssd-users@lists.fedorahosted.org/msg06876.html ), I was able to use the existing ldap_default_bind_dn and ldap_default_authtok properties to do the user discovery... and with this everything just worked.
Regards, Christian
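A check for the bind-account setup discussed in this thread, added here as an example and not taken from the thread, the linked patch or SSSD itself: it parses sssd.conf text and reports, per domain, how the `ldap_default_bind_dn` credential is stored. The function name, the sample config, the DNs and the token values are constructed placeholders.

```python
import configparser

# Constructed sample; domain names, URIs, DNs and tokens are placeholders.
SAMPLE_SSSD_CONF = """
[sssd]
domains = example_plain, example_obf

[domain/example_plain]
id_provider = ldap
ldap_uri = ldaps://ldap.example.test
ldap_default_bind_dn = uid=sssd-reader,ou=service,dc=example,dc=test
ldap_default_authtok = PLACEHOLDER-PLAINTEXT

[domain/example_obf]
id_provider = ldap
ldap_uri = ldap://ldap.example.test
ldap_default_bind_dn = uid=sssd-reader,ou=service,dc=example,dc=test
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = PLACEHOLDER-OBFUSCATED-BLOB
"""

def audit_bind_account(conf_text):
    """Return {domain_section: [findings]} for bind-account settings."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = cp[section]
        findings = []
        if "ldap_default_bind_dn" not in opts:
            findings.append("no bind DN: lookups are anonymous")
        elif "ldap_default_authtok" not in opts:
            findings.append("bind DN set without ldap_default_authtok")
        # sssd-ldap(5): the token type defaults to "password" (clear text).
        elif opts.get("ldap_default_authtok_type", "password") == "password":
            findings.append("bind password stored in clear text")
        uris = opts.get("ldap_uri", "").split(",")
        if any(u.strip().startswith("ldap://") for u in uris):
            findings.append("ldap:// URI: check that StartTLS protects the bind")
        report[section] = findings
    return report

if __name__ == "__main__":
    print(audit_bind_account(SAMPLE_SSSD_CONF))
```

The sss_obfuscate man page states that obfuscation provides no real security benefit, so the read-only ACI on the bind account remains the control that limits what a recovered password can do.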