If you’re using AD, the CN=access_server,OU=users,dc=glop,dc=com is likely the 
correct name of the group access_server.  Note the OU=Users.

From: Personne <cpdiv...@gmail.com>
Sent: Sunday, May 24, 2020 8:14 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] sssd ad_access_filter with nested groups


Hello,

I've been using sssd for quite a while now without issue, but today I'm having this problem.

My IDP is Active Directory. I have a "user1" who is a member of "group1", and that "group1" is a member of multiple groups, one of them called "access_server1".

I'm trying to apply ad_access_filter with a nested group, and therefore need to recurse the groups.

I have tried:

ad_access_filter = memberOf=cn=access_server1,cn=Users,dc=glop,dc=com
but it does not work because of this 
https://confluence.atlassian.com/crowdkb/active-directory-user-filter-does-not-search-nested-groups-715130424.html

Then I tried to apply what is in this article and my LDAP filter is:

ad_access_filter = (memberOf:1.2.840.113556.1.4.1941:=cn=access_server1,cn=Users,dc=glop,dc=com)
But it still does not work

I got this beautiful error message in the sssd log file

(Tue May 19 00:07:55 2020) [sssd[be[glop.com]]] [parse_filter] (0x0020): Keyword in filter [(memberOf:1.2.840.113556.1.4.1941:=CN=access_server1,CN=Users,DC=glop,DC=com)] did not match expected format
(Tue May 19 00:07:55 2020) [sssd[be[glop.com]]] [ad_parse_access_filter] (0x0080): Access filter [(memberOf:1.2.840.113556.1.4.1941:=CN=access_server1,CN=Users,DC=glop,DC=com)] could not be parsed, skipping
(Tue May 19 00:07:55 2020) [sssd[be[glop.com]]] [sdap_access_send] (0x0400): Performing access check for user [us...@glop.com]

Thanks for your help
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
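The difference between the two filters tried in the post, as an added example that is not from the thread or from sssd: a constructed in-memory directory mirroring user1 -> group1 -> access_server1 (the DNs are assumed), a plain memberOf check beside the transitive check that the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941) performs, and RFC 4515 escaping of the group DN when building the filter string.

```python
# Added example, not code from the thread or from sssd. The directory below is
# constructed for illustration; DNs are assumed and follow the post's glop.com domain.
from typing import Dict, Set

# Constructed in-memory directory: entry DN -> set of DNs in its memberOf attribute.
DIRECTORY: Dict[str, Set[str]] = {
    "CN=user1,CN=Users,DC=glop,DC=com": {"CN=group1,CN=Users,DC=glop,DC=com"},
    "CN=group1,CN=Users,DC=glop,DC=com": {
        "CN=access_server1,CN=Users,DC=glop,DC=com",
        "CN=other,CN=Users,DC=glop,DC=com",
    },
    "CN=access_server1,CN=Users,DC=glop,DC=com": set(),
    # AD allows nesting cycles; 'other' is a member of group1 and vice versa.
    "CN=other,CN=Users,DC=glop,DC=com": {"CN=group1,CN=Users,DC=glop,DC=com"},
}


def direct_member_of(user_dn: str, group_dn: str) -> bool:
    """Plain (memberOf=<group>) semantics: only direct membership counts."""
    return group_dn in DIRECTORY.get(user_dn, set())


def transitive_member_of(user_dn: str, group_dn: str) -> bool:
    """(memberOf:1.2.840.113556.1.4.1941:=<group>) semantics: follow the chain
    of memberOf links. The visited set terminates on nesting cycles."""
    seen: Set[str] = set()
    stack = [user_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        parents = DIRECTORY.get(dn, set())
        if group_dn in parents:
            return True
        stack.extend(parents)
    return False


def rfc4515_escape(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def chain_filter(group_dn: str) -> str:
    """Build the extensible-match filter from the post, with the DN escaped."""
    return "(memberOf:1.2.840.113556.1.4.1941:=%s)" % rfc4515_escape(group_dn)
```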
