You can use a real LDAP store (like 389 Server, aka RHDS) while still using
MS-Kerberos for your authentication. The real LDAP just becomes your
attribute store, while AD continues to provide your KDC.

You'll need to change your mode for the SSSD domain from AD to the
individual options for authentication (krb5) and directory (ldap), including
all of the schema/object differences that have to be manually entered in
the SSSD domain block (as they will differ from 389 or OpenLDAP), etc.
But it'll work, as long as you're using the real LDAP for your tree in the
SSSD domain (and legacy ldap.conf).

You won't get all the AD features, and LDAP won't be GSSAPI integrated with
MS-Kerberos. But you'll get your Kerberos tickets for users, you can still
get keytabs cut from AD, all while your existing attributes will come over
with the same UID, GID, etc.



-- 
Sent from my Moto G7 Power, apologies for any brevity as well as the
satanic verses of autocorrect
Bryan J Smith - http://linkedin.com/in/bjsmith


On Tue, Aug 4, 2020, 01:16 Sumit Bose <[email protected]> wrote:

> On Mon, Jul 13, 2020 at 11:19:42AM -0000, Vjay  wrote:
> > Hi Friends,
> >
> > As a security requirement, we have to migrate LDAP servers from one
> > Active Directory domain to another Active Directory domain. The old
> > Active Directory LDAP servers provide unix attributes for Linux servers
> > (CentOS 7), while the new Active Directory LDAP servers don't, so we have
> > to migrate unix attribute management to SSSD, which will change the
> > userid and groupid of all users.
> > Does SSSD provide a feature to keep / store the userid and groupid of
> > users from the old domain, so we don't have to change file ownership on
> > the Linux server side for the files owned by Active Directory users?
>
> Hi,
>
> While SSSD allows you to define local overrides (see man sss_override for
> details), I would not recommend using it in your case.
>
> AFAIK you can just migrate the unix attributes to the new AD DC. Although
> the unix attributes cannot be managed anymore in the 'Unix Attributes'
> tab of AD's 'Users and Computers' utility, the underlying LDAP schema
> still supports those attributes. You can still edit the attributes with
> the 'Attribute Editor' tab, which is available if you switch on
> 'Advanced Features' in the 'View' menu.
>
> HTH
>
> bye,
> Sumit
>
> >
> > Regards,
> > Vjay
> > _______________________________________________
> > sssd-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct:
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> > https://lists.fedorahosted.org/archives/list/[email protected]
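As an added illustration of the split-provider setup Bryan describes (this is not configuration from the original thread or from the SSSD project): a hypothetical sssd.conf domain block that takes identities (UID, GID, home, shell, groups) from a 389 DS tree and authentication from an AD KDC, with the attribute map spelled out explicitly rather than relying on the AD provider's defaults. All host names, the base DN, realm, bind DN, group name and file paths are placeholders.

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = corp.example

[domain/corp.example]
# Identity from the stand-alone LDAP tree, authentication from the AD KDC.
# Every server name, DN and realm below is a placeholder.
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

# --- directory side (389 DS / RHDS) ---
ldap_uri = ldaps://ds1.corp.example
ldap_search_base = dc=corp,dc=example
ldap_tls_cacert = /etc/pki/tls/certs/corp-ca.pem
ldap_tls_reqcert = demand
# There is no GSSAPI bind against the 389 tree in this layout (the AD realm
# is not the LDAP server's realm), so use a dedicated read-only bind
# account over TLS. Generate the obfuscated value with sss_obfuscate and
# keep sssd.conf root-owned with mode 0600.
ldap_default_bind_dn = cn=sssd-reader,ou=services,dc=corp,dc=example
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = OBFUSCATED_PASSWORD_PLACEHOLDER
ldap_schema = rfc2307bis
# Explicit attribute map. These are standard posixAccount/posixGroup names;
# change them if the migrated entries carry something else.
ldap_user_object_class = posixAccount
ldap_user_name = uid
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = homeDirectory
ldap_user_shell = loginShell
ldap_user_gecos = gecos
ldap_group_object_class = posixGroup
ldap_group_name = cn
ldap_group_gid_number = gidNumber
ldap_group_member = member
# Per-user Kerberos principal. If the entry has no such attribute, SSSD
# builds uid@krb5_realm, so the 389 uid must equal the AD account name.
ldap_user_principal = krbPrincipalName

# --- authentication side (AD KDC) ---
krb5_realm = AD.CORP.EXAMPLE
krb5_server = dc1.ad.corp.example, dc2.ad.corp.example
krb5_kpasswd = dc1.ad.corp.example
# Host keytab cut from AD. With krb5_validate the obtained TGT is checked
# against the host key, so a forged KDC answer cannot grant a login.
krb5_keytab = /etc/krb5.keytab
krb5_validate = True
krb5_store_password_if_offline = True
cache_credentials = True

# Login authorisation is decided by the LDAP tree, not by the AD domain.
ldap_access_order = filter, expire
ldap_access_filter = (memberOf=cn=linux-login,ou=groups,dc=corp,dc=example)
ldap_account_expire_policy = rhds
```

The two points worth checking before relying on this: the uid values in the 389 tree must line up with the AD logon names (or the krbPrincipalName attribute must be populated), otherwise identity lookups succeed but every password check goes to a non-existent principal; and krb5_validate only helps if the keytab actually holds the host's AD key, so verify it with klist -k before turning the option on.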