Hello all. I have to interface with AD via the ldap backend (I cannot join: it makes large redeploys quite problematic, having to give my own password on every machine). Out of the many domains in the AD forest, I'm only interested in PERSONALE and STUDENTI. I can only manage OUs, groups and machine accounts in PERSONALE. My users come from both domains, but I'm only interested in memberships of groups in PERSONALE (those are 'universal' groups that contain users from both domains).
I currently use this sssd.conf file:
-8<--
[sssd]
config_file_version = 2
services = nss,pam
domains = studenti.domain.it,personale.domain.it
debug_level = 3
override_space = ^

[nss]
fallback_homedir = /home/%d/%u
default_shell = /bin/bash
debug_level = 3

[pam]
debug_level = 3

[domain/personale.domain.it]
override_homedir = /home/PERSONALE/%u
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_group_nesting_level = 5
ldap_uri = ldaps://personale.dir.unibo.it:3269
ldap_user_search_base = DC=personale,DC=domain,DC=it??
ldap_group_search_base = OU=REDACTED,DC=personale,DC=domain,DC=it??
ldap_default_bind_dn = CN=REDACTED,DC=personale,DC=domain,DC=it
ldap_default_authtok_type = password
ldap_default_authtok = REDACTED
ldap_user_object_class = person
ldap_group_object_class = group
ldap_user_fullname = displayName
ldap_schema = ad
ldap_referrals = False
#ldap_referrals = true
ldap_id_mapping = True
enumerate = false
# Caching settings
cache_credentials = true
entry_cache_user_timeout = 28800
entry_cache_group_timeout = 86400
ldap_id_use_start_tls = false
debug_level = 3
ldap_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=REDACTED,DC=personale,DC=domain,DC=it)
case_sensitive = Preserving

[domain/studenti.domain.it]
override_homedir = /home/STUDENTI/%u
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_group_nesting_level = 5
# **MUST** use GlobalCatalog port or can't access a group in PERSONALE
ldap_uri = ldaps://studenti.domain.it:3269
ldap_user_search_base = DC=studenti,DC=domain,DC=it
# *NOPE*: see notes
#ldap_group_search_base = OU=REDACTED,DC=personale,DC=domain,DC=it??
ldap_default_bind_dn = CN=REDACTED,DC=personale,DC=domain,DC=it
ldap_default_authtok_type = password
ldap_default_authtok = REDACTED
ldap_user_object_class = person
ldap_group_object_class = group
ldap_user_fullname = displayName
ldap_schema = ad
ldap_referrals = true
ldap_id_mapping = True
enumerate = false
cache_credentials = true
ldap_id_use_start_tls = false
debug_level = 3
ldap_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=REDACTED,DC=domain,DC=it)
case_sensitive = Preserving
-8<--

Notes:
* The order of "domains" is important: if I first look up in PERSONALE, students are also assigned to PERSONALE.
* If I don't include the STUDENTI domain in ldap_user_search_base for PERSONALE, "getent group" won't return group members from STUDENTI.
* If I specify "ldap_group_search_base" for STUDENTI, "getent group grpname" only returns group members that are in STUDENTI.

But while 'getent group grpname' returns all users (from both domains), 'id username' only returns groups from the username's domain. Is there a way to make sssd only consider groups in PERSONALE also for users in STUDENTI, and return consistent results for both id and getent? Tks.
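The mismatch described in this post (a member shown by `getent group grpname` whose own `id -Gn` output lacks the group) can be enumerated mechanically. The following diagnostic is an added example and is not part of the original mail or of sssd; the group name "grpname" and the sample `getent`/`id` outputs are constructed placeholders.

```python
"""Added diagnostic: does `id -Gn user` agree with `getent group grp`?

In the post, getent lists members from both AD domains while id omits the
PERSONALE group for STUDENTI users; this reports exactly those members.
"""
import subprocess
import sys
from typing import Dict, List


def parse_getent_group(line: str) -> List[str]:
    """Member names from a group(5) line: name:passwd:gid:m1,m2,..."""
    fields = line.strip().split(":")
    if len(fields) != 4:
        raise ValueError(f"not a group(5) entry: {line!r}")
    return [m for m in fields[3].split(",") if m]


def inconsistent_members(group: str, getent_line: str,
                         id_outputs: Dict[str, str]) -> List[str]:
    """Members getent lists in `group` whose `id -Gn` output lacks it.

    id_outputs maps member -> raw `id -Gn member` stdout. Names are compared
    case-insensitively: with case_sensitive = Preserving, AD may return a
    spelling that differs from the one queried only in case.
    """
    wanted = group.lower()
    missing = []
    for member in parse_getent_group(getent_line):
        groups = id_outputs.get(member, "").lower().split()
        if wanted not in groups:
            missing.append(member)
    return missing


def check_live(group: str) -> List[str]:
    """Query the local sssd-backed NSS (getent/id) and report mismatches."""
    getent_line = subprocess.run(["getent", "group", group], capture_output=True,
                                 text=True, check=True).stdout
    id_outputs = {}
    for member in parse_getent_group(getent_line):
        # id exits non-zero with empty stdout for unresolvable users: reported as missing
        id_outputs[member] = subprocess.run(["id", "-Gn", member], capture_output=True,
                                            text=True).stdout
    return inconsistent_members(group, getent_line, id_outputs)


if __name__ == "__main__":
    grp = sys.argv[1] if len(sys.argv) > 1 else "grpname"  # placeholder group name
    for user in check_live(grp):
        print(f"{user}: in `getent group {grp}` but missing from `id -Gn {user}`")
```

Run it on a host with the sssd.conf above and pass the PERSONALE group name; every user it prints is one for whom the two NSS views disagree, which is where to look in the sssd domain logs.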
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue