Hi guys,
> On Thu, 2011-11-03 at 09:51 +0100, Jakub Hrozek wrote:
> > On Thu, Nov 03, 2011 at 04:08:51PM +1000, GOLLSCHEWSKY, Tim wrote:
> > > Are these options used anywhere?
> > > ldap_group_search_scope
> > > ldap_group_search_filter
> >
> > As Jan noted, these options will be deprecated in 1.7 and onwards. But
> > even in the current releases, they only limit the initial user/group
> > lookup (getent passwd/group), not group membership during initgroups.
> >
>
> I'd like to point out that https://fedorahosted.org/sssd/ticket/960 will also
> probably handle this for you. As an add-on to
> https://fedorahosted.org/sssd/ticket/868 (which handles multiple search bases with
> individual lookup filters), we will be able to properly filter out users and groups
> that don't match the search base and filter.
>
> So I think that in 1.7.0, your issue will be solved by doing:
>
> ldap_group_search_base =
> dc=example,dc=com?subtree?(|(cn=group1)(cn=group2)(cn=group3))
>
> And the result will be that you will only see groups that match the aforementioned filter,
> even for nested groups with DN lookups.
Can I please confirm that this functionality did indeed get added to sssd 1.7.0?
I should be able to do this now (if I can get 1.7.0 working. :)
Yes, the functionality is in. See the documentation on ldap_search_base
in man sssd-ldap.
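As an added illustration (not SSSD's own code), the snippet below parses the base?scope?filter value form documented in man sssd-ldap, including the repeated ?base?scope?filter form for multiple search bases, and applies it to constructed group entries. The tiny filter evaluator (equality, & and | only) stands in for the LDAP server so the visible-groups effect of the proposed value can be seen offline.

```python
def parse_search_base(value):
    """Split 'base?scope?filter[?base?scope?filter...]' into triples."""
    parts = [p.strip() for p in value.split("?")]  # assumes no '?' inside filters
    if len(parts) == 1:                            # bare base: subtree, no filter
        parts += ["subtree", ""]
    if len(parts) % 3:
        raise ValueError("expected base?scope?filter groups")
    triples = []
    for i in range(0, len(parts), 3):
        base, scope, flt = parts[i:i + 3]
        if scope not in ("base", "onelevel", "subtree"):
            raise ValueError("unknown scope %r" % scope)
        triples.append((base, scope, flt))
    return triples

def parse_filter(s, pos=0):
    """Minimal LDAP filter parser (=, &, |); returns (node, next_pos)."""
    pos += 1                                       # skip the opening '('
    if s[pos] in "&|":
        op, kids, pos = s[pos], [], pos + 1
        while s[pos] == "(":
            node, pos = parse_filter(s, pos)
            kids.append(node)
        return (op, kids), pos + 1
    end = s.index(")", pos)                        # ValueError if unbalanced
    attr, val = s[pos:end].split("=", 1)
    return ("=", attr.lower(), val), end + 1

def matches(node, attrs):
    if node[0] == "=":                 # exact match only; real LDAP matching rules vary
        return node[2] in attrs.get(node[1], [])
    return (all if node[0] == "&" else any)(matches(k, attrs) for k in node[1])

def in_scope(dn, base, scope):
    dn, base = dn.lower().replace(" ", ""), base.lower().replace(" ", "")
    if scope == "base":
        return dn == base
    rest = dn[:-len(base) - 1] if dn.endswith("," + base) else None
    return rest is not None and (scope == "subtree" or "," not in rest)

def visible_groups(config_value, entries):
    # cn of each entry that lies inside some base/scope and matches that base's filter
    triples = parse_search_base(config_value)
    return [attrs["cn"][0] for dn, attrs in entries
            if any(in_scope(dn, b, s) and (not f or matches(parse_filter(f)[0], attrs))
                   for b, s, f in triples)]

GROUPS = [("cn=group1,ou=groups,dc=example,dc=com", {"cn": ["group1"]}),  # constructed
          ("cn=group2,ou=groups,dc=example,dc=com", {"cn": ["group2"]}),  # sample entries,
          ("cn=wheel,ou=groups,dc=example,dc=com", {"cn": ["wheel"]}),    # not from thread
          ("cn=group3,dc=other,dc=org", {"cn": ["group3"]})]
CONFIG = "dc=example,dc=com?subtree?(|(cn=group1)(cn=group2)(cn=group3))"
```

With the filtered value only group1 and group2 are returned; dropping the filter part also exposes wheel, which is the difference the thread is after.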