On (03/04/15 10:58), rone wrote:
From sssd.conf:
ldap_group_search_base = ou=Accounts_Group,dc=corp,dc=example,dc=com
From sssd_LDAP.log:
(Thu Apr 2 17:32:32 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(cn=admin)(objectclass=group)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))(gidNumber=*))][ou=Accounts_Group,dc=corp,dc=example,dc=com]
The hitch here is that our groups (in our Active Directory schema)
don't have a gidNumber element, so this returns nothing. Is it
possible to change the default filter so that it doesn't go looking
for gidNumber=*?
You can use ID mapping with Active Directory, which translates SIDs to Unix IDs.
It is by default enabled with id_provider ad.
https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server#SSSDsetup
LS
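
An added configuration sketch, not part of the original thread, showing two ways to turn on the ID mapping suggested in the reply. The domain section name `LDAP` is taken from the `be[LDAP]` log prefix and `corp.example.com` is derived from the search base; both are assumptions about the poster's setup, and only one of the two sections should be used.

```ini
# Option A (assumed layout): keep the existing LDAP provider and enable
# SID-based ID mapping, so group lookups no longer depend on gidNumber.
[domain/LDAP]
id_provider = ldap
# Use the Active Directory attribute names (objectSID and so on).
ldap_schema = ad
# Derive UIDs/GIDs from objectSID instead of uidNumber/gidNumber.
ldap_id_mapping = True
ldap_group_search_base = ou=Accounts_Group,dc=corp,dc=example,dc=com

# Option B (assumed layout): switch to the AD provider, where ID mapping
# is enabled by default as the reply notes.
[domain/corp.example.com]
id_provider = ad
ad_domain = corp.example.com
# ldap_id_mapping defaults to True with id_provider = ad.
```

Turning on ID mapping changes the UIDs and GIDs that SSSD reports, so clear the SSSD cache after the change and review ownership of files created under the old IDs. Option B also expects the host to be joined to the AD domain.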