All,

Spoiler alert: my configuration is working; I just want verification that I did it right.

BACKGROUND:

I have an LDAP domain that was delivering autofs maps exclusively.  Other (AD) domains were delivering users, groups, authentication and access. 

Since this back-end LDAP domain didn't participate in any user authentication or access, I configured that back-end LDAP domain in sssd.conf with only an autofs_provider:

[domain/LDAP]
debug_level = 9
id_provider = none
autofs_provider = ldap
ldap_uri = ldap://austgcore17.example.com
ldap_schema = rfc2307bis
ldap_default_bind_dn = cn=ldapadm,dc=itzgeek,dc=local
ldap_default_authtok = ldppassword
ldap_autofs_search_base = ou=automount,ou=admin,dc=itzgeek,dc=local
ldap_autofs_map_object_class = automountMap
ldap_autofs_map_name = automountMapName
ldap_autofs_entry_object_class = automount
ldap_autofs_entry_key = automountKey
ldap_autofs_entry_value = automountInformation
ldap_netgroup_search_base = ou=netgroup,ou=admin,dc=itzgeek,dc=local

Works great! I get all expected automount maps.

CURRENT (ADDED NETGROUPS):

Now I have added NIS netgroups to this backend LDAP server.  Thus, it now successfully delivers automount maps + netgroups. 

I still don’t want this LDAP backend domain to even attempt authentication and access – that’s in my other (AD) domains.

So you’d think all I’d have to do is change this:

[domain/LDAP]
id_provider = none
autofs_provider = ldap

to this:

[domain/LDAP]
id_provider = none
autofs_provider = ldap
netgroup_provider = ldap

But, in point of fact, there is no "netgroup_provider" setting for the sssd.conf file. Netgroups take whatever value 'id_provider' has.

So I turned on id_provider, then explicitly turned off all providers I don’t want.  Is this correct?


[domain/LDAP]
debug_level = 9
#id_provider = none
id_provider = ldap
auth_provider = none
account_provider = none
chpass_provider = none
sudo_provider = none
subdomains_provider = none
autofs_provider = ldap

Also, any particular reason there’s not a netgroup_provider?


BTW, retrieving netgroups via sssd does not seem to be explicitly and concretely documented. That is, I had to consult multiple sources to get the RFC 2307bis setup, and another to get the sssd.conf settings. (I'm not faulting anyone; netgroups are rarely used anymore.)

Is there someone who maintains the sssd documentation to whom I could submit a concrete example, to help any future intrepid explorer? I have the specific back-end LDIF files, the specific sssd.conf and the nsswitch.conf file setup.

Spike White
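The check below is an added example and is not part of the original post or of the SSSD project. It encodes the provider fall-back rules documented in sssd.conf(5): netgroups have no provider option of their own and are served by id_provider; auth_provider defaults to id_provider when unset; chpass_provider defaults to auth_provider; and access_provider defaults to "permit". The consequence for a domain like the one above is that switching id_provider from "none" to "ldap" makes that domain a PAM authentication backend unless auth_provider and chpass_provider are explicitly set to "none" (and access_provider to "deny" if logins are to be refused outright). The sssd.conf text, hostnames and DNs in the block are constructed for the example; the domain name LDAP simply mirrors the post.

```python
import configparser

# Constructed sssd.conf for this example.  The LDAP domain is meant to serve only
# autofs maps and netgroups; the AD domain owns authentication.  Hostnames and
# DNs are placeholders, not taken from any real deployment.
BEFORE_CONF = """
[sssd]
services = nss, pam, autofs
domains = LDAP, EXAMPLE.COM

[domain/LDAP]
id_provider = ldap
autofs_provider = ldap
ldap_uri = ldap://ldap.example.test
ldap_schema = rfc2307bis
ldap_netgroup_search_base = ou=netgroup,ou=admin,dc=example,dc=test
ldap_autofs_search_base = ou=automount,ou=admin,dc=example,dc=test

[domain/EXAMPLE.COM]
id_provider = ad
access_provider = ad
"""

# The same file with the lookup-only domain explicitly closed to PAM:
# authentication and password changes go to the "none" provider, access is denied.
AFTER_CONF = BEFORE_CONF.replace(
    "autofs_provider = ldap\n",
    "autofs_provider = ldap\n"
    "auth_provider = none\n"
    "chpass_provider = none\n"
    "access_provider = deny\n",
    1,
)

# Domains that must never authenticate or authorise a login (assumed for this example).
LOOKUP_ONLY_DOMAINS = frozenset({"LDAP"})


def effective_providers(domain):
    """Resolve the providers sssd will actually use for one [domain/...] section.

    Fallbacks follow sssd.conf(5): netgroups are always handled by id_provider,
    auth_provider falls back to id_provider, chpass_provider falls back to
    auth_provider, and access_provider defaults to "permit".
    """
    id_p = domain.get("id_provider")
    auth_p = domain.get("auth_provider", id_p)
    return {
        "id": id_p,
        "netgroup": id_p,
        "auth": auth_p,
        "chpass": domain.get("chpass_provider", auth_p),
        "access": domain.get("access_provider", "permit"),
        "autofs": domain.get("autofs_provider"),
    }


def lint_lookup_only(conf_text, lookup_only=LOOKUP_ONLY_DOMAINS):
    """Return {domain: [findings]} for every lookup-only domain found in conf_text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        if name not in lookup_only:
            continue
        eff = effective_providers(cp[section])
        findings = []
        if eff["netgroup"] in (None, "none"):
            findings.append("id_provider is unset or none, so netgroups cannot be served")
        if eff["auth"] not in (None, "none"):
            findings.append(f"auth_provider effectively {eff['auth']!r}; set auth_provider = none")
        if eff["chpass"] not in (None, "none"):
            findings.append(f"chpass_provider effectively {eff['chpass']!r}; set chpass_provider = none")
        if eff["access"] != "deny":
            findings.append(f"access_provider effectively {eff['access']!r}; set access_provider = deny")
        report[name] = findings
    return report


if __name__ == "__main__":
    for label, conf in (("before", BEFORE_CONF), ("after", AFTER_CONF)):
        for name, findings in lint_lookup_only(conf).items():
            print(f"{label} [domain/{name}]: {len(findings)} finding(s)")
            for finding in findings:
                print("  -", finding)
```

Run against BEFORE_CONF the check reports three findings for the LDAP domain (auth and chpass silently inherited "ldap", access defaulted to "permit"); against AFTER_CONF it reports none. The check only reads the file, so it can be pointed at a real /etc/sssd/sssd.conf once the lookup-only domain names are adjusted.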