----- Original Message -----
From: "Lukas Slebodnik" lslebodn@redhat.com
To: "End-user discussions about the System Security Services Daemon" sssd-users@lists.fedorahosted.org
Sent: Wednesday, May 6, 2015 2:37:42 PM
Subject: Re: [SSSD-users] please do not remove enumeration from AD provider
----- Original Message -----
From: "James Ralston" ralston@pobox.com
To: "End-user discussions about the System Security Services Daemon" sssd-users@lists.fedorahosted.org
Sent: Wednesday, May 6, 2015 7:28:35 PM
Subject: [SSSD-users] please do not remove enumeration from AD provider
...
But the LDAP provider doesn't support ID mapping; only the AD provider does. And ID mapping is the main reason we use sssd.
ID mapping should work with LDAP provider (+ AD)
Yes, it does. "ldap_id_mapping = True".
But auto-discovery of domain SID does not work with ldap provider. So you need to configure it manually.
This statement is completely false. The domain SID is automatically detected. Setting it manually like this just means that instead of getting the automatically-determined ID range slice, it will always take slice 0.
...
But I would not recommend using ldap+krb5 instead of ldap_default_bind_dn. You can find some details in the RHEL7 documentation[1].
I'm not sure what you were trying to say here. I think you meant to say "It's much preferred to use GSSAPI with LDAP and a kerberos keytab to secure your communication with Active Directory, the same way that the AD provider does."
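The two points argued in this thread, that ID mapping works with the plain LDAP provider without setting the domain SID by hand and that a GSSAPI bind from a keytab is preferable to a bind DN with a cleartext password, can be shown side by side in an sssd.conf fragment. The following is an added example written for this thread, not configuration from any of the posters or from the SSSD project; the domain name, host names, realm, keytab path and bind DN are placeholders, and the ldap_sasl_authid value must match the host's own machine account in the directory.

```ini
# Added example (not from the thread): LDAP provider against Active Directory
# with ID mapping and a GSSAPI bind. All names below are placeholders.
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = krb5
ldap_schema = ad
ldap_uri = ldap://dc1.example.com
ldap_referrals = False
krb5_realm = EXAMPLE.COM
krb5_server = dc1.example.com

# ID mapping works with the LDAP provider. The domain SID is discovered
# automatically, so ldap_idmap_default_domain_sid is deliberately left unset;
# setting it by hand only pins the domain to ID range slice 0.
ldap_id_mapping = True
# ldap_idmap_default_domain_sid = S-1-5-21-PLACEHOLDER

# Enumeration (the subject of the thread) is available here as well.
enumerate = True

# Preferred: authenticate the LDAP connection with GSSAPI using the host
# keytab, the same way the AD provider does. No secret lives in this file.
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = HOST$@EXAMPLE.COM
ldap_krb5_keytab = /etc/krb5.keytab

# Discouraged alternative: a service-account bind DN whose password is stored
# in cleartext in sssd.conf and sent over the LDAP connection.
# ldap_default_bind_dn = CN=sssd,OU=Service Accounts,DC=example,DC=com
# ldap_default_authtok = PLACEHOLDER-PASSWORD
```

With the GSSAPI settings in place the only credential on the host is the keytab, which should be readable by root only (sssd's backend runs as root); if the bind DN lines are used instead, sssd.conf itself must be treated as a secret because anyone who can read it obtains a directory credential.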