On Sun, Oct 23, 2016 at 08:34:45PM -0000, squallu(a)gmail.com wrote:
> I'm trying to configure sssd with ad provider to work with ldap_id_mapping = False,
> everything is working fine except additional group aside from the primary
> (msSFU30PosixMemberOf), is it even possible without switching to id_provider=ldap?
> Adding ldap_user_member_of = msSFU30PosixMemberOf to /etc/sssd/sssd.conf changes nothing,
> switching to id_provider = ldap works and gives me back all the unix groups configured on

The memberof attribute is not really used much, instead, the AD provider
reads the group membership from the tokenGroups attribute and if those
are disabled (which you probably want to do with msSFU attributes which
are IIRC not synced with Windows group memberships..), then we fall back
to using just "member".
tl;dr, try with disabled tokengroups and map all the msSFU attributes
that you use, not just memberof..
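
The suggestion in the reply above, sketched as an sssd.conf fragment. This is an added example, not configuration posted in the thread. The domain name is a placeholder, and the msSFU30 attribute mappings assume those SFU 3.0 schema attributes are the ones actually populated in the directory; map only the attributes in use.

```ini
# /etc/sssd/sssd.conf (fragment)
# "example.com" is a placeholder domain name.
[domain/example.com]
id_provider = ad

# Use the POSIX IDs stored in AD instead of SID-based ID mapping
# (the setting from the original question).
ldap_id_mapping = False

# Stop resolving memberships through tokenGroups. With this disabled,
# the AD provider falls back to the group's member attribute.
ldap_use_tokengroups = False

# User attribute mappings (assumed: SFU 3.0 attributes are populated).
ldap_user_name = msSFU30Name
ldap_user_uid_number = msSFU30UidNumber
ldap_user_gid_number = msSFU30GidNumber
ldap_user_home_directory = msSFU30HomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_user_member_of = msSFU30PosixMemberOf

# Group attribute mappings. Overriding ldap_group_member matters here,
# because the fallback reads membership from the group side, not from
# the user's memberOf-style attribute.
ldap_group_gid_number = msSFU30GidNumber
ldap_group_member = msSFU30PosixMember
```

After changing the mappings, stop sssd, clear its cache (for example with `sss_cache -E`), start it again, and compare the output of `id <user>` with the groups expected from the directory.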