Hi, I'm trying to configure sssd with the AD provider to work with ldap_id_mapping = False. Everything is working fine except the additional groups aside from the primary one (msSFU30PosixMemberOf). Is it even possible without switching to id_provider=ldap?
Adding ldap_user_member_of = msSFU30PosixMemberOf to /etc/sssd/sssd.conf changes nothing; switching to id_provider = ldap works and gives me back all the unix groups configured in AD.
Thank you.
On Sun, Oct 23, 2016 at 08:34:45PM -0000, squallu@gmail.com wrote:
> Hi, I'm trying to configure sssd with the AD provider to work with ldap_id_mapping = False. Everything is working fine except the additional groups aside from the primary one (msSFU30PosixMemberOf). Is it even possible without switching to id_provider=ldap?
> Adding ldap_user_member_of = msSFU30PosixMemberOf to /etc/sssd/sssd.conf changes nothing; switching to id_provider = ldap works and gives me back all the unix groups configured in AD.
The memberof attribute is not really used much, instead, the AD provider reads the group membership from the tokenGroups attribute and if those are disabled (which you probably want to do with msSFU attributes which are IIRC not synced with Windows group memberships..), then we fall back to using just "member".
tl;dr, try with disabled tokengroups and map all the msSFU attributes that you use, not just memberof..
Thank you very much, setting tokengroups to false solved all my problems. These are the configuration lines I added which solved my problems:
ldap_use_tokengroups = false
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_user_member_of = msSFU30PosixMemberOf
ldap_group_member = msSFU30PosixMember
ldap_group_gid_number = gidNumber
ldap_user_uid_number = uidNumber
Thank you again!
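As an added example (not from the thread or the sssd project), a small checker that encodes the lesson above: for every AD-provider domain with ldap_id_mapping disabled, it flags tokenGroups still being enabled and the group-side member attribute not being remapped. The two embedded sssd.conf samples are constructed from the poster's before/after settings; the domain name example.com is a placeholder.

```python
"""Check an sssd.conf for the AD-provider / POSIX-attribute pitfall from this thread."""
import configparser

# Constructed sample: the poster's first attempt (AD provider, no ID mapping,
# tokenGroups left at its default, only the memberOf attribute remapped).
BEFORE = """
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
ldap_id_mapping = False
ldap_user_member_of = msSFU30PosixMemberOf
"""

# Constructed sample: the same domain with the settings the poster added.
AFTER = BEFORE + """
ldap_use_tokengroups = false
ldap_user_name = sAMAccountName
ldap_user_home_directory = unixHomeDirectory
ldap_group_member = msSFU30PosixMember
ldap_group_gid_number = gidNumber
ldap_user_uid_number = uidNumber
"""

def _is_true(value):
    return value.strip().lower() in ("true", "yes", "1")

def check_posix_groups(conf_text):
    """Return findings for each [domain/...] section that uses id_provider = ad
    with ldap_id_mapping disabled, i.e. POSIX IDs read from AD attributes."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        if dom.get("id_provider", "").strip() != "ad":
            continue
        if _is_true(dom.get("ldap_id_mapping", "true")):
            continue  # ID mapping on: membership via tokenGroups works as-is
        # With tokenGroups enabled (the default) the memberOf mapping is ignored,
        # so secondary groups kept in msSFU attributes never show up.
        if _is_true(dom.get("ldap_use_tokengroups", "true")):
            findings.append(f"{section}: ldap_use_tokengroups is enabled; set it to false")
        # Once tokenGroups is off, membership comes from the group side ("member"),
        # so the group member attribute must be remapped too, not only memberOf.
        if "ldap_group_member" not in dom:
            findings.append(f"{section}: ldap_group_member not mapped (e.g. msSFU30PosixMember)")
    return findings
```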
sssd-users@lists.fedorahosted.org