we are overriding our user's GID because our university has set everyone's primary group to "domain users".
Is there a way to override based on a match, so that we could specify our human users get one GID and our service daemons get another GID?
I tried adding a second domain, with a different ldap_access_filter and different override_gid, but I never had success. Virtually all other attributes were the same, and since my daemon user was not in my first ldap_access_filter, authentication was rejected.
My current default domain is below:
[domain/default]
debug_level = 8
id_provider = ad
auth_provider = ad
access_provider = ldap
chpass_provider = ad
ad_domain = dhe.duke.edu
ldap_search_base = DC=dhe,DC=duke,DC=edu
ldap_idmap_default_domain = dhe.duke.edu
ldap_sasl_mech = GSSAPI
ldap_account_expire_policy = ad
ldap_access_order = filter, expire
ldap_schema = ad
ldap_referrals = False
ldap_id_mapping = True
ldap_force_upper_case_realm = True
ldap_access_filter = (|(memberOf=CN=BIAC-Users,OU=Groups,OU=BIAC,OU=SOM,OU=EnterpriseResources,DC=dhe,DC=duke,DC=edu)(memberOf=CN=BIAC-Data-Daemons,OU=Groups,OU=BIAC,OU=SOM,OU=EnterpriseResources,DC=dhe,DC=duke,DC=edu))
ldap_idmap_default_domain_sid = S-1-5-edited
ldap_tls_reqcert = never
case_sensitive = False
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d
ldap_account_expire_policy = ad
krb5_realm = DHE.DUKE.EDU
# these will go away with IDMU uid
ldap_idmap_range_size = 20000000
ldap_idmap_range_min = 0
ldap_idmap_range_max = 2000000000
min_id = 500
override_gid = 197250
On 10/28/2013 05:47 PM, Chris Petty wrote:
> we are overriding our user's GID because our university has set everyone's primary group to "domain users".
> Is there a way to override based on a match, so that we could specify our human users get one GID and our service daemons get another GID?
No, this is not currently available. You're welcome to file an enhancement request at https://fedorahosted.org/sssd (or if you are a customer of a commercial distribution, you should contact your support representative).
> I tried adding a second domain, with a different ldap_access_filter and different override_gid, but I never had success. Virtually all other attributes were the same, and since my daemon user was not in my first ldap_access_filter, authentication was rejected.
You should be able to do this by splitting your two domains with a different ldap_search_filter (not access_filter; that happens *after* we find the user in the domain and confirm that it's there).
So you might want to do:

[domain/humans]
ldap_user_search_base = DC=dhe,DC=duke,DC=edu?subtree?(isHuman=1)

[domain/daemons]
ldap_user_search_base = DC=dhe,DC=duke,DC=edu?subtree?(isHuman=0)
Obviously, replace (isHuman=0) with an LDAP search filter that appropriately splits the domain.
The rest of the configurations should be left alone.
NOTE: This is untested advice. This will probably break initgroups() requests for the daemon users, since the first domain will still match all the groups and the daemon users will be filtered out.
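As an added illustration of the split suggested above (not part of either message in the thread), here is what the two-domain layout looks like when the `isHuman` placeholder is replaced with the two AD groups that already appear in the original ldap_access_filter. The `base?scope?filter` form of ldap_user_search_base is the documented sssd-ldap syntax; only objects matching the filter are treated as users of that domain, which is what lets each domain carry its own override_gid. The daemon GID 197251, the `[sssd]` section and the reduced per-domain access filters are assumptions made for the example; every other setting is copied from the poster's [domain/default] and, as the reply says, should otherwise be left alone.

```ini
[sssd]
# Assumed: both domains must be listed here, or SSSD will not load them.
domains = humans, daemons
services = nss, pam
config_file_version = 2

[domain/humans]
id_provider = ad
auth_provider = ad
access_provider = ldap
chpass_provider = ad
ad_domain = dhe.duke.edu
krb5_realm = DHE.DUKE.EDU
ldap_schema = ad
ldap_sasl_mech = GSSAPI
ldap_search_base = DC=dhe,DC=duke,DC=edu
# base?scope?filter: only members of BIAC-Users are users of this domain.
ldap_user_search_base = DC=dhe,DC=duke,DC=edu?subtree?(memberOf=CN=BIAC-Users,OU=Groups,OU=BIAC,OU=SOM,OU=EnterpriseResources,DC=dhe,DC=duke,DC=edu)
# Assumed: the access filter is narrowed to the same group; it is evaluated
# only after the user has already been found via ldap_user_search_base.
ldap_access_order = filter, expire
ldap_access_filter = (memberOf=CN=BIAC-Users,OU=Groups,OU=BIAC,OU=SOM,OU=EnterpriseResources,DC=dhe,DC=duke,DC=edu)
ldap_account_expire_policy = ad
ldap_id_mapping = True
ldap_idmap_default_domain = dhe.duke.edu
ldap_idmap_default_domain_sid = S-1-5-edited
ldap_idmap_range_size = 20000000
ldap_idmap_range_min = 0
ldap_idmap_range_max = 2000000000
min_id = 500
# GID for human users (value from the original post).
override_gid = 197250

[domain/daemons]
id_provider = ad
auth_provider = ad
access_provider = ldap
chpass_provider = ad
ad_domain = dhe.duke.edu
krb5_realm = DHE.DUKE.EDU
ldap_schema = ad
ldap_sasl_mech = GSSAPI
ldap_search_base = DC=dhe,DC=duke,DC=edu
# Only members of BIAC-Data-Daemons are users of this domain.
ldap_user_search_base = DC=dhe,DC=duke,DC=edu?subtree?(memberOf=CN=BIAC-Data-Daemons,OU=Groups,OU=BIAC,OU=SOM,OU=EnterpriseResources,DC=dhe,DC=duke,DC=edu)
ldap_access_order = filter, expire
ldap_access_filter = (memberOf=CN=BIAC-Data-Daemons,OU=Groups,OU=BIAC,OU=SOM,OU=EnterpriseResources,DC=dhe,DC=duke,DC=edu)
ldap_account_expire_policy = ad
ldap_id_mapping = True
ldap_idmap_default_domain = dhe.duke.edu
ldap_idmap_default_domain_sid = S-1-5-edited
ldap_idmap_range_size = 20000000
ldap_idmap_range_min = 0
ldap_idmap_range_max = 2000000000
min_id = 500
# Assumed GID for service daemons; substitute the real group's GID.
override_gid = 197251
```

Two things to check after restarting sssd: `getent passwd <daemon-user>` should show the daemon GID and `getent passwd <human-user>` the human GID, confirming each account is resolved by exactly one domain; and, because of the initgroups caveat in the reply, `id <daemon-user>` should be inspected to see whether the daemon's supplementary groups still come back correctly, since group lookups are not split by these filters.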
sssd-users@lists.fedorahosted.org