Hello,

I was attempting to utilise the AD provider for access control, however I cannot make it work with members of nested groups. i.e. when using the LDAP_MATCHING_RULE_IN_CHAIN.

This functions:

access_provider = ldap
ldap_sasl_authid = SERVER$@DOMAIN
ldap_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=ServerGroup,OU=Groups,DC=DOMAIN)

This doesn’t:

access_provider = ad
ad_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=ServerGroup,OU=Groups,DC=DOMAIN)

Have I missed anything?

It would also be useful if it is possible to allow local users access alongside the remote users. e.g. allow both “domain_account” and “local_account” access. Is that possible?

Thanks
Mark

------------------------------------------------------------------------
Mark Sangster
Server Infrastructure Specialist

Information Technology Services | University of Aberdeen
t: +44 (0)1224 27-3315 | e: mailto:mark@abdn.ac.uk | u: http://www.abdn.ac.uk/it/


The University of Aberdeen is a charity registered in Scotland, No SC013683.
Tha Oilthigh Obar Dheathain na charthannas clàraichte ann an Alba, Àir. SC013683.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org