On Thu, Jun 19, 2025 at 2:22 PM Shaun Glass via sssd-users <sssd-users@lists.fedorahosted.org> wrote:

> Good Day,
>
> I am busy setting up testing and authentication Linux Servers against eDirectory (LDAP) using SSSD with Linux Enabled (LUM) Users and Groups. I am having issues with the below:
>
> ldap_user_search_base = o=LDAP?subtree?(&(objectclass=posixAccount)(|(securityEquals=cn=SERVER,ou=Groups,ou=Linux,ou=IAM,o=LDAP)))
>
> Now the precise part I am talking about is securityEquals. We were using gidNumber but since just about all Users will have the same Primary Group they will end up with the same gidNumber. The reason we want to avoid that is when a person does:
>
> getent passwd
>
> ... they will see hundreds of user accounts and we want to avoid that.

Did you consider merely disabling enumeration (`enumerate = false` in the domain section of 'sssd.conf')?

> --
>
> The idea is that we want it to match the Users in a particular Group without that Group being the Users Primary Group:
>
> ldap_user_search_base = o=LDAP?subtree?(&(objectclass=posixAccount)(|(securityEquals=cn=SERVER,ou=Groups,ou=Linux,ou=IAM,o=LDAP)))
> ldap_group_search_base = o=LDAP?subtree?(&(objectclass=posixGroup)(|(cn=SERVER)))
>
> I do not know if securityEquals is a valid attribute for SSSD?
>
> Regards