----- Original Message -----
From: "Lukas Slebodnik" <lslebodn(a)redhat.com>
To: "End-user discussions about the System Security Services Daemon"
<sssd-users(a)lists.fedorahosted.org>
Sent: Wednesday, May 6, 2015 2:37:42 PM
Subject: Re: [SSSD-users] please do not remove enumeration from AD provider
----- Original Message -----
> From: "James Ralston" <ralston(a)pobox.com>
> To: "End-user discussions about the System Security Services Daemon"
> <sssd-users(a)lists.fedorahosted.org>
> Sent: Wednesday, May 6, 2015 7:28:35 PM
> Subject: [SSSD-users] please do not remove enumeration from AD provider
>
...
> But the LDAP provider doesn't support ID mapping; only the AD provider
> does. And ID mapping is the main reason we use sssd.
>
ID mapping should work with LDAP provider (+ AD)
Yes, it does. "ldap_id_mapping = True".
But auto-discovery of domain SID does not work with ldap provider.
So you need to configure it manually.
This statement is completely false. The domain SID is automatically detected. Setting it
manually like this just means that instead of getting the automatically-determined ID
range slice, it will always take slice 0.
...
But I would not recommend using ldap+krb5 instead of
ldap_default_bind_dn
You can find some details in RHEL7 documentation[1]
I'm not sure what you were trying to say here. I think you meant to say "It's
much preferred to use GSSAPI with LDAP and a Kerberos keytab to secure your communication
with Active Directory, the same way that the AD provider does."
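For readers following the two points argued above (ID mapping with the LDAP provider, and a keytab-based GSSAPI bind instead of a bind DN with a stored password), here is an sssd.conf fragment put together as an added example. It is not configuration posted by either participant; the domain, realm, host names and account names are placeholders.

```ini
# Added example, not from either poster: LDAP provider against Active Directory
# with ID mapping. Every name below (example.com, EXAMPLE.COM, dc1, client) is a placeholder.
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc1.example.com
ldap_schema = ad

# ID mapping with the LDAP provider, the setting named in the thread
ldap_id_mapping = True

krb5_realm = EXAMPLE.COM
krb5_server = dc1.example.com

# --- Variant the thread advises against: simple bind with a service-account
# --- password stored in the config file (left commented out on purpose)
# ldap_default_bind_dn = CN=sssd-svc,OU=Service Accounts,DC=example,DC=com
# ldap_default_authtok_type = password
# ldap_default_authtok = PLACEHOLDER_PASSWORD

# --- Preferred variant: GSSAPI bind using the machine's keytab, the same
# --- way the AD provider authenticates to the domain controllers
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.example.com@EXAMPLE.COM
ldap_krb5_keytab = /etc/krb5.keytab
```

With the GSSAPI variant no long-lived LDAP password sits in /etc/sssd/sssd.conf; the host principal in /etc/krb5.keytab (which must already exist, e.g. from the domain join) is what authenticates the directory lookups, and rotating it follows the machine account rather than a separately managed service password.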