On 04/03/2015 04:54 PM, rone wrote:
Lukas Slebodnik writes:
> On (03/04/15 10:58), rone wrote:
>> From sssd.conf:
>> ldap_group_search_base = ou=Accounts_Group,dc=corp,dc=example,dc=com
>>
>> From sssd_LDAP.log:
>> (Thu Apr 2 17:32:32 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(cn=admin)(objectclass=group)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))(gidNumber=*))][ou=Accounts_Group,dc=corp,dc=example,dc=com]
>>
>> The hitch here is that our groups (in our Active Directory schema)
>> don't have a gidNumber element, so this returns nothing. Is it
>> possible to change the default filter so that it doesn't go looking
>> for gidNumber=*?
>>
> You can use ID mapping with Active Directory, which translates SID to unix IDs.
>
> It is by default enabled with id_provider ad.
>
>
> https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server#SSSDsetup

id_provider ad won't work because we aren't using Kerberos (these are
OpenStack hosts that have not joined the AD realm).

rone

Maybe we should step back and discuss your environment.
What do you have and what are you trying to accomplish?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.