Thanks Lukas for the clarifications.
You're right, I'm interested in authenticating against AD, I don't need the
group membership attributes. It seems to be the right solution to avoid the caching of
lots of groups on the FreeIPA side.
If you have any idea how to solve this, don't hesitate.
Romain
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Lukas Slebodnik
Sent: mercredi 4 mars 2015 20:58
To: dpal(a)redhat.com; End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] FreeIPA/SSSD LDAP cross-forest trust slow queries
On (04/03/15 14:29), Dmitri Pal wrote:
On 03/04/2015 01:35 PM, Aviolat Romain wrote:
>Hi there,
>
>I played again with the sssd.conf config file and I'm not 100% sure that I'm
>configuring sssd correctly. I'm still trying to tell sssd to ignore the SID mapping.
>
>I'm not sure if I should create multiple domains, one for the freeIPA
>domain and one for the ad domain and put specific options into them.
>Like
>
>[domain/ad.mydomain2.net]
>ldap_group_nesting_level = 0
>ignore_group_members = True
>ldap_use_tokengroups = False
>
>[domain/domain1.com]
>Options specific to the FreeIPA domain.
>
>I have also read that all the domains should be listed into the [sssd] section.
>
>I can't find info about how to configure this file for multiple domains, can
>someone point me to the right direction ?
>
>Thanks for your help
>
>Romain
OK, If you use SSSD with IPA and IPA is in trust with AD then you just
join client to IdM using realmd or ipa-client-install. In this case
SSSD via configuration should know only about the domain it is joined
to - the IPA one. The AD domains and forests are discovered dynamically
and internally and do not require any configuration in the SSSD.conf
Romain already uses IPA with AD trust.
The main problem is that users in his AD are members of many groups, which causes big delays
when users try to authenticate.
If I understand it correctly, he is mainly interested in authentication against AD and does
not need all group membership.
It would be possible to change it with options ldap_group_nesting_level,
ignore_group_members or ldap_use_tokengroups.
But I don't know how to change the configuration of an AD subdomain in sssd in IPA server
mode.
LS
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
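An added example, not code from this thread or from the SSSD project: a small Python checker for the multi-domain sssd.conf layout discussed above. It parses an sssd.conf, reports any [domain/...] section that is not listed on the [sssd] domains= line (the point Romain read about, and the usual reason a second domain section silently does nothing), and shows the effective value of the three group-expansion options named in the thread for each domain. The sample configuration, domain names and server hostname are constructed for the example; the option names come from the thread.

```python
"""Sanity-check an sssd.conf for the multi-domain layout discussed in the thread.

Added example, not from the sssd-users list or the SSSD project. Assumes only
that sssd.conf is INI-style ([section] headers, key = value), as sssd.conf(5)
describes. All names and values below are constructed.
"""
import configparser

# Group-expansion options mentioned in the thread, mapped to the value that
# minimises group lookups during authentication (constructed map).
GROUP_LOOKUP_OPTIONS = {
    "ldap_group_nesting_level": "0",
    "ignore_group_members": "true",
    "ldap_use_tokengroups": "false",
}

# Constructed sample: an IPA domain plus an AD section that is NOT listed in
# [sssd] domains=, mirroring the layout Romain asked about.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = domain1.com

[domain/domain1.com]
id_provider = ipa
ipa_domain = domain1.com
ipa_server = ipa.domain1.com

[domain/ad.mydomain2.net]
id_provider = ad
ldap_group_nesting_level = 0
ignore_group_members = True
ldap_use_tokengroups = False
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """Parse sssd.conf text; interpolation is off because values may contain '%'."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def listed_domains(cp: configparser.ConfigParser) -> list:
    """Domains SSSD will actually start: the comma-separated [sssd] domains= line."""
    raw = cp.get("sssd", "domains", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]


def configured_domains(cp: configparser.ConfigParser) -> list:
    """Domains that have a [domain/<name>] section, listed or not."""
    return [s.split("/", 1)[1] for s in cp.sections() if s.startswith("domain/")]


def group_lookup_settings(cp: configparser.ConfigParser, domain: str) -> dict:
    """Effective value (lower-cased) of each group-expansion option, or '<unset>'."""
    sec = cp[f"domain/{domain}"]
    return {opt: sec.get(opt, "<unset>").lower() for opt in GROUP_LOOKUP_OPTIONS}


def check_sssd_conf(text: str) -> list:
    """Return findings about domain sections that do not match [sssd] domains=."""
    cp = parse_sssd_conf(text)
    listed = listed_domains(cp)
    configured = configured_domains(cp)
    findings = []
    for d in configured:
        if d not in listed:
            findings.append(
                f"[domain/{d}] is defined but not in [sssd] domains=, so SSSD ignores it"
            )
    for d in listed:
        if d not in configured:
            findings.append(f"'{d}' is in [sssd] domains= but has no [domain/{d}] section")
    return findings


if __name__ == "__main__":
    for finding in check_sssd_conf(SAMPLE_SSSD_CONF):
        print("WARNING:", finding)
    conf = parse_sssd_conf(SAMPLE_SSSD_CONF)
    for d in configured_domains(conf):
        print(f"[domain/{d}]", group_lookup_settings(conf, d))
```

Run against the constructed sample, the checker flags the unlisted [domain/ad.mydomain2.net] section and shows the three options as unset for the IPA domain; on a real client, point it at /etc/sssd/sssd.conf instead of the embedded string.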