All,
We use access_provider=ad along with ad_access_filter to control authentication based on
specific group memberships. But we have also configured several low-level ldap controls, as
shown below:
#ldap_id_mapping = true
#ldap_use_tokengroups = False
#ldap_sasl_mech = GSSAPI
#ldap_uri =
#ldap_sudo_search_base = ou
#ldap_user_search_base = dc
#ldap_user_object_class = user
#ldap_group_search_base = ou=
#ldap_group_object_class = group
#ldap_user_home_directory = unixHomeDirectory
#ldap_user_principal = userPrincipalName
#ldap_access_order = filter, expire
#ldap_account_expire_policy = ad
# ldap_schema = ad
I’ve seen several posts where it is suggested that when using “access_provider=ad”, these
ldap configurations are no longer needed. I just want to get some clarification on this
forum regarding how safe it is to remove all the items listed above, and whether we run a risk
of any potential issues later.
Here is a complete SSSD conf.
[sssd]
domains =
services = nss, pam, sudo
config_file_version = 2
debug_level = 0
[nss]
[pam]
[sudo]
debug_level=0
[domain/]
debug_level=0
ad_server = xxxxx
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
krb5_realm =
#ldap_id_mapping = true
#ldap_use_tokengroups = False
#ldap_sasl_mech = GSSAPI
#ldap_uri = ldap://xxxxxx
#ldap_sudo_search_base =
#ldap_user_search_base =
#ldap_user_object_class =
#ldap_group_search_base =
#ldap_group_object_class =
#ldap_user_home_directory =
#ldap_user_principal =
#ldap_access_order = filter, expire
#ldap_account_expire_policy = ad
#ldap_schema = ad
ad_access_filter =
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash
Thanks in advance for any inputs.
~ Abhi
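As an added illustration (not part of the original post or of the SSSD project), the script below reads a domain section of an sssd.conf and sorts each ldap_* option into three groups: same value as the default that id_provider = ad already applies (a no-op to remove), a value that differs from that default (removing it changes behaviour), or a value the AD provider would otherwise autodiscover. The default table is taken from sssd-ad(5) as the author remembers it and should be checked against the installed version's man page; the sample configuration and domain name are constructed placeholders.

```python
"""Classify ldap_* options in an sssd.conf [domain/...] against the defaults of id_provider = ad."""
import re

# Defaults the AD provider sets on its own (sssd-ad(5)). Assumption: confirm them
# against the man page shipped with the installed SSSD version.
AD_DEFAULTS = {
    "ldap_schema": "ad", "ldap_id_mapping": "true", "ldap_sasl_mech": "gssapi",
    "ldap_use_tokengroups": "true", "ldap_user_object_class": "user",
    "ldap_group_object_class": "group", "ldap_user_home_directory": "unixhomedirectory",
    "ldap_user_principal": "userprincipalname", "ldap_account_expire_policy": "ad",
}
# Discovered at runtime by the AD provider (DNS SRV, default naming context); an explicit value narrows it.
AD_DISCOVERED = {"ldap_uri", "ldap_user_search_base",
                 "ldap_group_search_base", "ldap_sudo_search_base"}
LDAP_LINE = re.compile(r"^\s*(#?)\s*(ldap_\w+)\s*=\s*(.*?)\s*$")

def classify_ldap_options(conf_text):
    """Return {option: (state, verdict)}; state is 'active' or 'commented-out'."""
    result, in_domain = {}, False
    for raw in conf_text.splitlines():
        if raw.lstrip().startswith("["):          # section header
            in_domain = raw.lstrip().startswith("[domain/")
            continue
        m = LDAP_LINE.match(raw)
        if not (in_domain and m):
            continue
        key, value = m.group(2), m.group(3).lower()
        state = "commented-out" if m.group(1) else "active"
        if key in AD_DEFAULTS and value == AD_DEFAULTS[key]:
            verdict = "same as AD default, removing it is a no-op"
        elif key in AD_DEFAULTS:
            verdict = f"differs from AD default {AD_DEFAULTS[key]!r}, removing it changes behaviour"
        elif key in AD_DISCOVERED:
            verdict = "autodiscovered by the AD provider, remove only if the explicit value was never needed"
        else:
            verdict = "not an AD-provider default, check sssd-ldap(5) before removing"
        result[key] = (state, verdict)
    return result

# Constructed sample modelled on the posted configuration; names are placeholders.
SAMPLE_CONF = """[domain/EXAMPLE.PLACEHOLDER]
id_provider = ad
access_provider = ad
#ldap_id_mapping = true
ldap_use_tokengroups = False
#ldap_uri = ldap://dc.example.placeholder
#ldap_access_order = filter, expire
# ldap_schema = ad
"""
```

Run it against a real sssd.conf by passing the file contents to classify_ldap_options; the one line in the posted config that does not match an AD default is ldap_use_tokengroups = False, so that is the option whose removal would change group resolution.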