All,

We use access_provider=ad along with ad_access_filter to control authentication based on specific group memberships, but we have also configured several low-level ldap controls, as shown below:

#ldap_id_mapping = true
#ldap_use_tokengroups = False
#ldap_sasl_mech = GSSAPI
#ldap_uri = 
#ldap_sudo_search_base = ou
#ldap_user_search_base = dc
#ldap_user_object_class = user
#ldap_group_search_base = ou=
#ldap_group_object_class = group
#ldap_user_home_directory = unixHomeDirectory
#ldap_user_principal = userPrincipalName
#ldap_access_order = filter, expire
#ldap_account_expire_policy = ad
# ldap_schema = ad

I’ve seen several posts where it is suggested that when using “access_provider=ad”, these ldap configurations are no longer needed. I just want to get some clarification on this forum regarding how safe it is to remove all the items listed above, and whether we run a risk of any potential issues later.

Here is the complete SSSD conf.

[sssd]
domains = 
services = nss, pam, sudo
config_file_version = 2
debug_level = 0

[nss]

[pam]

[sudo]
debug_level=0

[domain/]
debug_level=0
ad_server = xxxxx
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
krb5_realm = 
#ldap_id_mapping = true
#ldap_use_tokengroups = False
#ldap_sasl_mech = GSSAPI
#ldap_uri = ldap://xxxxxx
#ldap_sudo_search_base =
#ldap_user_search_base = 
#ldap_user_object_class = 
#ldap_group_search_base =
#ldap_group_object_class = 
#ldap_user_home_directory = 
#ldap_user_principal = 
#ldap_access_order = filter, expire
#ldap_account_expire_policy = ad
#ldap_schema = ad
ad_access_filter = 
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash


Thanks in advance for any inputs.


~ Abhi
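The question above is really "which of these ldap_* lines are just restating what id_provider = ad already does, and which would actually change behaviour if they were live". The script below is an added example from the editor, not code from the original post or from the SSSD project. It parses a [domain/...] section, including the commented-out lines, and sorts each ldap_* option into one of three buckets: identical to the value the AD provider uses by default (sssd-ad(5) lists these as options "set to different defaults", and ldap_schema = ad fixes the object-class and attribute names), commented out but carrying a value that differs from that default (inert now, but uncommenting it would change behaviour; ldap_use_tokengroups = False is the one such line in the post), or site-specific scope settings (ldap_uri and the *_search_base options) that have no single correct default. The domain name, server name and DNs in the sample are constructed for this example.

```python
"""Classify ldap_* lines in an sssd.conf AD domain section.

Added example, not from the original post or from SSSD. Defaults below are
those sssd-ad(5) documents for id_provider = ad; sample names are constructed.
"""
import re

# Values the AD provider already uses on its own (normalised: lower case, no spaces).
AD_PROVIDER_DEFAULTS = {
    "ldap_schema": "ad",
    "ldap_id_mapping": "true",
    "ldap_sasl_mech": "gssapi",
    "ldap_use_tokengroups": "true",
    "ldap_account_expire_policy": "ad",
    "ldap_access_order": "filter,expire",
    "ldap_user_object_class": "user",
    "ldap_group_object_class": "group",
    "ldap_user_home_directory": "unixhomedirectory",
    "ldap_user_principal": "userprincipalname",
}

# Scope/server pins with no universal default: an active one matters if removed.
SITE_SPECIFIC = {"ldap_uri", "ldap_user_search_base",
                 "ldap_group_search_base", "ldap_sudo_search_base"}

# Constructed sample modelled on the posted config (example.com is invented).
SAMPLE_CONF = """\
[domain/example.com]
ad_server = dc1.example.com
id_provider = ad
access_provider = ad
#ldap_id_mapping = true
#ldap_use_tokengroups = False
#ldap_sasl_mech = GSSAPI
#ldap_uri = ldap://dc1.example.com
#ldap_user_search_base = dc=example,dc=com
#ldap_user_object_class = user
#ldap_group_object_class = group
#ldap_user_home_directory = unixHomeDirectory
#ldap_user_principal = userPrincipalName
#ldap_access_order = filter, expire
#ldap_account_expire_policy = ad
# ldap_schema = ad
ad_access_filter = (memberOf=cn=linux-admins,ou=groups,dc=example,dc=com)
"""

# Matches "key = value" whether or not the line is commented out with '#'.
SETTING_RE = re.compile(r"^(?P<comment>#\s*)?(?P<key>[A-Za-z0-9_]+)\s*=\s*(?P<value>.*?)\s*$")


def parse_domain_section(text, domain):
    """Return {key: (value, commented)} for [domain/<domain>], commented lines included."""
    wanted = f"[domain/{domain}]"
    in_section = False
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line == wanted
            continue
        m = SETTING_RE.match(line) if in_section else None
        if m:
            settings[m["key"]] = (m["value"], m["comment"] is not None)
    return settings


def classify_ldap_options(settings):
    """Map each ldap_* option to what deleting (or uncommenting) it would do."""
    report = {}
    for key, (value, commented) in settings.items():
        if not key.startswith("ldap_"):
            continue
        if key in AD_PROVIDER_DEFAULTS:
            if value.replace(" ", "").lower() == AD_PROVIDER_DEFAULTS[key]:
                report[key] = "redundant"          # same as the AD default: safe to delete
            elif commented:
                report[key] = "inert-but-differs"  # no effect now; uncommenting changes behaviour
            else:
                report[key] = "active-override"    # deleting it changes behaviour
        elif key in SITE_SPECIFIC:
            report[key] = "inert-site-specific" if commented else "active-site-specific"
        else:
            report[key] = "unknown"                # not in the table: check sssd-ldap(5)
    return report


def access_warnings(settings):
    """Flag access_provider = ad with no group filter configured."""
    def active(key):
        entry = settings.get(key)
        return entry[0] if entry and not entry[1] else ""
    warnings = []
    if active("access_provider") == "ad" and not active("ad_access_filter"):
        warnings.append("access_provider = ad without ad_access_filter: "
                        "no group-membership filter is applied")
    return warnings


if __name__ == "__main__":
    s = parse_domain_section(SAMPLE_CONF, "example.com")
    for key, verdict in classify_ldap_options(s).items():
        print(f"{key:30s} {verdict}")
    for w in access_warnings(s):
        print("WARNING:", w)
```

Run it against a copy of the real file (swap SAMPLE_CONF for the file contents and the domain name for the real one) before deleting anything; a line reported as "redundant" can go, a line reported as "inert-but-differs" should be deleted rather than left as a trap for the next person to uncomment, and an "active-site-specific" line deserves a look at why the search scope was narrowed in the first place. After editing, `sssctl config-check` from sssd-tools will catch syntax and unknown-option mistakes, and `id <aduser>` plus a test login through PAM confirm that lookups and the ad_access_filter still behave as before.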