[SSSD-users] Re: No netgroup_provider?

On (18/02/19 10:53), Spike White wrote: >All, > >Spoiler alert: my configuration is working; I just want verification I >did it right. > >BACKGROUND: > >I have an LDAP domain that was delivering autofs maps exclusively. Other >(AD) domains were delivering users, groups, authentication and access. > >Since this back-end LDAP domain didn’t participate in any user >authentication or access, I configured that backup LDAP domain in sssd.conf >with only an autofs_provder: > >[domain/LDAP] > >debug_level = 9 > >id_provider = none > >autofs_provider = ldap > >ldap_uri= ldap://austgcore17.example.com > >ldap_schema = rfc2307bis > >ldap_default_bind_dn = cn=ldapadm,dc=itzgeek,dc=local > >ldap_default_authtok = ldppassword > >ldap_autofs_search_base = ou=automount,ou=admin,dc=itzgeek,dc=local > >ldap_autofs_map_object_class = automountMap > >ldap_autofs_map_name = automountMapName > >ldap_autofs_entry_object_class = automount > >ldap_autofs_entry_key = automountKey > >ldap_autofs_entry_value = automountInformation > >ldap_netgroup_search_base = ou=netgroup,ou=admin,dc=itzgeek,dc=local > > > >Works great! Get all expected automount maps. > >CURRENT (ADDED NETGROUPS): > >Now I have added NIS netgroups to this backend LDAP server. Thus, it now >successfully delivers automount maps + netgroups. > >I still don’t want this LDAP backend domain to even attempt authentication >and access – that’s in my other (AD) domains. > >So you’d think all I’d have to do is change this: > >[domain/LDAP] > >… > >id_provider = none > >autofs_provider = ldap > > > >to this: > >[domain/LDAP] > >… > >id_provider = none > >autofs_provider = ldap > >netgroup_provider = ldap > > > >But – point in fact – there is no “netgroup_provider” setting for sssd.conf >file. Netgroup takes whatever the value is of ‘id_provider’. > > > >So I turned on id_provider, then explicitly turned off all providers I >don’t want. Is this correct? > > > >[domain/LDAP] > >debug_level = 9 > >#id_provider = none > >id_provider = ldap > >auth_provider = none > >account_provider = none > >chpass_provider = none > >sudo_provider = none > >subdomains_provider = none > >autofs_provider = ldap > > > >Also, any particular reason there’s not a netgroup_provider? > Because netgroups are part of id_provider The same as users, groups and service. (There is neither user_provider nor group_provider ...) If you want to provide just netgroups then you might set sssd options ldap_user_search_base and ldap_group_search_base( ldap_service_search_base) to the part of LDAP tree which does not contain any users/groups. >BTW, retrieving netgroups via sssd does not seem explicitly and concretely >documented. That is, I had to consult multiple sources to get the RFC >2307bis setup, another to get the sssd.conf settings. (I’m not faulting >anyone; netgroups are rarely used anymore.) > > Netgroups are retrieved by default if you have standard nisSchema[0] in your LDAP server. [domain/$DOMAIN] ldap_search_base = $BASE_DN id_provider = ldap ldap_uri = ldap://$SERVER ldap_tls_cacert = /etc/openldap/certs/cacert.asc LS [1] https://docs.oracle.com/cd/E36784_01/html/E38254/appendixa-3.html _______________________________________________ sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...