It's specifically looking for entries like this:
host="*" or host=<fqdn hostname> or host=<host group>
I am using \2A (escaped asterisk) in my query, which means it will list only groups with a host value set to "*". I didn't set this up originally or I would have chosen something like the word "ALL". Nevertheless, it works.
If I were to change my query to use "host=*" then it returns all groups regardless of the other filters I set.
I'm sure I will be corrected on the above, but I'm pretty sure that's how it is working.
Thanks, DB
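The difference between (host=\2A) and (host=*) described in the message above, shown with a small filter evaluator. This is an added example, not part of the original thread and not SSSD code; the group entries are constructed, and only and/or/not, equality and presence filters are handled.

```python
import re

# Constructed sample group entries (not from the thread).
GROUPS = {
    "cn=everyone": {"host": ["*"]},
    "cn=web": {"host": ["somehost.test.com"]},
    "cn=testgrp": {"host": ["test"]},
    "cn=db": {"host": ["otherhost.test.com"]},
    "cn=nohost": {},
}

def unescape(value):
    # RFC 4515: \XX is a hex-escaped character, so \2A is a literal asterisk.
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse(f, i=0):
    """Parse the filter that starts at f[i] == '('; return (node, next index)."""
    if f[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    if f[i] in "&|!":
        op, kids = f[i], []
        i += 1
        while f[i] == "(":
            node, i = parse(f, i)
            kids.append(node)
        return (op, kids), i + 1          # step over the closing ')'
    end = f.index(")", i)
    attr, raw = f[i:end].split("=", 1)
    if raw == "*":                        # a bare, unescaped * is a presence test
        return ("present", attr.lower()), end + 1
    if "*" in raw:
        raise ValueError("substring filters are not handled in this example")
    return ("eq", attr.lower(), unescape(raw).lower()), end + 1

def matches(node, entry):
    kind = node[0]
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    values = [v.lower() for v in entry.get(node[1], [])]
    return bool(values) if kind == "present" else node[2] in values

def select(filter_text):
    """Return the sorted DNs of the sample groups that match filter_text."""
    tree, _ = parse(filter_text)
    return sorted(dn for dn, entry in GROUPS.items() if matches(tree, entry))
```

With the escaped form, select() returns only the groups whose host value is a literal "*" or one of the two named hosts; with the unescaped form, the presence test matches every group that has any host value.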
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Stephen Gallagher
Sent: Tuesday, October 15, 2013 1:27 PM
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] ldap_group_search_base filtering
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 10/15/2013 12:45 PM, Bright, Daniel wrote:
Well, it looks like I’ve answered my own question with some trial and error. I replaced the nss stuff that I had in ldap.conf with this:
ldap_group_search_base = ou=Groups,dc=some,dc=company,dc=com?sub?(|(host=\2A)(host=somehost.test.com)(host=test))
Maybe I'm parsing this wrong, but isn't this filter saying "Any record with a host entry, or any record with one of two specific host entries?". It looks to me like (host=somehost.test.com)(host=test) is redundant.