ldap_group_search_base = ou=Accounts_Group,dc=corp,dc=example,dc=com (Thu Apr 2 17:32:32 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(cn=admin)(objectclass=group)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))(gidNumber=*))][ou=Accounts_Group,dc=corp,dc=example,dc=com] The hitch here is that our groups (in our Active Directory schema) don't have a gidNumber element, so this returns nothing. Is it possible to change the default filter so that it doesn't go looking for gidNumber=*? thanks rone -- Inanitas inanitatum et omnia inanitas <rone(a)ennui.org&gt;