From sssd.conf:
ldap_group_search_base = ou=Accounts_Group,dc=corp,dc=example,dc=com
From sssd_LDAP.log:
(Thu Apr 2 17:32:32 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(cn=admin)(objectclass=group)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))(gidNumber=*))][ou=Accounts_Group,dc=corp,dc=example,dc=com]
The hitch here is that our groups (in our Active Directory schema) don't have a gidNumber element, so this returns nothing. Is it possible to change the default filter so that it doesn't go looking for gidNumber=*?
thanks rone
On (03/04/15 10:58), rone wrote:
From sssd.conf:
ldap_group_search_base = ou=Accounts_Group,dc=corp,dc=example,dc=com
From sssd_LDAP.log:
(Thu Apr 2 17:32:32 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(cn=admin)(objectclass=group)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))(gidNumber=*))][ou=Accounts_Group,dc=corp,dc=example,dc=com]
The hitch here is that our groups (in our Active Directory schema) don't have a gidNumber element, so this returns nothing. Is it possible to change the default filter so that it doesn't go looking for gidNumber=*?
You can use ID mapping with Active Directory, which trnaslate SID to unix IDs.
It is by default enabled with id_provider ad.
https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server#SSSDsetup
LS
Lukas Slebodnik writes:
On (03/04/15 10:58), rone wrote:
From sssd.conf:
ldap_group_search_base = ou=Accounts_Group,dc=corp,dc=example,dc=com
From sssd_LDAP.log:
(Thu Apr 2 17:32:32 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(cn=admin)(objectclass=group)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))(gidNumber=*))][ou=Accounts_Group,dc=corp,dc=example,dc=com]
The hitch here is that our groups (in our Active Directory schema) don't have a gidNumber element, so this returns nothing. Is it possible to change the default filter so that it doesn't go looking for gidNumber=*?
You can use ID mapping with Active Directory, which trnaslate SID to unix IDs.
It is by default enabled with id_provider ad.
https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server#SSSDsetup
id_provider ad won't work because we aren't using Kerberos (these are OpenStack hosts that have not joined the AD realm).
rone
On 04/03/2015 04:54 PM, rone wrote:
Lukas Slebodnik writes:
On (03/04/15 10:58), rone wrote:
From sssd.conf: ldap_group_search_base = ou=Accounts_Group,dc=corp,dc=example,dc=com
From sssd_LDAP.log: (Thu Apr 2 17:32:32 2015) [sssd[be[LDAP]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(&(cn=admin)(objectclass=group)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))(gidNumber=*))][ou=Accounts_Group,dc=corp,dc=example,dc=com]
The hitch here is that our groups (in our Active Directory schema) don't have a gidNumber element, so this returns nothing. Is it possible to change the default filter so that it doesn't go looking for gidNumber=*?
You can use ID mapping with Active Directory, which trnaslate SID to unix IDs.
It is by default enabled with id_provider ad.
https://fedorahosted.org/sssd/wiki/Configuring_sssd_with_ad_server#SSSDsetup
id_provider ad won't work because we aren't using Kerberos (these are OpenStack hosts that have not joined the AD realm).
rone
May be we should step back and discuss your environment. What do you have and what are you trying to accomplish?
Dmitri Pal writes:
May be we should step back and discuss your environment. What do you have and what are you trying to accomplish?
Right now, these OpenStack hosts have sssd configured to allow login via PAM/LDAP against their AD credentials for individual users (as per /etc/security/access.conf). The goal is to allow login to AD groups, where groups are AD distribution lists.
thanks rone
On 04/04/2015 04:13 PM, rone wrote:
Dmitri Pal writes:
May be we should step back and discuss your environment. What do you have and what are you trying to accomplish?
Right now, these OpenStack hosts have sssd configured to allow login via PAM/LDAP against their AD credentials for individual users (as per /etc/security/access.conf). The goal is to allow login to AD groups, where groups are AD distribution lists.
thanks rone
But you do not have POSIX in AD at least for groups. And you do not want to join systems into AD. So in this case AFAIU you have to use the LDAP provider and treat AD as generic LDAP server but add some specific AD related setting on top. Can you share your sssd. conf that you currently have? Please clean it up from sensitive data like domain and host names before sending to the list.
On (04/04/15 16:32), Dmitri Pal wrote:
On 04/04/2015 04:13 PM, rone wrote:
Dmitri Pal writes:
May be we should step back and discuss your environment. What do you have and what are you trying to accomplish?
Right now, these OpenStack hosts have sssd configured to allow login via PAM/LDAP against their AD credentials for individual users (as per /etc/security/access.conf). The goal is to allow login to AD groups, where groups are AD distribution lists.
thanks rone
But you do not have POSIX in AD at least for groups. And you do not want to join systems into AD. So in this case AFAIU you have to use the LDAP provider and treat AD as generic LDAP server but add some specific AD related setting on top. Can you share your sssd. conf that you currently have? Please clean it up from sensitive data like domain and host names before sending to the list.
We do not have described such configuration on one page. You can inspire in next configurations desctibed in documentation [1,2]
The first link[1] describe differences between ID mapping and using POSIX attributes. It also explain how ID maaping works in sssd. At the end of section, there is the simplest configuration for ID mapping with sssd: ldap_id_mapping = True ldap_schema = ad
Although the 2nd link[2] says "Configuring Active Directory as an LDAP Domain" there is still some krb5 related part of configuration. It should work if you replace value of options from krb5 -> ldap.
Please beaware of fact that 2nd configuration us ldap_schema rfc2307bis, which requires POSIX attributes in Active Directory. So you should replace it with configuration snippet for ID mapping.
LS
[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm... [2] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
sssd-users@lists.fedorahosted.org
-
Dmitri Pal -
Lukas Slebodnik -
rone