Good Day,
I am busy setting up testing and authentication Linux Servers against eDirectory (LDAP) using SSSD with Linux Enabled (LUM) Users and Groups. I am having issues with the below :
*ldap_user_search_base = o=LDAP?subtree?(&(objectclass=posixAccount)(|(securityEquals=cn=SERVER,ou=Groups,ou=Linux,ou=IAM,o=LDAP)))*
Now the precise part I am talking about is *securityEquals*. We were using *gidNumber* but since just about all Users will have the same Primary Group they will end up with the same *gidNumber*. The reason we want to avoid that is when a person does :
*getent passwd*
... they will see hundreds of user accounts and we want to avoid that. The idea is that we want it to match the Users in a particular Group without that Group being the Users Primary Group :
*ldap_user_search_base = o=LDAP?subtree?(&(objectclass=posixAccount)(|(securityEquals=cn=SERVER,ou=Groups,ou=Linux,ou=IAM,o=LDAP)))ldap_group_search_base = o=LDAP?subtree?(&(objectclass=posixGroup)(|(cn=SERVER)))*
I do not know if *securityEquals* is a valid attribute for SSSD ?
Regards
Am Thu, Jun 19, 2025 at 02:20:14PM +0200 schrieb Shaun Glass via sssd-users:
Good Day,
I am busy setting up testing and authentication Linux Servers against eDirectory (LDAP) using SSSD with Linux Enabled (LUM) Users and Groups. I am having issues with the below :
*ldap_user_search_base = o=LDAP?subtree?(&(objectclass=posixAccount)(|(securityEquals=cn=SERVER,ou=Groups,ou=Linux,ou=IAM,o=LDAP)))*
Now the precise part I am talking about is *securityEquals*. We were using *gidNumber* but since just about all Users will have the same Primary Group they will end up with the same *gidNumber*. The reason we want to avoid that is when a person does :
*getent passwd*
... they will see hundreds of user accounts and we want to avoid that. The
Hi,
`getent passwd` will only show all users if enumeration is enabled. If you do not set `enumerate = True` in the [domain/...] section of sssd.conf `getent passwd` will only show the users from /etc/passwd and no LDAP users.
HTH
bye, Sumit
idea is that we want it to match the Users in a particular Group without that Group being the Users Primary Group :
*ldap_user_search_base = o=LDAP?subtree?(&(objectclass=posixAccount)(|(securityEquals=cn=SERVER,ou=Groups,ou=Linux,ou=IAM,o=LDAP)))ldap_group_search_base = o=LDAP?subtree?(&(objectclass=posixGroup)(|(cn=SERVER)))*
I do not know if *securityEquals* is a valid attribute for SSSD ?
Regards
-- _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
On Thu, Jun 19, 2025 at 2:22 PM Shaun Glass via sssd-users < sssd-users@lists.fedorahosted.org> wrote:
Good Day,
I am busy setting up testing and authentication Linux Servers against eDirectory (LDAP) using SSSD with Linux Enabled (LUM) Users and Groups. I am having issues with the below :
*ldap_user_search_base = o=LDAP?subtree?(&(objectclass=posixAccount)(|(securityEquals=cn=SERVER,ou=Groups,ou=Linux,ou=IAM,o=LDAP)))*
Now the precise part I am talking about is *securityEquals*. We were using *gidNumber* but since just about all Users will have the same Primary Group they will end up with the same *gidNumber*. The reason we want to avoid that is when a person does :
*getent passwd*
... they will see hundreds of user accounts and we want to avoid that.
Did you consider merely disabling enumeration (`enumerate = false` in the domain section of 'sssd.conf')?
The idea is that we want it to match the Users in a particular Group without that Group being the Users Primary Group :
*ldap_user_search_base = o=LDAP?subtree?(&(objectclass=posixAccount)(|(securityEquals=cn=SERVER,ou=Groups,ou=Linux,ou=IAM,o=LDAP)))ldap_group_search_base = o=LDAP?subtree?(&(objectclass=posixGroup)(|(cn=SERVER)))*
I do not know if *securityEquals* is a valid attribute for SSSD ?
Regards
-- _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Thanks ... no I did not check for that. Will try it.
Regards
On Thu, Jun 19, 2025 at 4:04 PM Alexey Tikhonov atikhono@redhat.com wrote:
On Thu, Jun 19, 2025 at 2:22 PM Shaun Glass via sssd-users < sssd-users@lists.fedorahosted.org> wrote:
Good Day,
I am busy setting up testing and authentication Linux Servers against eDirectory (LDAP) using SSSD with Linux Enabled (LUM) Users and Groups. I am having issues with the below :
*ldap_user_search_base = o=LDAP?subtree?(&(objectclass=posixAccount)(|(securityEquals=cn=SERVER,ou=Groups,ou=Linux,ou=IAM,o=LDAP)))*
Now the precise part I am talking about is *securityEquals*. We were using *gidNumber* but since just about all Users will have the same Primary Group they will end up with the same *gidNumber*. The reason we want to avoid that is when a person does :
*getent passwd*
... they will see hundreds of user accounts and we want to avoid that.
Did you consider merely disabling enumeration (`enumerate = false` in the domain section of 'sssd.conf')?
The idea is that we want it to match the Users in a particular Group without that Group being the Users Primary Group :
*ldap_user_search_base = o=LDAP?subtree?(&(objectclass=posixAccount)(|(securityEquals=cn=SERVER,ou=Groups,ou=Linux,ou=IAM,o=LDAP)))ldap_group_search_base = o=LDAP?subtree?(&(objectclass=posixGroup)(|(cn=SERVER)))*
I do not know if *securityEquals* is a valid attribute for SSSD ?
Regards
-- _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
sssd-users@lists.fedorahosted.org
-
Alexey Tikhonov -
Shaun Glass -
Sumit Bose