Hi Everyone,
I’m working on a system that authenticates users through both Active Directory (AD) and LDAP, and I’m looking for suggestions to improve the current setup.
Current Setup:
- AD is used solely for authentication.
- LDAP manages local users (e.g., temporary users) and assigns additional groups to both AD and LDAP users. These groups control access to shared folders for teammates.
The Challenge:
- I need to append groups from LDAP to users authenticated through AD.
- To achieve this, I’ve created "no-login" accounts in LDAP for each AD user, mapping their UID/GID to match.
- However, I haven’t found a way to fully rely on SSSD for this task.
Current Workaround:
- I’m using nslcd alongside SSSD and forcing nsswitch.conf to prioritize LDAP group lookups before SSSD and local files. My current nsswitch.conf looks like this:

passwd:    sss files
group:     ldap sss files systemd
netgroup:  ldap sss files
automount: ldap sss files
services:  ldap sss files
SSSD Configuration: Here’s my current sssd.conf setup:

[sssd]
services = nss, pam
config_file_version = 2
domains = ad.domain, ldap.domain
# Prevent user login with fully_qualified_name
re_expression = (?P<name>^[^@]+$)
debug_level = 9

[domain/ad.domain]
ad_server = adserver.example.com
ad_domain = ad.example.com
auth_provider = ad
id_provider = ad
access_provider = simple
simple_allow_groups = allow_login_group
realmd_tags = manages-system joined-with-adcli
krb5_realm = AD.EXAMPLE.COM
krb5_store_password_if_offline = True
# To generate private groups for each user
auto_private_groups = True
ignore_group_members = True
use_fully_qualified_names = False
default_shell = /bin/bash
fallback_homedir = /home/%u
cache_credentials = True

[domain/ldap.domain]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldapserver
ldap_search_base = dc=example,dc=com
cache_credentials = True
ldap_tls_cacert = /path/to/ca.pem
ldap_tls_cert = /path/to/ldap.pem
ldap_tls_key = /path/to/ldap.key
ldap_tls_reqcert = demand
default_shell = /bin/bash
fallback_homedir = /home/%u
What I’m Looking For: Is there a better way to append LDAP groups to AD-authenticated users so that I can eliminate nslcd entirely and rely solely on SSSD? Any advice or suggestions on how to achieve this would be greatly appreciated!
Thank you in advance for your help!
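A consistency check for the workaround above, added here as an example and not taken from the post or from SSSD itself. The setup only holds if every AD user's LDAP twin carries the same UID/GID as SSSD reports, if no LDAP-local user reuses an AD UID, if the twins really cannot log in, and if no LDAP group GID collides with a private group that auto_private_groups generates (GID equal to the UID), since `group: ldap sss files` lets the LDAP entry win the lookup. The script parses `getent`-style passwd/group output from the two sources; all sample data in it is constructed, and feeding it `getent -s sss passwd`, `getent -s ldap passwd` and `getent -s ldap group` output on a real host is an assumed usage, not something the post describes.

```python
"""UID/GID consistency check for an AD (SSSD) + LDAP (nslcd) identity merge.

Added example, not code from the original post or from SSSD. Input is in the
format `getent passwd` and `getent group` print; the data below is constructed.
Assumed real-world usage: capture one snapshot per NSS source with
`getent -s sss passwd`, `getent -s ldap passwd` and `getent -s ldap group`.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Shells that make an LDAP twin account unusable for interactive login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

# Constructed sample: AD users as SSSD serves them (auto_private_groups: GID == UID).
SSS_PASSWD = """\
alice:*:1234001:1234001:Alice:/home/alice:/bin/bash
bob:*:1234002:1234002:Bob:/home/bob:/bin/bash
"""

# Constructed sample: the LDAP side as nslcd serves it. bob's twin carries the
# wrong GID, and temp01 was given a UID that already belongs to alice.
LDAP_PASSWD = """\
alice:x:1234001:1234001:Alice (AD twin):/nonexistent:/usr/sbin/nologin
bob:x:1234002:2000:Bob (AD twin):/nonexistent:/usr/sbin/nologin
temp01:x:1234001:5000:Temp contractor:/home/temp01:/bin/bash
temp02:x:5001:5001:Temp contractor:/home/temp02:/bin/bash
"""

# Constructed sample: LDAP groups. "legacy" reuses bob's private-group GID and
# "shares" lists a member that exists in neither source.
LDAP_GROUP = """\
projectx:*:6000:alice,bob,temp02
legacy:*:1234002:bob
shares:*:6001:temp01,ghost
"""


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    uid: int
    gid: int
    shell: str


def parse_passwd(text: str) -> Dict[str, PasswdEntry]:
    """Parse `getent passwd` lines (name:pw:uid:gid:gecos:home:shell) keyed by name."""
    entries: Dict[str, PasswdEntry] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":", 6)
        entries[name] = PasswdEntry(name, int(uid), int(gid), shell)
    return entries


def parse_group(text: str) -> Dict[str, Tuple[int, List[str]]]:
    """Parse `getent group` lines (name:pw:gid:member,member) to name -> (gid, members)."""
    groups: Dict[str, Tuple[int, List[str]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def check_merge(sss_passwd: str, ldap_passwd: str, ldap_group: str) -> List[Tuple[str, str]]:
    """Return (kind, detail) findings; an empty list means the two sources agree."""
    sss = parse_passwd(sss_passwd)
    ldap = parse_passwd(ldap_passwd)
    groups = parse_group(ldap_group)
    sss_by_uid = {e.uid: e.name for e in sss.values()}
    findings: List[Tuple[str, str]] = []

    for name, twin in ldap.items():
        ad = sss.get(name)
        if ad is None:
            # LDAP-only user: its UID must not be one SSSD already hands to an AD
            # user, or the local account owns that AD user's files on disk.
            if twin.uid in sss_by_uid:
                findings.append(("uid-collision",
                                 f"LDAP user {name} uid {twin.uid} is AD user {sss_by_uid[twin.uid]}"))
            continue
        # AD twin: identity must line up exactly, or group grants land on the wrong principal.
        if (twin.uid, twin.gid) != (ad.uid, ad.gid):
            findings.append(("id-mismatch",
                             f"{name}: AD {ad.uid}:{ad.gid} vs LDAP twin {twin.uid}:{twin.gid}"))
        # The twin exists only to carry group membership; it must not be loginable.
        if twin.shell not in NOLOGIN_SHELLS:
            findings.append(("login-shell", f"LDAP twin {name} has shell {twin.shell}"))

    for gname, (gid, members) in groups.items():
        # With `group: ldap sss files`, an LDAP group whose GID equals an AD
        # user's private-group GID shadows that private group on every lookup.
        if gid in sss_by_uid:
            findings.append(("gid-collision",
                             f"group {gname} gid {gid} shadows private group of {sss_by_uid[gid]}"))
        for member in members:
            if member not in sss and member not in ldap:
                findings.append(("unknown-member", f"group {gname} lists {member}"))
    return findings


if __name__ == "__main__":
    for kind, detail in check_merge(SSS_PASSWD, LDAP_PASSWD, LDAP_GROUP):
        print(f"{kind}: {detail}")
```

Run against the constructed snapshots it reports four problems: bob's twin GID, temp01 colliding with alice's UID, the `legacy` group shadowing bob's private group, and the unknown member `ghost`. Running it after every change to the LDAP twins is the cheapest way to catch a silent UID drift before it turns into a permission problem on the shared folders.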
On Wed, May 14, 2025 at 5:53 AM Dom Chien via sssd-users sssd-users@lists.fedorahosted.org wrote:
> What I’m Looking For: Is there a better way to append LDAP groups to AD-authenticated users so that I can eliminate nslcd entirely and rely solely on SSSD? Any advice or suggestions on how to achieve this would be greatly appreciated!
> Thank you in advance for your help!

Not sure if you're willing to consider replacement of LDAP with FreeIPA, but it sounds like a FreeIPA feature: `ipa group-add-member ... --external={}`
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue