If you’re using AD, the CN=access_server,OU=users,dc=glop,dc=com is likely the correct
name of the group access_server. Note the OU=Users.
From: Personne <cpdivers(a)gmail.com>
Sent: Sunday, May 24, 2020 8:14 PM
To: sssd-users(a)lists.fedorahosted.org
Subject: [SSSD-users] sssd ad_access_filter with nested groups
Hello,
I've been using sssd for quite a while now without issue, but today I'm having
a problem.
My IdP is Active Directory. I have a user "user1" who is a member of
"group1", and that "group1" is a member of multiple groups, one of them
called "access_server1".
I'm trying to apply ad_access_filter with a nested group, which therefore requires
recursing the groups.
I have tried:
ad_access_filter = memberOf=cn=access_server1,cn=Users,dc=glop,dc=com
but it does not work because of this
https://confluence.atlassian.com/crowdkb/active-directory-user-filter-doe...
Then I tried to apply what is in this article, and my LDAP filter is:
ad_access_filter = (memberOf:1.2.840.113556.1.4.1941:=cn=access_server1,cn=Users,dc=glop,dc=com)
But it still does not work
I got this beautiful error message in the sssd log file:
(Tue May 19 00:07:55 2020) [sssd[be[glop.com]]] [parse_filter] (0x0020): Keyword in filter [(memberOf:1.2.840.113556.1.4.1941:=CN=access_server1,CN=Users,DC=glop,DC=com)] did not match expected format
(Tue May 19 00:07:55 2020) [sssd[be[glop.com]]] [ad_parse_access_filter] (0x0080): Access filter [(memberOf:1.2.840.113556.1.4.1941:=CN=access_server1,CN=Users,DC=glop,DC=com)] could not be parsed, skipping
(Tue May 19 00:07:55 2020) [sssd[be[glop.com]]] [sdap_access_send] (0x0400): Performing access check for user [user1@glop.com]
Thanks for your help
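Editor's note, not part of the mail thread: the two filters in the question differ in what memberOf means. A plain (memberOf=...) matches only the groups listed directly on the entry, so a user whose only path to access_server1 runs through group1 never matches it; the extensible match with OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) asks the AD server to follow memberOf transitively. The script below is an added illustration of those two semantics evaluated offline against a constructed directory (the DNs, the group "staff", the user "user2" and the cycle between staff and group1 are made up for the example and are not from the post). It also folds DN case, since AD compares DNs case-insensitively while the log shows the filter echoed back in upper case.

```python
import re

# Constructed sample directory (not data from the original post): each DN maps to the
# DNs held in its memberOf attribute, i.e. the entry's *direct* group memberships only.
DIRECTORY = {
    "CN=user1,CN=Users,DC=glop,DC=com": [
        "CN=group1,CN=Users,DC=glop,DC=com",
    ],
    "CN=group1,CN=Users,DC=glop,DC=com": [
        "CN=access_server1,CN=Users,DC=glop,DC=com",
        "CN=staff,CN=Users,DC=glop,DC=com",
    ],
    "CN=staff,CN=Users,DC=glop,DC=com": [
        "CN=group1,CN=Users,DC=glop,DC=com",  # deliberate cycle: staff <-> group1
    ],
    "CN=access_server1,CN=Users,DC=glop,DC=com": [],
    "CN=user2,CN=Users,DC=glop,DC=com": [],  # in no group at all
}

IN_CHAIN_OID = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN


def normalize_dn(dn):
    """AD matches DNs case-insensitively; fold case and drop whitespace around ','."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


# Directory keyed by normalized DN so lookups are also case-insensitive.
_BY_NORM = {normalize_dn(k): [normalize_dn(g) for g in v] for k, v in DIRECTORY.items()}


def direct_member_of(entry_dn, group_dn):
    """Semantics of a plain (memberOf=<group>) filter: the entry's own memberOf values."""
    return normalize_dn(group_dn) in _BY_NORM.get(normalize_dn(entry_dn), [])


def transitive_member_of(entry_dn, group_dn):
    """Semantics of (memberOf:1.2.840.113556.1.4.1941:=<group>): follow memberOf
    recursively. The visited set guards against group cycles, which AD permits."""
    target = normalize_dn(group_dn)
    seen = set()
    stack = [normalize_dn(entry_dn)]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for group in _BY_NORM.get(dn, []):
            if group == target:
                return True
            stack.append(group)
    return False


# Accepts the two shapes used in the post, with or without surrounding parentheses:
#   memberOf=<dn>                       and   (memberOf=<dn>)
#   (memberOf:<oid>:=<dn>)
_FILTER_RE = re.compile(
    r"^\(?memberOf(?::(?P<rule>[\d.]+):)?=(?P<dn>.+?)\)?$", re.IGNORECASE
)


def evaluate_filter(entry_dn, ldap_filter):
    """Evaluate one memberOf filter (plain or in-chain) against a single entry."""
    m = _FILTER_RE.match(ldap_filter.strip())
    if not m:
        raise ValueError("unsupported filter: %r" % ldap_filter)
    rule = m.group("rule")
    if rule is None:
        return direct_member_of(entry_dn, m.group("dn"))
    if rule == IN_CHAIN_OID:
        return transitive_member_of(entry_dn, m.group("dn"))
    raise ValueError("unknown matching rule OID: %s" % rule)


def demo():
    """Return {filter: result} for user1, the nested-membership case from the post."""
    user = "CN=user1,CN=Users,DC=glop,DC=com"
    target = "cn=access_server1,cn=Users,dc=glop,dc=com"
    filters = [
        "memberOf=" + target,
        "(memberOf:%s:=%s)" % (IN_CHAIN_OID, target),
    ]
    return {f: evaluate_filter(user, f) for f in filters}


if __name__ == "__main__":
    for ldap_filter, matched in demo().items():
        print("%-70s -> %s" % (ldap_filter, matched))
```

The plain filter returns False for user1 and the in-chain filter returns True, which is why the first attempt in the post cannot work for nested groups regardless of sssd. Whether sssd accepts the in-chain form is a separate matter: sssd-ad(5) documents the prefixes DOM:domain_name:filter and FOREST:forest_name:filter for ad_access_filter, and the logged "Keyword in filter ... did not match expected format" suggests the colons inside the matching-rule OID are being read as that prefix syntax; that reading is an inference from the log text, not something the thread confirms.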