All,
We use access_provider=ad along with ad_access_filter to control authentication based on specific group memberships. But we also have configured several low-level ldap controls as shown below:

#ldap_id_mapping = true
#ldap_use_tokengroups = False
#ldap_sasl_mech = GSSAPI
#ldap_uri =
#ldap_sudo_search_base = ou
#ldap_user_search_base = dc
#ldap_user_object_class = user
#ldap_group_search_base = ou=
#ldap_group_object_class = group
#ldap_user_home_directory = unixHomeDirectory
#ldap_user_principal = userPrincipalName
#ldap_access_order = filter, expire
#ldap_account_expire_policy = ad
#ldap_schema = ad
I’ve seen several posts where it is suggested that when using “access_provider=ad”, these ldap configurations are no longer needed. I just want to get some clarification on this forum regarding how safe it is to remove all the items listed above and do we run a risk of any potential issues later?
Here is a complete SSSD conf.
[sssd]
domains =
services = nss, pam, sudo
config_file_version = 2
debug_level = 0
[nss]
[pam]
[sudo]
debug_level=0
[domain/]
debug_level=0
ad_server = xxxxx
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
krb5_realm =
#ldap_id_mapping = true
#ldap_use_tokengroups = False
#ldap_sasl_mech = GSSAPI
#ldap_uri = ldap://xxxxxx
#ldap_sudo_search_base =
#ldap_user_search_base =
#ldap_user_object_class =
#ldap_group_search_base =
#ldap_group_object_class =
#ldap_user_home_directory =
#ldap_user_principal =
#ldap_access_order = filter, expire
#ldap_account_expire_policy = ad
#ldap_schema = ad
ad_access_filter =
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash
Thanks in advance for any inputs.
~ Abhi
Hello!
See comments inline.
On 05/19/2017 04:48 PM, Abhijit Tikekar wrote:
All,
We use access_provider=ad along with ad_access_filter to control
authentication based on specific group memberships. But we also have configured several low-level ldap controls as shown below:
#ldap_id_mapping = true
ldap_id_mapping is True by default for the AD provider, so this can be removed.
#ldap_use_tokengroups = False
ldap_use_tokengroups is True by default, so if you wish to have it false, you need to keep it in sssd.conf.
#ldap_sasl_mech = GSSAPI
GSSAPI is the default for the AD provider, so it can be removed from sssd.conf.
#ldap_uri =
If ldap_uri is not specified, then service discovery will be used.
#ldap_sudo_search_base = ou
#ldap_user_search_base = dc
#ldap_user_object_class = user
'user' is the default, so it can be removed.
#ldap_group_search_base = ou=
SSSD can set default search bases automatically, for example if your domain name is ad.test, then SSSD sets the search base to ou=Users,dc=ad,dc=test with scope 'subtree'. Similar for other object types like groups. This works for most cases, but if you need something else, you need to keep the option in sssd.conf.
#ldap_group_object_class = group
'group' is the default, so it can be removed.
#ldap_user_home_directory = unixHomeDirectory
'unixHomeDirectory' is the default, so it can be removed.
#ldap_user_principal = userPrincipalName
'userPrincipalName' is the default, so it can be removed.
#ldap_access_order = filter, expire
Here the default is just 'filter', so you need to keep this one in sssd.conf.
#ldap_account_expire_policy = ad
This is the default for the AD provider, so you can remove it.
# ldap_schema = ad
This is also the default schema for the AD provider, so you can safely remove it.
I’ve seen several posts where it is suggested that when using
“access_provider=ad”, these ldap configurations are no longer needed. I just want to get some clarification on this forum regarding how safe it is to remove all the items listed above and do we run a risk of any potential issues later?
Here is a complete SSSD conf.
[sssd]
domains =
services = nss, pam, sudo
config_file_version = 2
debug_level = 0
[nss]
[pam]
[sudo]
debug_level=0
[domain/]
debug_level=0
ad_server = xxxxx
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
krb5_realm =
#ldap_id_mapping = true
#ldap_use_tokengroups = False
#ldap_sasl_mech = GSSAPI
#ldap_uri = ldap://xxxxxx
#ldap_sudo_search_base =
#ldap_user_search_base =
#ldap_user_object_class =
#ldap_group_search_base =
#ldap_group_object_class =
#ldap_user_home_directory =
#ldap_user_principal =
#ldap_access_order = filter, expire
#ldap_account_expire_policy = ad
#ldap_schema = ad
ad_access_filter =
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash
Thanks in advance for any inputs.
~ Abhi
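As an added example (not part of the thread and not SSSD project code), here is a small Python check that applies the AD-provider defaults listed in the reply above to a domain section. It sorts each ldap_* line into three buckets: lines that equal the default and can go, lines that differ and must stay because deleting them changes behaviour (in the config under discussion that is ldap_use_tokengroups = False and ldap_access_order = filter, expire, both of which feed access control), and lines SSSD would derive on its own from DNS discovery or the domain name. It then produces the trimmed config and verifies that every effective value is unchanged. The sample config, the domain name example.com, the host dc1 and the group linux-admins are constructed placeholders; the defaults table is the reply's list and is an assumption to confirm against sssd-ad(5) and sssd-ldap(5) for the SSSD version actually installed.

```python
"""Sort the ldap_* overrides of an AD-provider sssd.conf domain section into
"redundant" (equals the default), "keep" (differs from it) and "derived"
(SSSD derives a value itself).  Added example, not SSSD project code."""
import configparser

# AD-provider defaults as listed in the reply above.  Assumption: they hold for the
# installed SSSD version; confirm against sssd-ad(5) / sssd-ldap(5) before relying on them.
AD_PROVIDER_DEFAULTS = {
    "ldap_id_mapping": "true", "ldap_use_tokengroups": "true",
    "ldap_sasl_mech": "GSSAPI", "ldap_user_object_class": "user",
    "ldap_group_object_class": "group", "ldap_user_home_directory": "unixHomeDirectory",
    "ldap_user_principal": "userPrincipalName", "ldap_access_order": "filter",
    "ldap_account_expire_policy": "ad", "ldap_schema": "ad",
}
# Absent these, SSSD uses DNS SRV discovery (ldap_uri) or builds the search base
# from the domain name; drop them only if that derived value is what you want.
AUTO_DERIVED = {"ldap_uri", "ldap_user_search_base",
                "ldap_group_search_base", "ldap_sudo_search_base"}

# Constructed sample modelled on the thread's config, with the ldap_* lines active
# and placeholder names (example.com, dc1, linux-admins) filled in.
SAMPLE_CONF = """\
[sssd]
domains = example.com
services = nss, pam, sudo
config_file_version = 2
[domain/example.com]
ad_server = dc1.example.com
id_provider = ad
auth_provider = ad
access_provider = ad
ldap_id_mapping = true
ldap_use_tokengroups = False
ldap_sasl_mech = GSSAPI
ldap_uri = ldap://dc1.example.com
ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com
ldap_user_search_base = dc=example,dc=com
ldap_user_object_class = user
ldap_group_search_base = ou=Groups,dc=example,dc=com
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_access_order = filter, expire
ldap_account_expire_policy = ad
ldap_schema = ad
ad_access_filter = (memberOf=cn=linux-admins,ou=Groups,dc=example,dc=com)
cache_credentials = true
"""

def _norm(value):
    """Case-insensitive comparison that ignores spacing inside comma lists."""
    return ",".join(p.strip().lower() for p in value.split(","))

def _section(text, domain):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # sssd option names are case-sensitive; keep them as written
    cp.read_string(text)
    return cp[f"domain/{domain}"]

def classify_domain(text, domain):
    out = {"redundant": [], "keep": [], "derived": [], "review": []}
    for name, value in _section(text, domain).items():
        if not name.startswith("ldap_"):
            continue
        if name in AD_PROVIDER_DEFAULTS:
            same = _norm(value) == _norm(AD_PROVIDER_DEFAULTS[name])
            out["redundant" if same else "keep"].append((name, value))
        elif name in AUTO_DERIVED:
            out["derived"].append((name, value))
        else:
            out["review"].append((name, value))  # not in the table: read the man page first
    return out

def minimize(text, domain):
    """Drop only the redundant lines of [domain/<domain>]; keep order and comments."""
    drop = {n for n, _ in classify_domain(text, domain)["redundant"]}
    in_target, kept = False, []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("["):
            in_target = s == f"[domain/{domain}]"
        elif in_target and "=" in s and not s.startswith(("#", ";")):
            if s.split("=", 1)[0].strip() in drop:
                continue
        kept.append(line)
    return "\n".join(kept) + "\n"

def effective(text, domain):
    """Effective value of each tabled option: the configured one, else the default."""
    sec = _section(text, domain)
    return {n: _norm(sec.get(n, d)) for n, d in AD_PROVIDER_DEFAULTS.items()}

if __name__ == "__main__":
    for bucket, items in classify_domain(SAMPLE_CONF, "example.com").items():
        for name, value in items:
            print(f"{bucket:9s} {name} = {value}")
    trimmed = minimize(SAMPLE_CONF, "example.com")
    # Removing only the redundant lines must leave every effective value unchanged.
    assert effective(trimmed, "example.com") == effective(SAMPLE_CONF, "example.com")
    print(trimmed)
```

On the sample, the eight lines that match the table are reported as redundant, ldap_use_tokengroups and ldap_access_order are reported as keep, and the four URI/search-base lines as derived. According to the reply, the default access order is just 'filter', so deleting the ldap_access_order line along with the others would silently drop the expire check; the trimmed output keeps it. After editing the real file, run sssctl config-check (from sssd-tools) and restart sssd before trusting the result.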
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org