On Wed, Oct 30, 2019 at 08:36:35PM -0000, Erinn Looney-Triggs wrote:
> Well, I attempted to get this to work and I couldn't find a way. I
> attempted to set up a separate domain and then modify the
> re_expression, however that just modifies what gets captured into
> SSSD, and there is no way I can find to make a substitution. After
Sorry for the delay, I was hoping you would send examples of the plain
user and sudo-related AD objects.
re_expression is indeed not the right place. Depending on what the AD
objects look like and where they are stored, you should modify the search
bases or enhance the search filters. The issue on the SSSD side is that
SSSD assumes that users are uniquely found in only one domain, to make
the pam_sss domains option work. I am currently trying to figure out if
this behavior was added on purpose or if the assumption can be dropped
to make using SSSD in your case easier.
Nevertheless, e.g. assuming that the plain AD users are stored in the
cn=users,dc=domain OU and the sudo objects in cn=sudo,dc=domain, you can
just set the search bases accordingly for each domain.
If the sudo objects are stored in a sub-OU of cn=users,dc=domain you
have to change the search scope for cn=users,dc=domain as well so that
the other objects are not found, e.g.
ldap_search_base = cn=users,dc=domain?one
If the objects only differ in some attributes you can add a filter to
the search base as well, e.g.:
ldap_search_base = cn=users,dc=domain?subtree?(userPrincipalName=sudo*)
I hope this gives you some idea of how to configure the two domains. But
feel free to share a sanitized layout of the two object kinds so that I
can help to find a suitable configuration.
> looking around for other options (short of modifying the code)
> left with packaging pam_krb5 ourselves for RHEL 8 in order to
> distribute it to our internal systems. I'm certainly open to other
> ideas, but I can't see how to modify the username in a non-static way.
> I've opened a couple of bug reports, one against sssd itself, one against RHEL 8:
> It'll be a matter of people's opinion as to whether to fix these; I realize my
> employer is in a minority by using sudo in this manner.
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
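As an added example (mine, not from this thread or the SSSD project), this is what the two-domain layout described in the reply above could look like in sssd.conf. The `[sssd]` section, the domain names `users` and `sudo`, the `ldap_uri`, and the use of `id_provider = ldap` with `ldap_schema = ad` are assumptions made for illustration; the search-base syntax follows sssd-ldap(5), which documents the form `base?scope?filter` with the scope spelled `base`, `onelevel` or `subtree`. The `users` domain is limited to one level below cn=users so that a sub-OU holding the sudo objects is not picked up; the commented alternatives mirror the `userPrincipalName=sudo*` filter from the reply, with a negated filter on the `users` side so that no account is found in both domains, which is the assumption SSSD makes.

```ini
[sssd]
services = nss, pam
# Two SSSD domains, both backed by the same AD directory (assumed layout).
domains = users, sudo

[domain/users]
id_provider = ldap
ldap_schema = ad
# Assumed connection settings; replace with the real AD host and bind options.
ldap_uri = ldaps://ad.example.com
# Plain user accounts live directly under cn=users,dc=domain.
# Scope "onelevel" keeps any sub-OU (e.g. one holding the sudo objects)
# out of this domain, so each account is found in exactly one domain.
ldap_search_base = cn=users,dc=domain?onelevel?
# Alternative if the two kinds of object only differ in an attribute:
# keep the subtree scope and exclude the sudo accounts with a negated filter.
# ldap_search_base = cn=users,dc=domain?subtree?(!(userPrincipalName=sudo*))

[domain/sudo]
id_provider = ldap
ldap_schema = ad
ldap_uri = ldaps://ad.example.com
# Sudo-specific accounts in their own OU.
ldap_search_base = cn=sudo,dc=domain?subtree?
# Alternative matching the filter example from the reply, for the case
# where the sudo accounts sit under cn=users as well:
# ldap_search_base = cn=users,dc=domain?subtree?(userPrincipalName=sudo*)
```

The pam_sss `domains` option the reply mentions is what ties this to sudo: pam_sss(8) documents `domains=` as restricting which SSSD domains a PAM service may authenticate against, so a line such as `auth sufficient pam_sss.so domains=sudo` in the sudo PAM stack limits sudo authentication to the `sudo` domain, while the login stack keeps using both. Whichever variant is used, verify with `getent passwd <name>` against each domain that every account resolves in exactly one of them; an account visible in both is exactly the case the reply says SSSD does not handle.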