On 10/28/2013 05:47 PM, Chris Petty wrote:
> we are overriding our user's GID because our university has set
> everyone's primary group to "domain users".
> Is there a way to override based on a match, so that we could
> specify our human users get one GID and our service daemons get

No, this is not currently available. You're welcome to file an
enhancement request at https://fedorahosted.org/sssd (or if you are a
customer of a commercial distribution, you should contact your support

> I tried adding a second domain, with a different
> ldap_access_filter and different override_gid, but I never had
> success. Virtually all other attributes were the same and since my
> daemon user was not in my first ldap_access_filter authentication

You should be able to do this by splitting your two domains with a
different ldap_search_filter (not access_filter; that happens *after*
we find the user in the domain and confirm that it's there).
So you might want to do:
ldap_user_search_base = DC=dhe,DC=duke,DC=edu?subtree?(isHuman=1)
ldap_user_search_base = DC=dhe,DC=duke,DC=edu?subtree?(isHuman=0)
Obviously, replace (isHuman=0) with an LDAP search filter that
appropriately splits the domain.
The rest of the configurations should be left alone.
NOTE: This is untested advice. This will probably break initgroups()
requests for the daemon users, since the first domain will still match
all the groups and the daemon users will be filtered out.
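
Added example, not part of the original message or the SSSD project's documentation: a sketch of how the two-domain split suggested above could look in sssd.conf, with a different override_gid per domain. The domain names, server URI and GID values are constructed placeholders, and (isHuman=...) is the thread's own stand-in for a real LDAP filter.

```ini
# Constructed illustration of the split described in the reply above.
[sssd]
config_file_version = 2
services = nss, pam
# "humans" and "daemons" are hypothetical domain names.
domains = humans, daemons

[domain/humans]
id_provider = ldap
auth_provider = ldap
# Placeholder URI; use the directory server already configured.
ldap_uri = ldap://ldap.example.edu
# Format is base?scope?filter. Only entries matching the filter are
# found in this domain, so only they receive this domain's override_gid.
ldap_user_search_base = DC=dhe,DC=duke,DC=edu?subtree?(isHuman=1)
# Placeholder primary GID for human accounts.
override_gid = 10001

[domain/daemons]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.edu
# Complementary filter: every account must match exactly one domain.
ldap_user_search_base = DC=dhe,DC=duke,DC=edu?subtree?(isHuman=0)
# Placeholder primary GID for service accounts.
override_gid = 10002

# Caveat from the reply: this layout is untested there, and initgroups()
# requests for the daemon users will probably break, because the first
# domain still matches all groups while the daemon users are filtered out.
# Verify group membership for a service account before relying on it.
```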