We are overriding our users' GID because our university has set everyone's primary
group to "domain users".
Is there a way to override based on a match, so that we could specify that our human users get
one GID and our service daemons get another GID?
I tried adding a second domain, with a different ldap_access_filter and a different
override_gid, but I never had success. Virtually all other attributes were the same, and
since my daemon user was not in my first ldap_access_filter, authentication was rejected.
My current default domain is below:
[domain/default]
debug_level = 8
id_provider = ad
auth_provider = ad
access_provider = ldap
chpass_provider = ad
ad_domain = dhe.duke.edu
ldap_search_base = DC=dhe,DC=duke,DC=edu
ldap_idmap_default_domain = dhe.duke.edu
ldap_sasl_mech = GSSAPI
ldap_account_expire_policy = ad
ldap_access_order = filter, expire
ldap_schema = ad
ldap_referrals = False
ldap_id_mapping = True
ldap_force_upper_case_realm = True
ldap_access_filter = (|(memberOf=CN=BIAC-Users,OU=Groups,OU=BIAC,OU=SOM,OU=EnterpriseResources,DC=dhe,DC=duke,DC=edu)(memberOf=CN=BIAC-Data-Daemons,OU=Groups,OU=BIAC,OU=SOM,OU=EnterpriseResources,DC=dhe,DC=duke,DC=edu))
ldap_idmap_default_domain_sid = S-1-5-edited
ldap_tls_reqcert = never
case_sensitive = False
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d
ldap_account_expire_policy = ad
krb5_realm = DHE.DUKE.EDU
#these will go away with IDMU uid
ldap_idmap_range_size = 20000000
ldap_idmap_range_min = 0
ldap_idmap_range_max = 2000000000
min_id = 500
override_gid = 197250