Well, it looks like I've answered my own question with some trial and error. I replaced
the nss stuff that I had in ldap.conf with this:
ldap_group_search_base = ou=Groups,dc=some,dc=company,dc=com?sub?(|(host=\2A)(host=somehost.test.com)(host=test))
The syntax is a little different, but it works great. For anyone who is researching this,
essentially this is what I am doing:
I am setting my group search base to a specific OU, and all of my groups have host
attributes set. We use centralized config management, so each server has its own template
version of sssd.conf pushed out, in which the host values above are populated. When groups
are set up, it's either by * (all), hostname or host group. When sssd reaches out to
LDAP to get group info, it only gets group info that applies to the host it is running on;
we don't want other groups being assigned rights to certain files or directories, and
this keeps it from happening. I just felt I should explain that because I see a lot of
forums out there where the OP doesn't take the time to explain.
Thanks,
DB
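As an added illustration (not from either poster, and not sssd's own code), the Python below splits the sssd `ldap_group_search_base` value from the reply above into its base, scope and filter parts, then evaluates that filter against a few constructed group entries to show which groups a given host would see. It also shows why `\2A` (an RFC 4515 hex escape for a literal `*` value) is not the same as the presence filter `(host=*)`: the first matches only groups whose host attribute literally contains `*`, the second matches any group that has a host attribute at all. The group entries, group names and case-insensitive matching on `host` are assumptions made for the example.

```python
import re

# Constructed sample: the sssd "base?scope?filter" value quoted in the reply above.
SEARCH_BASE = ("ou=Groups,dc=some,dc=company,dc=com"
               "?sub?(|(host=\\2A)(host=somehost.test.com)(host=test))")

# Constructed sample group entries (hypothetical directory content, not real data).
GROUPS = [
    {"cn": "admins",  "host": ["*"]},                  # literal "*" = all hosts
    {"cn": "webteam", "host": ["somehost.test.com"]},  # single hostname
    {"cn": "dbteam",  "host": ["dbhost.test.com"]},    # some other host
    {"cn": "testers", "host": ["test"]},               # host group name
    {"cn": "noscope", "host": []},                     # no host attribute at all
]


def parse_search_base(value):
    """Split an sssd 'base?scope?filter' string into (base, scope, filter)."""
    parts = value.split("?", 2)
    base = parts[0]
    scope = parts[1] if len(parts) > 1 else "sub"
    flt = parts[2] if len(parts) > 2 else ""
    if scope not in ("base", "one", "sub"):
        raise ValueError("unsupported scope: %r" % scope)
    return base, scope, flt


def unescape(value):
    """Decode RFC 4515 \\XX hex escapes in an assertion value, e.g. \\2A -> '*'."""
    return re.sub(r"\\([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse a small LDAP filter subset: (|...), (&...), (!...), (a=v), (a=*)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "|&":
            op = "or" if text[pos] == "|" else "and"
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return (op, children)
        if text[pos] == "!":
            pos += 1
            child = node()
            if text[pos] != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            return ("not", child)
        end = text.index(")", pos)
        attr, _, raw = text[pos:end].partition("=")
        pos = end + 1
        if raw == "*":                    # unescaped '*' alone is a presence test
            return ("present", attr)
        return ("eq", attr, unescape(raw))  # '\2A' decodes to a literal '*'

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (dict of attr -> list of values)."""
    kind = tree[0]
    if kind == "or":
        return any(matches(c, entry) for c in tree[1])
    if kind == "and":
        return all(matches(c, entry) for c in tree[1])
    if kind == "not":
        return not matches(tree[1], entry)
    values = entry.get(tree[1], [])
    if kind == "present":
        return bool(values)
    # Assumption: 'host' compares case-insensitively, as caseIgnoreIA5Match would.
    return tree[2].lower() in (v.lower() for v in values)


def visible_groups(search_base, groups):
    """Return the sorted cn values of the groups the filter lets sssd see."""
    _base, _scope, flt = parse_search_base(search_base)
    tree = parse_filter(flt)
    return sorted(g["cn"] for g in groups if matches(tree, g))


if __name__ == "__main__":
    print(visible_groups(SEARCH_BASE, GROUPS))
    print(visible_groups("ou=Groups,dc=some,dc=company,dc=com?sub?(host=*)", GROUPS))
```

Running it lists `admins`, `testers` and `webteam` for the poster's filter, while the presence form `(host=*)` would also pull in `dbteam`, which is exactly the leakage the host-scoped filter is meant to prevent.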
Hello,
I am migrating from pam_ldap to sssd, and previously in my ldap.conf I
was able to use this to filter out groups based on the "host" attribute using
the nss_base_group feature:
nss_base_group ou=Groups,dc=some,dc=company,dc=com?one?|(host=\2A)(host=somehost.test.com)(host=test)
I am trying to do the same thing in SSSD and can't figure it out.
I have added everything past the first ? above to my ldap_group_search_base stanza, but it
doesn't work as expected. Is it a syntax thing, or is there a different way of
doing this (or am I out of luck?)?
Thanks in advance!
-DBright