Well, it looks like I've answered my own question with some trial and error. I
replaced the nss stuff that I had in ldap.conf with this:

ldap_group_search_base = ou=Groups,dc=some,dc=company,dc=com?sub?(|(host=\2A)(host=somehost.test.com)(host=test))

The syntax is a little different, but it works great. For anyone who is 
researching this, essentially this is what I am doing:

I am setting my group search base to a specific OU, and all of my groups have
host attributes set. We use centralized config management, so each server has
its own templated version of sssd.conf pushed out, in which the host values
above are populated. When groups are set up, the host is either * (all), a
hostname, or a host group. When sssd reaches out to LDAP to get group info, it
only gets the group info that applies to the host it is running on; we don't
want other groups being assigned rights to certain files or directories, and
this keeps that from happening. I just felt I should explain this because I see
a lot of forums out there where the OP doesn't take the time to explain.

Thanks,
DB
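
As an added illustration (not from the original post), the script below builds the host-scoped ldap_group_search_base value in the sssd `base?scope?filter` form, shows that `\2A` is just the RFC 4515 escape for a literal `*` value on the host attribute, and checks which of a few constructed group entries such a filter would let sssd see on a given host. The OU, hostnames and group names are constructed samples.

```python
import re

# RFC 4515 escaping for assertion values: '*' becomes \2A, so (host=\2A)
# matches groups whose host attribute is literally "*" (the "all hosts" marker),
# it is not a wildcard.
def ldap_escape(value: str) -> str:
    return "".join(f"\\{ord(c):02X}" if c in "*()\\\x00" else c for c in value)

def ldap_unescape(value: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

# sssd syntax: base?scope?filter, with the filter fully parenthesised.
def host_scoped_search_base(ou: str, hostname: str, hostgroup: str) -> str:
    terms = ["*", hostname, hostgroup]
    flt = "(|" + "".join(f"(host={ldap_escape(t)})" for t in terms) + ")"
    return f"{ou}?sub?{flt}"

def parse_search_base(value: str):
    base, scope, flt = value.split("?", 2)
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"bad scope: {scope}")
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("sssd expects the filter to be parenthesised")
    return base, scope, flt

_HOST_TERM = re.compile(r"\(host=((?:\\[0-9A-Fa-f]{2}|[^()\\])*)\)")

# groups: name -> set of host attribute values (constructed sample data).
# A group whose host attribute does not match is simply not returned to sssd,
# so it can never be used in file or directory permissions on this host.
def visible_groups(search_base: str, groups: dict) -> list:
    _, _, flt = parse_search_base(search_base)
    wanted = {ldap_unescape(v) for v in _HOST_TERM.findall(flt)}
    return sorted(name for name, hosts in groups.items() if hosts & wanted)

# Constructed sample: what the per-host template would render for somehost.
SEARCH_BASE = host_scoped_search_base(
    "ou=Groups,dc=some,dc=company,dc=com", "somehost.test.com", "test")

SAMPLE_GROUPS = {
    "admins":   {"*"},                   # applies everywhere
    "web-ops":  {"somehost.test.com"},   # this host only
    "test-ops": {"test"},                # host group "test"
    "db-ops":   {"dbhost.test.com"},     # another host, must stay hidden
    "unscoped": set(),                   # no host attribute, also hidden
}

if __name__ == "__main__":
    print(SEARCH_BASE)
    print(visible_groups(SEARCH_BASE, SAMPLE_GROUPS))
```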

>Hello,

>I am migrating from pam_ldap to sssd, and previously in my ldap.conf I was able
>to use this to filter out groups based on the "host" attribute using the
>nss_base_group feature:

>nss_base_group  ou=Groups,dc=some,dc=company,dc=com?one?|(host=\2A)(host=somehost.test.com)(host=test)

>I am trying to do the same thing in SSSD and can't figure it out. I have added
>everything past the first ? above to my ldap_group_search_base stanza, but it
>doesn't work as expected. Is it a syntax thing, or is there a different way of
>doing this (or am I out of luck?)?

>Thanks in advance!
>-DBright
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users