----- Original Message -----
> From: "Lukas Slebodnik" <lsleb...@redhat.com>
> To: "End-user discussions about the System Security Services Daemon"
> <sssd-users@lists.fedorahosted.org>
> Sent: Wednesday, May 6, 2015 2:37:42 PM
> Subject: Re: [SSSD-users] please do not remove enumeration from AD provider
>
> ----- Original Message -----
> > From: "James Ralston" <rals...@pobox.com>
> > To: "End-user discussions about the System Security Services Daemon"
> > <sssd-users@lists.fedorahosted.org>
> > Sent: Wednesday, May 6, 2015 7:28:35 PM
> > Subject: [SSSD-users] please do not remove enumeration from AD provider
> > ...
> > But the LDAP provider doesn't support ID mapping; only the AD provider
> > does. And ID mapping is the main reason we use sssd.
> >
> ID mapping should work with LDAP provider (+ AD)

Yes, it does. "ldap_id_mapping = True".

> But auto-discovery of domain SID does not work with ldap provider.
> So you need to configure it manually.
>

This statement is completely false. The domain SID is automatically detected. Setting it manually like this just means that instead of getting the automatically-determined ID range slice, it will always take slice 0.

...

> But I would not recommend to use ldap+krb5 instead of ldap_default_bind_dn
> You can find some details in RHEL7 documentation[1]
>

I'm not sure what you were trying to say here. I think you meant to say "It's much preferred to use GSSAPI with LDAP and a kerberos keytab to secure your communication with Active Directory, the same way that the AD provider does."
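
A configuration along the lines discussed in this message, as an added example that is not part of the original email or of the SSSD documentation. The realm, host names and bind account are placeholders, and the simple-bind alternative is shown commented out for comparison with the GSSAPI bind.

```ini
# Constructed example: example.com, dc1.example.com and the bind account
# are placeholders, not values from the thread.
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc1.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = ad

# ID mapping with the LDAP provider: UIDs and GIDs are derived from the
# objectSID instead of being read from POSIX attributes in the directory.
ldap_id_mapping = True

# Bind to Active Directory with GSSAPI using a Kerberos keytab, the same
# way the AD provider does. ldap_sasl_authid defaults to
# host/<hostname>@REALM; set it if the keytab holds a different principal.
ldap_sasl_mech = GSSAPI
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = True

krb5_realm = EXAMPLE.COM
krb5_server = dc1.example.com

# Less preferred alternative: simple bind with a service account, which
# leaves a long-lived password in sssd.conf.
# ldap_default_bind_dn = CN=svc-sssd,CN=Users,DC=example,DC=com
# ldap_default_authtok_type = password
# ldap_default_authtok = <placeholder>
```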