On Wed, Oct 30, 2019 at 08:36:35PM -0000, Erinn Looney-Triggs wrote:
> Well I attempted to get this to work and I couldn't find a way. I
> attempted to set up a separate domain and then modify the
> re_expression, however that just modifies what gets captured into
> SSSD, and there is no way I can find to make a substitution. After

Hi,

sorry for the delay, I was hoping you would send examples of the plain user
and the sudo-related AD object.

re_expression is indeed not the right place. Depending on what the AD
objects look like and where they are stored, you should modify the search
bases or enhance the search filters.

The issue on the SSSD side is that SSSD assumes that users are uniquely
found only in one domain to make the pam_sss domains option work. I am
currently trying to figure out if this behavior was added on purpose or if
the assumption can be dropped to make using SSSD in your case easier.

Nevertheless, e.g. assuming that the plain AD users are stored in the
cn=users,dc=domain OU and the sudo objects in cn=sudo,dc=domain, you can
just set the search bases accordingly for each domain.

If the sudo objects are stored in a sub-OU of cn=users,dc=domain, you have
to change the search scope for cn=users,dc=domain as well so that the
other objects are not found, e.g.

    ldap_search_base = cn=users,dc=domain?one

If the objects only differ in some attributes, you can add a filter to the
search base as well, e.g.:

    ldap_search_base = cn=users,dc=domain?subtree?(userPrincipalName=sudo*)

I hope this gives you some idea how to configure the two domains. But feel
free to share a sanitized layout of the two object kinds so that I can help
to find a suitable configuration.

bye,
Sumit

> looking around for other options (short of modifying the code) I'm
> left with packaging pam_krb5 ourselves for RHEL 8 in order to
> distribute it to our internal systems. I'm certainly open to other
> ideas, but I can't see how to modify the username in a non-static way.
>
> I've opened a couple of bug reports, one against sssd itself, one against
> RHEL 8:
> https://pagure.io/SSSD/sssd/issue/4109
> https://bugzilla.redhat.com/show_bug.cgi?id=1767176
>
> It'll be a matter of people's opinion as to whether to fix these, I realize my
> employer is in a minority by using sudo in this manner.
>
> Thanks,
> -Erinn
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
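As an added example (not from the thread or from the SSSD project), here is an sssd.conf layout that applies the search-base suggestion above: plain accounts in one SSSD domain, sudo accounts in a second, with the base?scope?filter syntax doing the separation. The domain names, the dc=example,dc=com suffix, ad_domain, the negated filter variant and the pam_sss line are assumptions; it does not settle the open point that SSSD expects each user to be found in only one domain.

```ini
# /etc/sssd/sssd.conf (constructed example; layout assumed: plain users
# directly under cn=users,dc=example,dc=com, sudo accounts either in
# cn=sudo,dc=example,dc=com or nested below cn=users; both SSSD domains
# point at the same AD domain)
[sssd]
services = nss, pam
domains = users, sudo

[domain/users]
id_provider = ad
ad_domain = example.com
# "?one" restricts the lookup to direct children of cn=users, so a sudo
# OU nested below cn=users is not searched by this domain.
ldap_search_base = cn=users,dc=example,dc=com?one
# Attribute-based alternative when both kinds share one OU (assumed
# filter; the filter is combined with SSSD's own user filter):
# ldap_search_base = cn=users,dc=example,dc=com?subtree?(!(userPrincipalName=sudo*))

[domain/sudo]
id_provider = ad
ad_domain = example.com
ldap_search_base = cn=sudo,dc=example,dc=com?subtree
# Attribute-based variant, the filter form Sumit suggested:
# ldap_search_base = cn=users,dc=example,dc=com?subtree?(userPrincipalName=sudo*)

# Assumed companion line in /etc/pam.d/sudo, so that sudo authentication
# only considers accounts resolved through the second domain:
#   auth  sufficient  pam_sss.so domains=sudo
```

Each SSSD domain still resolves its own accounts normally, so check with getent passwd against a plain and a sudo account that every account appears in exactly one domain before relying on the pam_sss domains= restriction.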