Hi Everyone, I’m working on a system that authenticates users through both Active Directory (AD) and LDAP, and I’m looking for suggestions to improve the current setup.
Current Setup:
- AD is used solely for authentication.
- LDAP manages local users (e.g., temporary users) and assigns additional groups to both AD and LDAP users. These groups control access to shared folders for teammates.

The Challenge:
- I need to append groups from LDAP to users authenticated through AD.
- To achieve this, I’ve created "no-login" accounts in LDAP for each AD user, mapping their UID/GID to match.
- However, I haven’t found a way to fully rely on SSSD for this task.

Current Workaround:
- I’m using nslcd alongside SSSD and forcing nsswitch.conf to prioritize LDAP group lookups before SSSD and local files.

My current nsswitch.conf looks like this:

    passwd:    sss files
    group:     ldap sss files systemd
    netgroup:  ldap sss files
    automount: ldap sss files
    services:  ldap sss files

SSSD Configuration:
Here’s my current sssd.conf setup:

    [sssd]
    services = nss, pam
    config_file_version = 2
    domains = ad.domain, ldap.domain
    # Prevent user login with fully_qualified_name
    re_expression = (?P<name>^[^@]+$)
    debug_level = 9

    [domain/ad.domain]
    ad_server = adserver.example.com
    ad_domain = ad.example.com
    auth_provider = ad
    id_provider = ad
    access_provider = simple
    simple_allow_groups = allow_login_group
    realmd_tags = manages-system joined-with-adcli
    krb5_realm = AD.EXAMPLE.COM
    krb5_store_password_if_offline = True
    # To generate private groups for each user
    auto_private_groups = True
    ignore_group_members = True
    use_fully_qualified_names = False
    default_shell = /bin/bash
    fallback_homedir = /home/%u
    cache_credentials = True

    [domain/ldap.domain]
    id_provider = ldap
    auth_provider = ldap
    ldap_uri = ldaps://ldapserver
    ldap_search_base = dc=example,dc=com
    cache_credentials = True
    ldap_tls_cacert = /path/to/ca.pem
    ldap_tls_cert = /path/to/ldap.pem
    ldap_tls_key = /path/to/ldap.key
    ldap_tls_reqcert = demand
    default_shell = /bin/bash
    fallback_homedir = /home/%u

What I’m Looking For:
Is there a better way to append LDAP groups to AD-authenticated users so that I can eliminate nslcd entirely and rely solely on SSSD? Any advice or suggestions on how to achieve this would be greatly appreciated!

Thank you in advance for your help!
-- 
sssd-users mailing list
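Added example, not part of the post above or of SSSD itself: a small Python audit that parses an abridged copy of the poster's sssd.conf and flags the settings a reviewer would look at first (debug_level left at 9, a domain with no access_provider, an LDAP domain without ldaps or strict certificate checking). The sample config is constructed from the post; the findings text is mine.

```python
import configparser

# Constructed sample: an abridged copy of the sssd.conf quoted in the post.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = ad.domain, ldap.domain
debug_level = 9

[domain/ad.domain]
id_provider = ad
auth_provider = ad
access_provider = simple
simple_allow_groups = allow_login_group
fallback_homedir = /home/%u

[domain/ldap.domain]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldapserver
ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /path/to/ca.pem
ldap_tls_reqcert = demand
fallback_homedir = /home/%u
"""


def audit_sssd_conf(text):
    """Return {section: [finding, ...]} for settings worth a second look."""
    # interpolation=None: sssd.conf uses %u, which configparser would otherwise
    # try to expand as a format placeholder.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = {}
    for section in cp.sections():
        notes = []
        if section == "sssd" and cp.getint(section, "debug_level", fallback=0) >= 6:
            notes.append("debug_level >= 6 is function-level tracing; lower it after troubleshooting")
        if section.startswith("domain/"):
            # SSSD's default access_provider is permit: every resolvable user may log in.
            if cp.get(section, "access_provider", fallback="permit") == "permit":
                notes.append("no access_provider set, so the default (permit) applies")
            if cp.get(section, "id_provider", fallback="") == "ldap":
                if not cp.get(section, "ldap_uri", fallback="").startswith("ldaps://"):
                    notes.append("ldap_uri is not ldaps://")
                # hard is SSSD's default and equivalent to demand; never/allow/try weaken verification.
                if cp.get(section, "ldap_tls_reqcert", fallback="hard") not in ("demand", "hard"):
                    notes.append("ldap_tls_reqcert does not require a valid server certificate")
        findings[section] = notes
    return findings
```

Running it against the real file (`audit_sssd_conf(open("/etc/sssd/sssd.conf").read())`) needs root, since sssd.conf is mode 0600.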
