On Wed, May 14, 2025 at 5:53 AM Dom Chien via sssd-users
<[email protected]> wrote:
>
> Hi Everyone,
>
> I’m working on a system that authenticates users through both Active
> Directory (AD) and LDAP, and I’m looking for suggestions to improve the
> current setup.
>
> Current Setup:
> - AD is used solely for authentication.
> - LDAP manages local users (e.g., temporary users) and assigns additional
> groups to both AD and LDAP users. These groups control access to shared
> folders for teammates.
>
> The Challenge:
> - I need to append groups from LDAP to users authenticated through AD.
> - To achieve this, I’ve created "no-login" accounts in LDAP for each AD user,
> mapping their UID/GID to match.
> - However, I haven’t found a way to fully rely on SSSD for this task.
>
> Current Workaround:
> - I’m using nslcd alongside SSSD and forcing nsswitch.conf to prioritize LDAP
> group lookups before SSSD and local files. My current nsswitch.conf looks
> like this:
>
> passwd: sss files
> group: ldap sss files systemd
> netgroup: ldap sss files
> automount: ldap sss files
> services: ldap sss files
>
> SSSD Configuration:
> Here’s my current sssd.conf setup:
> [sssd]
> services = nss, pam
> config_file_version = 2
> domains = ad.domain, ldap.domain
> # Prevent user login with fully_qualified_name
> re_expression = (?P<name>^[^@]+$)
> debug_level = 9
>
> [domain/ad.domain]
> ad_server = adserver.example.com
> ad_domain = ad.example.com
> auth_provider = ad
> id_provider = ad
> access_provider = simple
> simple_allow_groups = allow_login_group
> realmd_tags = manages-system joined-with-adcli
> krb5_realm = AD.EXAMPLE.COM
> krb5_store_password_if_offline = True
>
> # To generate private groups for each user
> auto_private_groups = True
> ignore_group_members = True
> use_fully_qualified_names = False
> default_shell = /bin/bash
> fallback_homedir = /home/%u
> cache_credentials = True
>
> [domain/ldap.domain]
> id_provider = ldap
> auth_provider = ldap
> ldap_uri = ldaps://ldapserver
> ldap_search_base = dc=example,dc=com
> cache_credentials = True
> ldap_tls_cacert = /path/to/ca.pem
> ldap_tls_cert = /path/to/ldap.pem
> ldap_tls_key = /path/to/ldap.key
> ldap_tls_reqcert = demand
> default_shell = /bin/bash
> fallback_homedir = /home/%u
>
> What I’m Looking For:
> Is there a better way to append LDAP groups to AD-authenticated users
Not sure if you're willing to consider replacement of LDAP with
FreeIPA, but sounds like a FreeIPA feature: `ipa group-add-member ...
--external={}`
> so that I can eliminate nslcd entirely and rely solely on SSSD? Any advice or
> suggestions on how to achieve this would be greatly appreciated!
>
> Thank you in advance for your help!
> --
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
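Added example, not code from either poster: the nsswitch.conf order in the original post (group: ldap sss files) makes glibc return the first source that knows a group name or GID and never consult the rest, so any name or GID that exists in both LDAP and AD is silently served from LDAP. The script below models that first-match behaviour over two constructed getent-style views (the directory contents, the users alice, bob and temp1, and the groups proj-share, finance and build are all made up for the illustration) and reports the collisions an administrator would want to find before trusting the merged view. allow_login_group is deliberately defined on both sides, and the LDAP group build is given the same GID as bob's AD private group, to show both kinds of shadowing.

```python
"""Model glibc NSS first-match lookups for the order `group: ldap sss` and
audit two directory views for name/GID collisions.

Added example for the sssd-users thread; not code from either poster.
All input is constructed text in the shape of `getent -s ldap group`,
`getent -s sss group` and `getent -s sss passwd` output.
"""
from typing import Dict, List, Optional, Set, Tuple

Group = Tuple[int, List[str]]   # (gid, explicit member names)
GroupDB = Dict[str, Group]      # group name -> Group

# Constructed AD view via sss: auto_private_groups gives GID == UID, and
# ignore_group_members means the listed member column comes back empty.
SSS_PASSWD = """\
alice:*:10001:10001:Alice:/home/alice:/bin/bash
bob:*:10002:10002:Bob:/home/bob:/bin/bash
"""
SSS_GROUP = """\
alice:*:10001:
bob:*:10002:
allow_login_group:*:40001:
"""

# Constructed LDAP view: share groups plus one name collision
# (allow_login_group) and one GID collision (build == bob's private GID).
LDAP_GROUP = """\
proj-share:*:50001:alice,bob,temp1
finance:*:50002:alice
allow_login_group:*:50003:temp1
build:*:10002:temp1
"""


def parse_passwd(text: str) -> Dict[str, Tuple[int, int]]:
    """name -> (uid, primary gid) from passwd(5)-style lines."""
    out: Dict[str, Tuple[int, int]] = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, uid, gid, *_rest = line.split(":")
            out[name] = (int(uid), int(gid))
    return out


def parse_group(text: str) -> GroupDB:
    """name -> (gid, [members]) from group(5)-style lines."""
    out: GroupDB = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            out[name] = (int(gid), [m for m in members.split(",") if m])
    return out


def nss_group_by_name(name: str, sources: List[GroupDB]) -> Optional[Group]:
    """getgrnam(): without a [SUCCESS=merge] action the first source in
    nsswitch order that knows the name answers; later sources are ignored."""
    for db in sources:
        if name in db:
            return db[name]
    return None


def nss_group_by_gid(gid: int, sources: List[GroupDB]) -> Optional[str]:
    """getgrgid(): first source holding that GID wins."""
    for db in sources:
        for name, (g, _members) in db.items():
            if g == gid:
                return name
    return None


def effective_groups(user: str, passwd: Dict[str, Tuple[int, int]],
                     sources: List[GroupDB]) -> Set[str]:
    """Approximate initgroups(): primary group resolved by GID, plus every
    group whose first-match entry lists the user as a member."""
    groups: Set[str] = set()
    if user in passwd:
        primary = nss_group_by_gid(passwd[user][1], sources)
        if primary:
            groups.add(primary)
    for name in {n for db in sources for n in db}:
        grp = nss_group_by_name(name, sources)
        if grp and user in grp[1]:
            groups.add(name)
    return groups


def collisions(labels: List[str], sources: List[GroupDB]) -> List[str]:
    """Names and GIDs defined in more than one source; the earlier source
    shadows the later one for that lookup."""
    seen_name: Dict[str, str] = {}
    seen_gid: Dict[int, Tuple[str, str]] = {}
    report: List[str] = []
    for label, db in zip(labels, sources):
        for name, (gid, _members) in db.items():
            if name in seen_name:
                report.append(f"name {name!r}: {seen_name[name]} shadows {label}")
            else:
                seen_name[name] = label
            if gid in seen_gid:
                first_label, first_name = seen_gid[gid]
                report.append(f"gid {gid}: {first_label}/{first_name} shadows {label}/{name}")
            else:
                seen_gid[gid] = (label, name)
    return report


if __name__ == "__main__":
    ldap, sss = parse_group(LDAP_GROUP), parse_group(SSS_GROUP)
    pw = parse_passwd(SSS_PASSWD)
    for user in ("alice", "bob"):
        print(user, sorted(effective_groups(user, pw, [ldap, sss])))
    print("\n".join(collisions(["ldap", "sss"], [ldap, sss])))
```

Run against these constructed views, bob's private group resolves to the LDAP group build because build reuses GID 10002, so files he creates display that group, and allow_login_group resolves to the LDAP definition with member temp1 for anything that goes through NSS. Swapping the source order flips both results, which is why the collision report is worth running whenever UIDs and GIDs are being mirrored by hand between the two directories.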