Thank you all for the quick replies! Going to try to answer everyone here:

@Spike
> Do you mean that you're using AD (or an LDAP server) with the RFC2307bis schema extension that adds the extra UNIX-y attributes for users and groups? (home dir, uid, gid, gecos, login shell)

Yes, but right now I only care for users being mapped properly. Since we do have a few groups with POSIX gidNumber attribute, they also get mapped.

> And that your POSIX groups have these fields populated, while your non-POSIX
> groups don't have these fields populated?

Right, non-posix groups are regular AD groups without the gidNumber.

@Alexey
> Is this important for you to preserve existing POSIX attributes?

For users, yes, but for the groups, not really. I simply am looking to allow access to a host if they are a memberof an AD group. In my case, an AD group that does not have gidNumber attribute. (non-posix)

@Christopher
> I don't get why you don't just add the posixGroup objectClass and a gidNumber
> to the "non-POSIX-compliant" groups to make it POSIX compliant, and also be
> able to count them with "objectClass=posixGroup" filters.

Yes, I would agree. Unfortunately, it is not an easy process for my org to do this for groups. (red-tape *eyeroll*) This is why I was wondering if it is possible to do something like simple_allow_groups = non-posix_ad_group functionality.

Thank you!

--
sssd-users mailing list
