On Tue, Jun 24, 2014 at 03:28:05PM +0200, Sven Geggus wrote:
> Hello,
> with nslcd I do the following to simulate user private groups without actually creating them in the directory server:
> ... filter group (&(|(objectClass=Group)(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=User)))(msSFU30NisDomain=example)) ...
> I tried porting this to sssd using the following:
> ldap_group_search_base = DC=example,DC=com?subtree?(&(|(objectClass=Group)(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(objectClass=User)))(msSFU30NisDomain=example))
Looks like the correct syntax to me.
However, note that SSSD works differently than nss-pam-ldapd -- we save the entry attributes to the cache first and while saving the entry, we perform a number of checks.
My guess is that SSSD expects the group entries to have objectclass=group. Domain logs would show more.
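
As an added illustration (not part of the original thread, and not SSSD or nslcd code), this Python example evaluates the filter from the message against constructed entries. It shows which entries the search returns and which of them lack objectClass=group, the property the reply guesses SSSD checks. The entry names, attribute values and the two-valued filter evaluation are assumptions.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND matching rule used in the filter
FILTER = ("(&(|(objectClass=Group)(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
          "(objectClass=User)))(msSFU30NisDomain=example))")

# Constructed sample entries (attribute names lower-cased); not real directory data.
ENTRIES = {
    "staff": {"objectclass": ["top", "group"], "mssfu30nisdomain": ["example"]},
    "alice": {"objectclass": ["top", "person", "user"], "useraccountcontrol": ["512"],
              "mssfu30nisdomain": ["example"]},
    "bob":   {"objectclass": ["top", "person", "user"], "useraccountcontrol": ["514"],
              "mssfu30nisdomain": ["example"]},  # 514 = 512 | 2: bit 2 (disabled) set
    "carol": {"objectclass": ["top", "person", "user"], "useraccountcontrol": ["512"]},
}

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, index after its ')')."""
    assert f[i] == "("
    i += 1
    if f[i] in "&|!":
        op, kids = f[i], []
        i += 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    j = f.index(")", i)
    m = re.fullmatch(r"([\w-]+)(?::([\d.]+):)?=(.*)", f[i:j])
    return ("item", m.group(1).lower(), m.group(2), m.group(3)), j + 1

def evaluate(node, entry):
    """Two-valued evaluation; LDAP's 'undefined' for absent attributes is not modelled."""
    if node[0] == "&":
        return all(evaluate(k, entry) for k in node[1])
    if node[0] == "|":
        return any(evaluate(k, entry) for k in node[1])
    if node[0] == "!":
        return not evaluate(node[1][0], entry)
    _, attr, rule, value = node
    values = entry.get(attr, [])
    if rule == BIT_AND:  # true when every bit of the assertion value is set
        return any((int(v) & int(value)) == int(value) for v in values)
    return any(v.lower() == value.lower() for v in values)

def search(entries=ENTRIES, flt=FILTER):
    """Names of the entries the group search filter would return."""
    tree, _ = parse(flt)
    return [name for name, e in entries.items() if evaluate(tree, e)]

def returned_without_group_class(entries=ENTRIES):
    """Returned entries lacking objectClass=group (the check the reply guesses at)."""
    return [n for n in search(entries) if "group" not in entries[n]["objectclass"]]
```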