On 10/28/2013 05:47 PM, Chris Petty wrote:
> we are overriding our user's GID because our university has set everyone's primary group to "domain users".
> Is there a way to override based on a match, so that we could specify our human users get one GID and our service daemons get another GID?
No, this is not currently available. You're welcome to file an enhancement request at https://fedorahosted.org/sssd (or if you are a customer of a commercial distribution, you should contact your support representative).
> I tried adding a second domain, with a different ldap_access_filter and different override_gid, but I never had success. Virtually all other attributes were the same, and since my daemon user was not in my first ldap_access_filter, authentication was rejected.
You should be able to do this by splitting your two domains with a different ldap_search_filter (not access_filter; that happens *after* we find the user in the domain and confirm that it's there).
So you might want to do:
[domain/humans]
ldap_user_search_base = DC=dhe,DC=duke,DC=edu?subtree?(isHuman=1)

[domain/daemons]
ldap_user_search_base = DC=dhe,DC=duke,DC=edu?subtree?(isHuman=0)
Obviously, replace (isHuman=0) with an LDAP search filter that appropriately splits the domain.
The rest of the configurations should be left alone.
NOTE: This is untested advice. This will probably break initgroups() requests for the daemon users, since the first domain will still match all the groups and the daemon users will be filtered out.
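For readers who want to see the two-domain split above as a whole sssd.conf, here is an added example (not part of the thread and not from the SSSD project). The LDAP server name, the GID values and the isHuman attribute are placeholders; both domains share every setting except the user search filter and the override_gid, as the reply recommends, and the initgroups() caveat raised above still applies.

```ini
[sssd]
config_file_version = 2
services = nss, pam
# Order matters: lookups try "humans" first, then "daemons".
domains = humans, daemons

# Human accounts: entries matching (isHuman=1) get this primary GID.
[domain/humans]
id_provider = ldap
auth_provider = ldap
# placeholder server; use your real LDAP/AD host
ldap_uri = ldaps://ldap.example.edu
ldap_search_base = DC=dhe,DC=duke,DC=edu
# base?scope?filter: only users matching the filter belong to this domain
ldap_user_search_base = DC=dhe,DC=duke,DC=edu?subtree?(isHuman=1)
# placeholder GID for the human users' primary group
override_gid = 10000

# Service daemons: identical settings, disjoint filter, different GID.
[domain/daemons]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.edu
ldap_search_base = DC=dhe,DC=duke,DC=edu
ldap_user_search_base = DC=dhe,DC=duke,DC=edu?subtree?(isHuman=0)
# placeholder GID for the daemon users' primary group
override_gid = 20000
```

After editing, check the result with `getent passwd <user>` for one account of each kind and confirm the fourth field shows the expected GID before relying on it for access decisions.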