We are overriding our users' GID because our university has set everyone's primary group to "domain users".
Is there a way to override based on a match, so that we could specify our human users get one GID and our service daemons get another GID?
I tried adding a second domain, with a different ldap_access_filter and different override_gid, but I never had success. Virtually all other attributes were the same, and since my daemon user was not in my first ldap_access_filter, authentication was rejected.
My current default domain is below:
[domain/default]
debug_level = 8
id_provider = ad
auth_provider = ad
access_provider = ldap
chpass_provider = ad
ad_domain = dhe.duke.edu
ldap_search_base = DC=dhe,DC=duke,DC=edu
ldap_idmap_default_domain = dhe.duke.edu
ldap_sasl_mech = GSSAPI
ldap_account_expire_policy = ad
ldap_access_order = filter, expire
ldap_schema = ad
ldap_referrals = False
ldap_id_mapping = True
ldap_force_upper_case_realm = True
ldap_access_filter = (|(memberOf=CN=BIAC-Users,OU=Groups,OU=BIAC,OU=SOM,OU=EnterpriseResources,DC=dhe,DC=duke,DC=edu)(memberOf=CN=BIAC-Data-Daemons,OU=Groups,OU=BIAC,OU=SOM,OU=EnterpriseResources,DC=dhe,DC=duke,DC=edu))
ldap_idmap_default_domain_sid = S-1-5-edited
ldap_tls_reqcert = never
case_sensitive = False
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d
ldap_account_expire_policy = ad
krb5_realm = DHE.DUKE.EDU
#these will go away with IDMU uid
ldap_idmap_range_size = 20000000
ldap_idmap_range_min = 0
ldap_idmap_range_max = 2000000000
min_id = 500
override_gid = 197250