On Sun, Oct 23, 2016 at 08:34:45PM -0000, squallu@gmail.com wrote:
Hi, I'm trying to configure sssd with the AD provider to work with ldap_id_mapping = False. Everything is working fine except additional groups aside from the primary (msSFU30PosixMemberOf). Is it even possible without switching to id_provider=ldap?
Adding ldap_user_member_of = msSFU30PosixMemberOf to /etc/sssd/sssd.conf changes nothing; switching to id_provider = ldap works and gives me back all the unix groups configured on AD.
The memberof attribute is not really used much. Instead, the AD provider reads the group membership from the tokenGroups attribute, and if those are disabled (which you probably want to do with msSFU attributes, which are IIRC not synced with Windows group memberships), then we fall back to using just "member".
tl;dr: try with tokengroups disabled and map all the msSFU attributes that you use, not just memberof.
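
The suggestion above written out as an sssd.conf fragment. This is an added example, not configuration posted by either participant in the thread. The domain name is a placeholder, and every msSFU30 attribute name other than msSFU30PosixMemberOf is an assumption about which SFU attributes the directory actually populates.

```ini
# Placeholder domain section name; use the name of your existing AD domain section.
[domain/example.com]
id_provider = ad

# Take UIDs/GIDs from directory attributes instead of deriving them from SIDs.
ldap_id_mapping = False

# Do not resolve group membership through tokenGroups. tokenGroups reflects
# Windows group membership, which the msSFU attributes are not synced with.
ldap_use_tokengroups = False

# User attribute mappings (assumed names; map only attributes you populate).
ldap_user_uid_number = msSFU30UidNumber
ldap_user_gid_number = msSFU30GidNumber
ldap_user_home_directory = msSFU30HomeDirectory
ldap_user_shell = msSFU30LoginShell
# From the original question; on its own this mapping changed nothing.
ldap_user_member_of = msSFU30PosixMemberOf

# Group attribute mappings (assumed names). With tokenGroups disabled the
# provider falls back to the group's member attribute, so it must point at
# the msSFU attribute that holds the Unix membership.
ldap_group_gid_number = msSFU30GidNumber
ldap_group_member = msSFU30PosixMember
```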