SSSD experts - Is it possible to simplify ldap searches like the one below to specify the group name without its full path:

```
ldap_user_search_base="DC=example,DC=internal?subtree?(|(memberOf=CN=project-users,OU=2,OU=1,DC=example,DC=internal)(memberOf=CN=project-admins,OU=2,OU=1,DC=example,DC=internal))"
```

Doing so would simplify configurations and prevent issues when objects are moved within the directory.

*p.s. for access_provider, the following has worked to simplify part of our config. Likely means less load on LDAP. I'm assuming it's safe.*

```
id_provider=ldap
access_provider=simple
simple_allow_groups=group1, group2
```
On Tue, Jan 15, 2019 at 07:32:34AM -0700, Sean Roberts wrote:
> SSSD experts - Is it possible to simplify ldap searches like the one below to specify the group name without its full path:
>
> ldap_user_search_base="DC=example,DC=internal?subtree?(|(memberOf=CN=project-users,OU=2,OU=1,DC=example,DC=internal)(memberOf=CN=project-admins,OU=2,OU=1,DC=example,DC=internal))"
>
> Doing so would simplify configurations and prevent issues when objects are moved within the directory.
I think it depends on the schema on the server and whether the DN can be matched with a substring search. It looks like at least 389ds allows that. In general, this is not something sssd enforces, sssd just blindly takes the search filter and uses it.
> *p.s. for access_provider, the following has worked to simplify part of our config. Likely means less load on LDAP. I'm assuming it's safe.*
>
> id_provider=ldap access_provider=simple simple_allow_groups=group1, group2
Yes, but the simple access provider works differently. The group membership is first calculated and stored in the cache and the simple access provider only consults the cache contents.
One difference is that with the user search base, accounts outside the search base wouldn't even be visible on the client with NSS lookups, with the simple access provider they would, 'just' the access on the PAM level would be enforced. This may or may not be what you want (e.g. you might want to convert IDs that the users who can't log in own..)
Thanks. For the LDAP provider, what did you mean by matched with a substring search? A wildcard?
On Thu, Jan 17, 2019 at 04:58:09PM -0700, Sean Roberts wrote:
> Thanks. For the LDAP provider, what did you mean by matched with a substring search? A wildcard?

Yes, I tested with:

```
ldapsearch -H ldap://server.ipa.test -b cn=accounts,dc=ipa,dc=test '(&(uid=admin)(memberof=cn=R*))'
```

on my IPA test system
sssd-users@lists.fedorahosted.org
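The two filter forms discussed in this thread, as an added example (this is not code from sssd, 389ds or any of the posters): the full-DN `memberOf` filter from the original question, a variant that pins only the group RDN and wildcards the rest of the DN so a group can move between OUs, and a small evaluator that applies LDAP substring semantics to constructed candidate group DNs so you can see what a wildcard would actually pull in before putting it in `ldap_user_search_base`. The group and base DNs are the thread's example values; the extra candidate DNs are constructed. It assumes the server honours substring filters on `memberOf` at all, which Jakub reports for 389ds/IPA; Active Directory does not evaluate substring filters on DN-syntax attributes such as `memberOf`, so the wildcard form returns nothing there and you need the full DN.

```python
"""Build sssd ldap_user_search_base filters for memberOf and check what a
wildcard variant would really match.

Added example for this thread; not code from sssd, 389ds or any poster.
Assumptions: the group/base DNs are the thread's example values; the server
honours substring filters on memberOf (reported above for 389ds/IPA). Active
Directory does not evaluate substring filters on DN-syntax attributes such
as memberOf, so the wildcard form returns nothing there.
"""

BASE_DN = "DC=example,DC=internal"

# Constructed candidate group DNs, including a group moved to another OU and
# a similarly named group that a careless wildcard would also pull in.
CANDIDATE_GROUP_DNS = [
    "CN=project-admins,OU=2,OU=1,DC=example,DC=internal",
    "CN=project-admins,OU=archive,DC=example,DC=internal",
    "CN=project-admins-ro,OU=2,OU=1,DC=example,DC=internal",
    "CN=project-users,OU=2,OU=1,DC=example,DC=internal",
]

# RFC 4515 section 3: characters that must be escaped in an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a literal value so '(' ')' '*' or a backslash in a group name
    cannot change the structure of the filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def full_dn_filter(base_dn: str, group_dns: list[str]) -> str:
    """The form used in the thread: one memberOf clause per full group DN."""
    clauses = "".join(f"(memberOf={escape_filter_value(dn)})" for dn in group_dns)
    return f"{base_dn}?subtree?(|{clauses})"


def rdn_wildcard_filter(base_dn: str, group_cns: list[str]) -> str:
    """Pin only the group RDN and wildcard the rest of the DN, so the group may
    move between OUs. The ',' before '*' is what stops 'project-admins' from
    also matching 'project-admins-ro'. The '*' is left unescaped on purpose."""
    clauses = "".join(f"(memberOf=CN={escape_filter_value(cn)},*)" for cn in group_cns)
    return f"{base_dn}?subtree?(|{clauses})"


def substring_matches(pattern: str, value: str) -> bool:
    """Evaluate an LDAP substring assertion (initial*any*...*final) the way a
    server would, case-insensitively like DN matching. `pattern` is the raw
    assertion value (no RFC 4515 hex escapes); no '*' means plain equality."""
    parts = pattern.lower().split("*")
    v = value.lower()
    if len(parts) == 1:
        return v == parts[0]
    initial, *middle, final = parts
    if not v.startswith(initial) or not v.endswith(final):
        return False
    pos, end = len(initial), len(v) - len(final)
    if end < pos:  # initial and final would have to overlap
        return False
    for piece in middle:  # each 'any' piece must appear, in order, between them
        idx = v.find(piece, pos, end)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return True


def which_groups_match(pattern: str, candidate_dns: list[str]) -> list[str]:
    """Return the candidate group DNs a memberOf=<pattern> clause would match."""
    return [dn for dn in candidate_dns if substring_matches(pattern, dn)]


if __name__ == "__main__":
    print(full_dn_filter(BASE_DN, [CANDIDATE_GROUP_DNS[3], CANDIDATE_GROUP_DNS[0]]))
    print(rdn_wildcard_filter(BASE_DN, ["project-users", "project-admins"]))
    for pat in ("CN=project-admins*", "CN=project-admins,*"):
        print(pat, "->", which_groups_match(pat, CANDIDATE_GROUP_DNS))
    print(escape_filter_value("Ops (Legacy)"))
```

Running it shows the trap: `CN=project-admins*` also matches `project-admins-ro`, while `CN=project-admins,*` matches only the intended group in whichever OU it currently lives. Whatever form you settle on, confirm it against the real server with the `ldapsearch` one-liner Jakub used before it goes into sssd.conf, since sssd passes the filter through unchanged and will silently hide every user if the server rejects the substring assertion. Note also that this only narrows which accounts the id provider sees; the `simple_allow_groups` check still runs against the cached membership of the users that remain visible.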