
How can I make sssd search for group memberships in all configured domains?

Given the configuration below, both alice(@bar) and bob(@foo) should be members of testgroup(@bar). However, only alice is considered a member of testgroup by sssd.

Looking at a tcpdump capture it appears that alice only searches for (&(&(member=uid=alice,ou=users,dc=bar,dc=example,dc=com)(objectClass=posixGroup))(cn=*)) within scope ou=groups,dc=bar,dc=example,dc=com and bob only searches for (&(&(member=uid=bob,ou=users,dc=foo,dc=example,dc=com)(objectClass=posixGroup))(cn=*)) within scope ou=groups,dc=foo,dc=example,dc=com.

How can I alter the behavior of sssd (or my OpenLDAP backend) to allow for cross domain membership?

dn: cn=testgroup,ou=groups,dc=bar,dc=example,dc=com
objectClass: groupOfNames
objectClass: posixGroup
cn: testgroup
gidNumber: 54321
member: uid=alice,ou=users,dc=bar,dc=example,dc=com
member: uid=bob,ou=users,dc=foo,dc=example,dc=com


[sssd]
config_file_version = 2
services = nss, pam, autofs
domains = FOO.EXAMPLE.COM, BAR.EXAMPLE.COM

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[autofs]

[domain/FOO.EXAMPLE.COM]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = _srv_
ldap_search_base = dc=foo,dc=example,dc=com
ldap_user_search_base = ou=users,dc=foo,dc=example,dc=com?onelevel?
ldap_group_search_base = ou=groups,dc=foo,dc=example,dc=com?onelevel?
ldap_schema = rfc2307bis
ldap_sasl_mech = GSSAPI
krb5_realm = FOO.EXAMPLE.COM

ldap_autofs_entry_key = automountKey
ldap_autofs_map_name = automountMapName
ldap_autofs_search_base = ou=automount,dc=foo,dc=example,dc=com

[domain/BAR.EXAMPLE.COM]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = _srv_
ldap_search_base = dc=bar,dc=example,dc=com
ldap_user_search_base = ou=users,dc=bar,dc=example,dc=com?onelevel?
ldap_group_search_base = ou=groups,dc=bar,dc=example,dc=com?onelevel?
ldap_schema = rfc2307bis
ldap_sasl_mech = GSSAPI

ldap_autofs_entry_key = automountKey
ldap_autofs_map_name = automountMapName
ldap_autofs_search_base = ou=automount,dc=bar,dc=example,dc=com

2 Answers


Use multiple ldap_*_search_bases within a domain.

ldap_user_search_base = ou=users,dc=bar,dc=example,dc=com?onelevel??ou=users,dc=foo,dc=example,dc=com?onelevel?
ldap_group_search_base = ou=groups,dc=bar,dc=example,dc=com?onelevel??ou=groups,dc=foo,dc=example,dc=com?onelevel?
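The behaviour described in the question (each domain only searches its own ou=groups and ou=users containers) and the multi-base fix in the answer above, modelled offline in Python as an added example; this is not code from the question, the answer, or the sssd project. It parses sssd's base?scope?filter search-base syntax, checks which DNs fall inside a base at a given scope, and works out which testgroup members each configuration can attribute to the group. The scope semantics (base, onelevel, subtree, with subtree as the default) and the triple syntax are as documented in sssd-ldap(5); the DN splitter is a deliberate simplification (no escaped commas, case-folded values), the optional filter field is parsed but not evaluated, and no LDAP server is contacted.

```python
from __future__ import annotations
from dataclasses import dataclass

# The group entry from the question, held as constructed in-memory data.
TESTGROUP_DN = "cn=testgroup,ou=groups,dc=bar,dc=example,dc=com"
TESTGROUP_MEMBERS = [
    "uid=alice,ou=users,dc=bar,dc=example,dc=com",
    "uid=bob,ou=users,dc=foo,dc=example,dc=com",
]

# Search bases exactly as configured in the question's sssd.conf ...
BAR_USER_BASE = "ou=users,dc=bar,dc=example,dc=com?onelevel?"
BAR_GROUP_BASE = "ou=groups,dc=bar,dc=example,dc=com?onelevel?"
FOO_USER_BASE = "ou=users,dc=foo,dc=example,dc=com?onelevel?"
FOO_GROUP_BASE = "ou=groups,dc=foo,dc=example,dc=com?onelevel?"
# ... and the merged bases from the first answer (triples joined by '?').
MULTI_USER_BASE = BAR_USER_BASE + "?" + FOO_USER_BASE
MULTI_GROUP_BASE = BAR_GROUP_BASE + "?" + FOO_GROUP_BASE


def dn_rdns(dn: str) -> list[str]:
    """Split a DN into its RDNs, case-folded and whitespace-trimmed.

    Simplified on purpose: RDN values containing escaped commas are not
    handled, which is fine for the DNs used on this page."""
    return [part.strip().lower() for part in dn.split(",") if part.strip()]


def in_scope(entry_dn: str, base: str, scope: str) -> bool:
    """True if a search rooted at `base` with `scope` could return entry_dn."""
    entry = dn_rdns(entry_dn)
    root = dn_rdns(base)
    if len(entry) < len(root) or entry[len(entry) - len(root):] != root:
        return False                    # entry is not under the base at all
    depth = len(entry) - len(root)      # 0 means the base entry itself
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError(f"unknown scope: {scope}")


@dataclass
class SearchBase:
    base: str
    scope: str = "subtree"   # sssd's default when the scope field is empty
    filter: str = ""         # optional extra filter; not evaluated here


def parse_search_bases(value: str) -> list[SearchBase]:
    """Parse sssd's 'base?scope?filter?base?scope?filter...' syntax."""
    fields = value.split("?")
    if len(fields) == 1:                # a bare base: one subtree search
        return [SearchBase(fields[0])]
    if len(fields) % 3 != 0:
        raise ValueError("search base must consist of base?scope?filter triples")
    return [
        SearchBase(fields[i], fields[i + 1] or "subtree", fields[i + 2])
        for i in range(0, len(fields), 3)
    ]


def visible_members(group_dn: str, members: list[str],
                    group_search_base: str, user_search_base: str) -> list[str]:
    """Members a domain can attribute to the group under its search bases.

    The group must lie inside one of the group search bases or the domain
    never finds it; each member DN must lie inside one of the user search
    bases or the domain cannot resolve it to a user."""
    groups = parse_search_bases(group_search_base)
    users = parse_search_bases(user_search_base)
    if not any(in_scope(group_dn, b.base, b.scope) for b in groups):
        return []
    return [m for m in members
            if any(in_scope(m, b.base, b.scope) for b in users)]


if __name__ == "__main__":
    for label, g, u in [("BAR domain, original", BAR_GROUP_BASE, BAR_USER_BASE),
                        ("FOO domain, original", FOO_GROUP_BASE, FOO_USER_BASE),
                        ("multi-base", MULTI_GROUP_BASE, MULTI_USER_BASE)]:
        print(label, "->", visible_members(TESTGROUP_DN, TESTGROUP_MEMBERS, g, u))
```

With the original per-domain bases the BAR domain sees only alice and the FOO domain never finds testgroup at all, which is exactly the capture in the question; with the merged bases both members are in scope. The model ignores nested groups and the filter field, so it shows the scoping problem, not everything sssd does during a group lookup.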

SSSD does not support cross-domain memberships between two different [domain] stanzas. However, if your server is AD, then you can just use id_provider=ad, then universally-scoped groups should be resolvable with sssd.

jhrozek