5.4. Changing the LDAP Search Base for Users and Groups in a Trusted Active Directory Domain
As an administrator, you can set a different search base for users and groups in the trusted Active Directory domain. For example, this enables you to filter out users from inactive organizational units so that only active Active Directory users and groups are visible to the SSSD client system.
5.4.1. Prerequisites
- To ensure that SSSD does not resolve all groups a user belongs to, consider disabling support for the tokenGroups attribute on the Active Directory side. With tokenGroups enabled, SSSD resolves every group the user is a member of, because the attribute contains a flat list of group SIDs, so the groups are found even when they lie outside the configured group search base. On the SSSD side, the ldap_use_tokengroups option in sssd-ldap(5) controls whether the attribute is used. See Token-Groups attribute on Microsoft Developer Network for details about the attribute.
5.4.2. Configuring the LDAP Search Base to Restrict Searches
This procedure describes restricting searches in SSSD to a specific subtree by editing the /etc/sssd/sssd.conf file.
Considerations
- If your SSSD clients are directly joined to an Active Directory domain, perform this procedure on all the clients.
- If your SSSD clients are in an Identity Management domain that is in a trust with Active Directory, perform this procedure only on the Identity Management server.
Procedure
- Make sure the trusted domain has a separate [domain] section in sssd.conf. The headings of trusted domain sections follow this template:
[domain/main_domain/trusted_domain]
For example:
[domain/idm.example.com/ad.example.com]
- Edit the sssd.conf file to restrict the search base to a specific organizational unit (OU). For example, the ldap_search_base option changes the search base for all types of objects:
[domain/idm.example.com/ad.example.com]
ldap_search_base = ou=finance,dc=ad,dc=example,dc=com
You can also use the ldap_user_search_base, ldap_group_search_base, ldap_netgroup_search_base, and ldap_service_search_base options to restrict the search base for a single object type. For more details on these options, see the sssd-ldap(5) man page.
- Restart SSSD.
# systemctl restart sssd.service
- To verify, resolve a few Active Directory users and groups on the SSSD client. For example, to test a change to the user search base and the group search base:
# getent passwd ad_user@ad.example.com
# getent group ad_group@ad.example.com
If SSSD is configured correctly, you can resolve only objects located under the configured search base; lookups for objects outside it fail.
If you are still able to resolve users from outside the configured search base, troubleshoot the problem by inspecting the SSSD logs:
- Expire the SSSD caches.
# sss_cache --everything
- In the general [domain] section of sssd.conf, that is, the section for the main domain, set the debug_level option to 9.
- Repeat the command for resolving a user.
- In the SSSD logs at /var/log/sssd/ (the domain log is sssd_main_domain.log), look for messages from the sdap_get_generic_* functions. The functions log the filter and search base used in user searches, so you can see which base the lookup actually used.
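The following script is an added example written for this page, not part of SSSD or of the original procedure. It complements the verification and troubleshooting steps above: it parses an sssd.conf, finds every [domain/main_domain/trusted_domain] section, splits each ldap_*_search_base value using the base?scope?filter syntax of sssd-ldap(5), checks that the scope is one of base, onelevel or subtree, and requires every base to sit under the trusted domain's suffix. The dn_is_under() helper can also be given the DN of an object that unexpectedly resolved, to tell whether it really lies under the configured base. The embedded config and DNs are constructed for the example; treating a missing scope as subtree is an assumption.

```python
"""Check the search-base settings of a trusted-domain section in sssd.conf.

Added example, not SSSD code. Limitation: DNs are split on plain commas, so
RDN values containing an escaped comma (\\,) are not handled.
"""
import configparser
import re

SEARCH_BASE_OPTIONS = (
    "ldap_search_base",
    "ldap_user_search_base",
    "ldap_group_search_base",
    "ldap_netgroup_search_base",
    "ldap_service_search_base",
)
VALID_SCOPES = ("base", "onelevel", "subtree")

# Constructed sample: an IdM server with a trust to ad.example.com, restricted
# to the finance OU as in the procedure above.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = idm.example.com
services = nss, pam

[domain/idm.example.com]
id_provider = ipa

[domain/idm.example.com/ad.example.com]
ldap_search_base = ou=finance,dc=ad,dc=example,dc=com
ldap_user_search_base = ou=people,ou=finance,dc=ad,dc=example,dc=com?subtree?(objectClass=user)
"""


def normalize_dn(dn):
    """Lower-case a DN and drop whitespace around commas, so that
    'CN=Jane, OU=Finance, DC=ad, ...' compares equal to its canonical form."""
    return [part.strip() for part in dn.lower().split(",")]


def dn_is_under(dn, base):
    """True if dn equals base or lies beneath it. Comparison is per RDN, so
    ou=notfinance is not mistaken for a child of ou=finance."""
    dn_parts, base_parts = normalize_dn(dn), normalize_dn(base)
    return len(dn_parts) >= len(base_parts) and dn_parts[-len(base_parts):] == base_parts


def parse_search_base(value):
    """Split an sssd-ldap(5) value base[?scope?[filter][?base?scope?[filter]]*]
    into (base, scope, filter) tuples. A missing scope is treated as subtree
    here (assumption about the default, not taken from the man page)."""
    fields = [f.strip() for f in value.split("?")]
    entries = []
    for i in range(0, len(fields), 3):
        base, scope, ldap_filter = (fields[i:i + 3] + ["", ""])[:3]
        entries.append((base, scope or "subtree", ldap_filter))
    return entries


def trusted_domain_sections(conf):
    """Section names of the form [domain/main_domain/trusted_domain]."""
    return [s for s in conf.sections() if re.fullmatch(r"domain/[^/]+/[^/]+", s)]


def check_search_bases(conf_text, domain_suffix):
    """Return a list of problems found in the trusted-domain sections of the
    given sssd.conf text; an empty list means the search bases look sane."""
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(conf_text)
    problems = []
    sections = trusted_domain_sections(conf)
    if not sections:
        problems.append("no [domain/main_domain/trusted_domain] section found")
    for name in sections:
        for opt in SEARCH_BASE_OPTIONS:
            if opt not in conf[name]:
                continue
            for base, scope, _ in parse_search_base(conf[name][opt]):
                if scope not in VALID_SCOPES:
                    problems.append(f"[{name}] {opt}: unknown scope '{scope}'")
                if not dn_is_under(base, domain_suffix):
                    problems.append(f"[{name}] {opt}: {base} is outside {domain_suffix}")
    return problems


if __name__ == "__main__":
    for line in check_search_bases(SAMPLE_SSSD_CONF, "dc=ad,dc=example,dc=com") or ["OK"]:
        print(line)
    # A user that resolved although it should not: is its DN under the base?
    print(dn_is_under("CN=Bob,OU=Archive,DC=ad,DC=example,DC=com",
                      "ou=finance,dc=ad,dc=example,dc=com"))
```

On a real client, read /etc/sssd/sssd.conf instead of the sample and pass the suffix of the trusted domain. When an object still resolves after the change, obtain its DN (for example with ldapsearch against the Active Directory domain controller) and pass it to dn_is_under(): a True result means the object legitimately lives in the OU, a False result means the lookup did not use the restricted base, which is the case the debug_level 9 logs help explain.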
Additional Resources
- For a list of options you can use in trusted domain sections of sssd.conf, see TRUSTED DOMAIN SECTION in the sssd.conf(5) man page.