Este conteúdo não está disponível no idioma selecionado.

5.4. Changing the LDAP Search Base for Users and Groups in a Trusted Active Directory Domain


As an administrator, you can set a different search base for users and groups in the trusted Active Directory domain. For example, this enables you to filter out users from inactive organizational units so that only active Active Directory users and groups are visible to the SSSD client system.

5.4.1. Prerequisites

  • To ensure that SSSD does not resolve all groups the users belongs to, consider disabling the support for the tokenGroups attribute on the Active Directory side.
    With tokenGroups enabled, SSSD resolves all groups the user belongs to because the attribute contains a flat list of SIDs. See Token-Groups attribute on Microsoft Developer Network for details about the attribute.

5.4.2. Configuring the LDAP Search Base to Restrict Searches

This procedure describes restricting searches in SSSD to a specific subtree by editing the /etc/sssd/sssd.conf file.

Considerations

  • If your SSSD clients are directly joined to an Active Directory domain, perform this procedure on all the clients.
  • If your SSSD clients are in an Identity Management domain that is in a trust with Active Directory, perform this procedure only on the Identity Management server.

Procedure

  1. Make sure the trusted domain has a separate [domain] section in sssd.conf. The headings of trusted domain sections follow this template:
    [domain/main_domain/trusted_domain]
    For example:
    [domain/idm.example.com/ad.example.com]
  2. Edit the sssd.conf file to restrict the search base to a specific organizational unit (OU). For example, the ldap_search_base option changes the search base for all types of objects.
    [domain/idm.example.com/ad.example.com]
    ldap_search_base = ou=finance,dc=ad,dc=example,dc=com
    You can also use the ldap_user_search_base, ldap_group_search_base, ldap_netgroup_search_base, and ldap_service_search_base options. For more details on these options, see the sssd-ldap(5) man page.
  3. Restart SSSD.
    # systemctl restart sssd.service
  4. To verify, resolve a few Active Directory users on the SSSD client. For example, to test a change to the user search base and group search base:
    # getent passwd ad_user@ad.example.com
    # getent group ad_group@ad.example.com
    If SSSD is configured correctly, you are able to resolve only objects from the configured search base.
If you are able to resolve users from other search domains, troubleshoot the problem by inspecting the SSSD logs:
  1. Expire the SSSD caches.
    # sss_cache --everything
  2. In the general [domain] section of sssd.conf, set the debug_level option to 9.
  3. Repeat the command for resolving a user.
  4. In the SSSD logs at /var/log/sssd/, look for messages from the sdap_get_generic_* functions. The functions log the filter and search base used in user searches.

Additional Resources

  • For a list of options you can use in trusted domain sections of sssd.conf, see TRUSTED DOMAIN SECTION in the sssd.conf(5) man page.
Red Hat logoGithubRedditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja oBlog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

© 2024 Red Hat, Inc.