I have multiple RHEL 7.4 servers with LDAP authentication via sssd. Conveniently, my university's LDAP environment has a UIDNumber attribute that is unique for every person. My sssd.conf is at the end of this question.
Here are my questions about this:
Central IT runs two LDAP environments: Active Directory and "traditional" LDAP, both with usernames and passwords kept in sync. I cannot create groups on the LDAP environment, but I can in AD. Is there a way to say, "Authenticate users via LDAP, but a username's sAMAccountName has to match memberOf on this other LDAP server"? As it stands now, my ldap_user_search_base can turn into one heck of a filter when I have a lot of users.
Also, I'd be interested to know if it's possible to automatically make groups for users. That is, when user jsmith with UID 12345 logs in, there's also a group jsmith with GID 12345 ready to go.
Thanks!
[domain/default]
autofs_provider = ldap
cache_credentials = True
ldap_search_base = dc=example,dc=edu
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.example.edu:636
ldap_tls_reqcert = never
ldap_default_bind_dn = cn=proxy,ou=proxy-users,dc=example,dc=edu
ldap_default_authtok = lamepassword
ldap_user_object_class = exampleEduPerson
ldap_user_name = uid
ldap_user_uid_number = exampleEduUIDNumber
ldap_user_gid_number = exampleEduGIDNumber
ldap_user_gecos = exampleEduGECOS
ldap_user_uuid = exampleEduUID
ldap_id_mapping = False
override_shell = /bin/bash
override_homedir = /home/%u
debug_level = 5
ldap_user_search_base = uid=jsmith,ou=People,dc=example,dc=edu??

[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default

[nss]
homedir_substring = /home

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
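The fragment below is an added illustration, not the poster's file or anything from the university's setup. It shows the two sssd mechanisms that replace a per-user `ldap_user_search_base`: the documented `base?scope?filter` form of a search base, and an LDAP access filter. It also pairs the `ldap_tls_reqcert = never` line from the question with the hardened setting. Assumed, and not taken from the question: that the directory on ldap.example.edu exposes a `memberOf` attribute on user entries, that a group `cn=linux-users,ou=Groups,dc=example,dc=edu` exists there, and the CA bundle path, which is a placeholder. Both filters are evaluated against the server named by `id_provider`, so this does not by itself consult a second directory.

```ini
# Added illustrative sssd.conf fragment (not the poster's configuration).
# Assumptions: user entries on ldap.example.edu carry a memberOf attribute,
# the group cn=linux-users,ou=Groups,dc=example,dc=edu exists, and the
# CA bundle path below is a placeholder to be replaced with the real one.
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.edu:636

# Weak: any certificate is accepted, so a host impersonating the LDAP server
# can collect the proxy bind credentials and every user password sent to it.
# ldap_tls_reqcert = never

# Hardened: the server certificate must chain to a trusted CA.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt   # placeholder path

# Search-base syntax is base?scope?filter. Searching the whole People subtree
# with a filter replaces one base entry per user.
ldap_user_search_base = ou=People,dc=example,dc=edu?subtree?(memberOf=cn=linux-users,ou=Groups,dc=example,dc=edu)

# Visibility in getent is not the same as permission to log in. The access
# filter is checked at every login, including for cached credentials, and
# denies anyone outside the group.
access_provider = ldap
ldap_access_filter = (memberOf=cn=linux-users,ou=Groups,dc=example,dc=edu)
```

After changing the search base or access filter, restart sssd and clear the cache with `sss_cache -E`, then confirm with `getent passwd jsmith` that users outside the group no longer resolve and, with a test login, that the access filter denies them.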