Realmd / sssd - pulling groups from AD

Posted on

We are currently testing a POC to migrate to realmd across our RHEL 7 and RHEL8 estate. This is working fine but one thing is a little messy. We have many groups in AD, and each RHEL instance is in one or more of these groups.

In order to restrict login to the host to the members of the group that it is in we use an ldap search which populates the simple_allow_groups based on "memberOf:" in the sssd.conf. This works Ok but is there a better way to do this?

I was hoping there was a way to specify in sssd.conf to allow login for any members of a group that the computer object is in. I.e so we don't need to put these groups names specifically into sssd.conf with a script or whatever, it queries AD for them. Is this possible?