5.4. Changing the LDAP Search Base for Users and Groups in a Trusted Active Directory Domain

As an administrator, you can set a different search base for users and groups in the trusted Active Directory domain. For example, this enables you to filter out users from inactive organizational units (OUs) so that only the Active Directory users and groups under the selected OU are visible to the SSSD client system. Note that the search base only scopes what SSSD looks up; it is not a substitute for access control such as HBAC rules or an access provider, which decide whether a resolvable user may log in.

5.4.1. Prerequisites

  • To ensure that SSSD does not resolve every group a user belongs to, consider disabling SSSD's use of the tokenGroups attribute. tokenGroups is a constructed attribute that Active Directory computes for each user; whether SSSD reads it is controlled by the ldap_use_tokengroups option described in the sssd-ldap(5) man page.
    With tokenGroups enabled, SSSD resolves all groups the user belongs to because the attribute contains a flat list of SIDs, so restricting the group search base alone does not limit group resolution. See the Token-Groups attribute documentation on Microsoft Developer Network for details about the attribute.

5.4.2. Configuring the LDAP Search Base to Restrict Searches

This procedure describes restricting searches in SSSD to a specific subtree by editing the /etc/sssd/sssd.conf file.

Considerations

  • If your SSSD clients are directly joined to an Active Directory domain, perform this procedure on all the clients.
  • If your SSSD clients are in an Identity Management domain that is in a trust with Active Directory, perform this procedure only on the Identity Management server.

Procedure

  1. Make sure the trusted domain has a separate [domain] section in sssd.conf. The headings of trusted domain sections follow this template:
    [domain/main_domain/trusted_domain]
    For example:
    [domain/idm.example.com/ad.example.com]
  2. Edit the sssd.conf file to restrict the search base to a specific organizational unit (OU). For example, the ldap_search_base option sets the search base for all types of objects:
    [domain/idm.example.com/ad.example.com]
    ldap_search_base = ou=finance,dc=ad,dc=example,dc=com
    To restrict one object type separately, use the ldap_user_search_base, ldap_group_search_base, ldap_netgroup_search_base, or ldap_service_search_base option; each of these takes precedence over ldap_search_base for its own object type and defaults to it when unset. For more details on these options, see the sssd-ldap(5) man page.
  3. Restart SSSD.
    # systemctl restart sssd.service
  4. To verify, resolve a few Active Directory users and groups on the SSSD client, including at least one object that lies outside the configured OU. For example, to test a change to the user search base and group search base:
    # getent passwd ad_user@ad.example.com
    # getent group ad_group@ad.example.com
    If SSSD is configured correctly, only objects from the configured search base resolve; lookups of objects outside it return nothing. Entries cached before the change can still resolve until they expire, so if the client has looked up these objects before, run sss_cache --everything first.
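
As an added example that is not part of this guide or of SSSD, the following Python script reads an sssd.conf-style file, picks out the trusted domain section, works out which search base SSSD actually applies to each object type (the per-type options fall back to ldap_search_base, and an unset base means the server's default naming context), and checks which directory objects a given base covers. It also parses the fuller search-base syntax documented in sssd-ldap(5), base?scope?filter with several bases joined by ?, which goes beyond the single OU used in the procedure. The configuration fragment and the DNs are constructed for illustration; no LDAP queries are made, and the filter part of a search base is parsed but not evaluated.

```python
"""Work out which search bases SSSD applies in a trusted AD domain and
which directory objects fall inside them (added example; see lead-in)."""
import configparser
import re
import sys

# Constructed sssd.conf fragment using the names from the procedure.
SAMPLE_SSSD_CONF = """
[sssd]
domains = idm.example.com
services = nss, pam

[domain/idm.example.com]
id_provider = ipa
ipa_server = server.idm.example.com

[domain/idm.example.com/ad.example.com]
ldap_search_base = ou=finance,dc=ad,dc=example,dc=com
ldap_group_search_base = ou=groups,ou=finance,dc=ad,dc=example,dc=com?subtree?
"""

# Object types with their own *_search_base option in sssd-ldap(5).
OBJECT_TYPES = ("user", "group", "netgroup", "service")
SCOPES = ("base", "onelevel", "subtree")


def trusted_domain_sections(conf_text):
    """Return {name: options} for every [domain/<main>/<trusted>] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    return {name: dict(parser[name]) for name in parser.sections()
            if re.fullmatch(r"domain/[^/]+/[^/]+", name)}


def parse_search_base(value):
    """Split the sssd-ldap(5) form base?scope?filter[?base?scope?filter...]
    into (base, scope, filter) tuples. A bare DN means subtree with no filter.
    A misspelled scope raises instead of silently changing the search."""
    parts = [p.strip() for p in value.split("?")]
    if len(parts) == 1:
        return [(parts[0], "subtree", "")]
    if len(parts) % 3:
        raise ValueError(f"expected base?scope?filter triples: {value!r}")
    triples = []
    for i in range(0, len(parts), 3):
        base, scope, ldap_filter = parts[i:i + 3]
        if scope not in SCOPES:
            raise ValueError(f"unknown scope {scope!r} in {value!r}")
        triples.append((base, scope, ldap_filter))
    return triples


def effective_search_bases(options):
    """Per object type, the base SSSD uses: ldap_<type>_search_base if set,
    otherwise ldap_search_base. An empty list means no base is configured and
    SSSD would fall back to the server's default naming context."""
    default = options.get("ldap_search_base", "")
    result = {}
    for obj in OBJECT_TYPES:
        value = options.get(f"ldap_{obj}_search_base", default)
        result[obj] = parse_search_base(value) if value else []
    return result


def _rdns(dn):
    """Normalize a DN to a list of RDNs: case-folded, spaces around commas dropped."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_in_scope(dn, base, scope):
    """True if a search with this base and scope would return dn."""
    dn_rdns, base_rdns = _rdns(dn), _rdns(base)
    if len(dn_rdns) < len(base_rdns) or dn_rdns[-len(base_rdns):] != base_rdns:
        return False                      # not in this subtree at all
    depth = len(dn_rdns) - len(base_rdns)
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    return True                           # subtree: any depth below the base


def in_effective_scope(dn, obj_type, bases):
    """True if some configured (base, scope) for obj_type covers dn.
    Filters are not evaluated here; they can only narrow the result further."""
    return any(dn_in_scope(dn, base, scope) for base, scope, _ in bases[obj_type])


if __name__ == "__main__":
    # Pass a path to read a real sssd.conf (run as root); otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSSD_CONF
    for name, options in trusted_domain_sections(text).items():
        bases = effective_search_bases(options)
        print(f"[{name}]")
        for obj, triples in bases.items():
            print(f"  {obj:9} {triples or 'default naming context'}")
        # Constructed DNs: one inside the OU, one nested below it, one outside.
        for dn in ("cn=ad_user,ou=finance,dc=ad,dc=example,dc=com",
                   "cn=ad_group,ou=groups,ou=finance,dc=ad,dc=example,dc=com",
                   "cn=old_user,ou=retired,dc=ad,dc=example,dc=com"):
            print(f"  user lookup  {dn}: {in_effective_scope(dn, 'user', bases)}")
            print(f"  group lookup {dn}: {in_effective_scope(dn, 'group', bases)}")
```

Run it with the path to /etc/sssd/sssd.conf to see the base each object type actually gets after the fallback is applied; a group restricted to ou=groups while users stay at ou=finance, as in the sample, is the kind of asymmetry that is easy to miss when reading the file by eye.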
If you can still resolve users from outside the configured search base, troubleshoot the problem by inspecting the SSSD logs:
  1. Expire the SSSD caches so that the next lookup goes to Active Directory instead of being answered from the local cache.
    # sss_cache --everything
  2. In the main [domain] section of sssd.conf (for example [domain/idm.example.com], not the trusted domain subsection), set the debug_level option to 10 and restart SSSD.
  3. Repeat the command for resolving a user.
  4. In the SSSD logs at /var/log/sssd/, look for messages from the sdap_get_generic_* functions. The functions log the filter and search base used in user searches; compare the logged search base with the value you configured.
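
The following Python script, added here and not part of SSSD or this guide, shows what to extract from those log messages: it pulls the filter and search base out of every "calling ldap_search_ext with [filter][base]" line written by sdap_get_generic_ext_step, skips searches against other trees (such as the IdM domain's own cn=accounts subtree, which the same log also records), and reports any search of the trusted AD domain whose base is not at or below the configured OU. The log lines are constructed to mimic that message, including a made-up SID; the timestamp and process prefix vary between SSSD releases, so the pattern matches only on the function name and message text, and you should confirm the exact wording against your own logs.

```python
"""Extract filter and search base from SSSD debug logs and flag AD searches
that used a base outside the configured OU (added example; see lead-in)."""
import re

# Constructed lines in the style of /var/log/sssd/sssd_idm.example.com.log at
# debug_level 10. Only the function name and message text are relied upon.
SAMPLE_LOG = """\
(Mon Mar  4 12:00:01 2019) [sssd[be[idm.example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(uid=admin)(objectclass=posixAccount))][cn=accounts,dc=idm,dc=example,dc=com].
(Mon Mar  4 12:00:01 2019) [sssd[be[idm.example.com]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Mar  4 12:00:02 2019) [sssd[be[idm.example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=ad_user)(objectclass=user))][ou=finance,dc=ad,dc=example,dc=com].
(Mon Mar  4 12:00:02 2019) [sssd[be[idm.example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=group)(objectSID=S-1-5-21-1111111111-2222222222-3333333333-1105))][dc=ad,dc=example,dc=com].
"""

# The filter is matched greedily and the base is taken from the last [...]
# on the line, so brackets inside the filter cannot confuse the split.
SEARCH_RE = re.compile(
    r"\[sdap_get_generic_ext_step\] \(0x[0-9a-fA-F]+\): "
    r"calling ldap_search_ext with \[(?P<filter>.*)\]\[(?P<base>[^\]]*)\]"
)


def extract_searches(log_text):
    """Return (filter, base) for each LDAP search recorded in the log."""
    found = []
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if m:
            found.append((m.group("filter"), m.group("base")))
    return found


def _rdns(dn):
    """Normalize a DN to a list of RDNs: case-folded, spaces around commas dropped."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_under(dn, base):
    """True if dn equals base or lies beneath it (RDN suffix match)."""
    d, b = _rdns(dn), _rdns(base)
    return len(d) >= len(b) and d[-len(b):] == b


def audit_searches(log_text, trusted_suffix, expected_base):
    """Check every search of the trusted AD domain against the configured base.

    Searches outside trusted_suffix (for instance the IdM domain's own
    cn=accounts tree, which the same log records) are skipped. Searches
    inside it must be at or below expected_base; the rest are escapes.
    Returns (checked, escaped), each a list of (filter, base) pairs.
    """
    checked, escaped = [], []
    for ldap_filter, base in extract_searches(log_text):
        if not dn_under(base, trusted_suffix):
            continue
        checked.append((ldap_filter, base))
        if not dn_under(base, expected_base):
            escaped.append((ldap_filter, base))
    return checked, escaped


if __name__ == "__main__":
    # Real use: pass open("/var/log/sssd/sssd_idm.example.com.log").read() instead.
    checked, escaped = audit_searches(SAMPLE_LOG, "dc=ad,dc=example,dc=com",
                                      "ou=finance,dc=ad,dc=example,dc=com")
    print(f"{len(checked)} AD searches, {len(escaped)} outside the configured base")
    for ldap_filter, base in escaped:
        print(f"  ESCAPED base={base} filter={ldap_filter}")
```

An escaped search tells you which lookup is not honouring the restriction; the filter shows the object type involved (user, group, or a lookup by SID), which points at the option or section that needs adjusting.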

Additional Resources

  • For a list of options you can use in trusted domain sections of sssd.conf, see Trusted domain section in the sssd.conf(5) man page.