5.4.2. Configuring the LDAP Search Base to Restrict Searches
As an administrator, you can set a different search base for users and groups in the trusted Active Directory domain. For example, this enables you to filter out users from inactive organizational units so that only active Active Directory users and groups are visible to the SSSD client system.
This procedure describes restricting searches in SSSD to a specific subtree by editing the sssd.conf file so that the search base is limited to a specific organizational unit (OU).
Note
If your SSSD clients are directly joined to an Active Directory domain, perform this procedure on all the clients.
If your SSSD clients are in an Identity Management domain that is in a trust with Active Directory, perform this procedure only on the Identity Management server: the server performs the Active Directory lookups on behalf of the clients, so settings in the clients' own sssd.conf files do not affect them.
1. Make sure the trusted domain has a separate [domain] section in sssd.conf. The search base options must go into the section of the trusted domain, not into the section of the main domain. The headings of trusted domain sections follow a fixed template, which is described in the trusted domain section of the sssd.conf(5) man page.
2. In the [domain] section of the trusted domain, restrict the search base to the OU. For example, the ldap_search_base option changes the search base for all types of objects:
ldap_search_base = ou=finance,dc=ad,dc=example,dc=com
You can also use the ldap_user_search_base, ldap_group_search_base, ldap_netgroup_search_base, and ldap_service_search_base options to set a different base for each object type; an object-specific option takes precedence over ldap_search_base for that object type. The sssd-ldap(5) man page also documents an extended base?scope?filter syntax for these options, which restricts searches by an LDAP filter in addition to the subtree. For more details on these options, see the sssd-ldap(5) man page.
3. Restart SSSD so that the new search base takes effect:
# systemctl restart sssd.service
To verify, resolve a few Active Directory users and groups on the SSSD client. For example, to test a change to the user search base and the group search base:
# getent passwd user@ad.example.com
# getent group group@ad.example.com
If SSSD is configured correctly, you are able to resolve only objects from the configured search base; a lookup for an object stored elsewhere in the domain returns nothing.
If you are still able to resolve users from outside the configured search base, the answers might come from the SSSD cache or from a section of sssd.conf other than the one you edited. Troubleshoot the problem by inspecting the SSSD logs:
1. Expire the SSSD caches so that the next lookup is sent to Active Directory instead of being answered from the cache:
# sss_cache -E
2. In the general [domain] section of sssd.conf (the section of the main domain, not of the trusted domain), raise the debug_level option so that LDAP searches are logged, and restart SSSD.
3. Repeat the command for resolving a user.
4. In the SSSD logs in /var/log/sssd/, look for messages from the sdap_get_generic_* functions. These functions log the filter and the search base used in each user search. If the logged search base is not the OU you configured, SSSD is reading the option from a different section than the one you intended, or from no section at all.
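The following shell script is an added example and is not part of the Red Hat guide. It automates the two checks the procedure relies on: which base SSSD will actually use for each object type in a trusted-domain section of sssd.conf (an object-specific ldap_*_search_base option overriding ldap_search_base), and whether debug log lines from the sdap_get_generic_* functions show any search that left the configured subtree. The sssd.conf fragment, the section heading [domain/idm.example.com/ad.example.com], and the log lines are constructed samples; the log line layout imitates the "calling ldap_search_ext with [filter][base]" message but is an assumption about your SSSD version, so compare it with a real line from /var/log/sssd/ before relying on the parser.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide. Audits (1) the effective LDAP
# search base in a trusted-domain section of sssd.conf and (2) SSSD debug
# log lines for searches that left the configured subtree.
# The configuration fragment, section name and log lines below are
# constructed samples; the log layout is an assumption about SSSD's
# sdap_get_generic_* messages and may differ on your version.

# Constructed sssd.conf: an IdM main domain with a trusted AD subdomain
# whose user lookups are limited to ou=finance and whose group lookups
# are limited to a narrower OU below it.
SSSD_CONF='[sssd]
domains = idm.example.com

[domain/idm.example.com]
id_provider = ipa

[domain/idm.example.com/ad.example.com]
ldap_search_base = ou=finance,dc=ad,dc=example,dc=com
ldap_group_search_base = ou=groups,ou=finance,dc=ad,dc=example,dc=com
'
SECTION='domain/idm.example.com/ad.example.com'
EXPECTED_BASE='ou=finance,dc=ad,dc=example,dc=com'

# Constructed debug log excerpt in the shape of the sdap_get_generic_*
# messages: filter and search base each in square brackets. The third
# line is a search that used a base outside the configured OU.
SSSD_LOG='(Mon Jan  1 10:00:00 2024) [sssd[be[idm.example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=jdoe)(objectclass=user))][ou=finance,dc=ad,dc=example,dc=com].
(Mon Jan  1 10:00:01 2024) [sssd[be[idm.example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=group)(cn=finance-admins))][ou=groups,ou=finance,dc=ad,dc=example,dc=com].
(Mon Jan  1 10:00:02 2024) [sssd[be[idm.example.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=old.user)(objectclass=user))][ou=retired,dc=ad,dc=example,dc=com].
'

# effective_search_base CONF SECTION KIND
# Prints the base SSSD uses for KIND (user, group, netgroup or service)
# objects in SECTION: ldap_<KIND>_search_base if set, else ldap_search_base.
# Prints nothing when neither is set (SSSD then falls back to its default).
effective_search_base() {
    printf '%s\n' "$1" | awk -v section="[$2]" -v kind="$3" '
        BEGIN { key = "ldap_" kind "_search_base" }
        /^\[/ { in_section = ($0 == section); next }
        in_section && $0 ~ "^" key " *=" {
            specific = $0; sub(/^[^=]*= */, "", specific) }
        in_section && /^ldap_search_base *=/ {
            generic = $0; sub(/^[^=]*= */, "", generic) }
        END { if (specific != "") print specific; else if (generic != "") print generic }'
}

# searches_outside_base LOG EXPECTED_BASE
# Prints every search base found in sdap_get_generic_* messages of LOG that
# is neither EXPECTED_BASE nor a subtree of it (compared case-insensitively,
# as DNs are). Empty output means every logged search stayed inside the base.
searches_outside_base() {
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | awk -v expected="$expected" '
        /\[sdap_get_generic/ && /calling ldap_search_ext with \[/ {
            base = $0
            sub(/.*[]][[]/, "", base)   # keep the text after the last "]["
            sub(/[]].*$/, "", base)     # drop the closing "]" and the rest
            lc = tolower(base)
            suffix = substr(lc, length(lc) - length(expected))
            if (lc != expected && suffix != "," expected) print base
        }'
}

# Stand-alone run: report the effective bases and any stray searches.
printf 'user base:  %s\n' "$(effective_search_base "$SSSD_CONF" "$SECTION" user)"
printf 'group base: %s\n' "$(effective_search_base "$SSSD_CONF" "$SECTION" group)"
stray=$(searches_outside_base "$SSSD_LOG" "$EXPECTED_BASE")
if [ -z "$stray" ]; then
    echo "all logged searches stayed inside $EXPECTED_BASE"
else
    printf 'searches outside %s:\n%s\n' "$EXPECTED_BASE" "$stray"
fi
```

On a real system, replace SSSD_CONF with the contents of /etc/sssd/sssd.conf and SSSD_LOG with the domain log from /var/log/sssd/ captured after running sss_cache -E, raising debug_level and repeating the getent lookup; any base printed by searches_outside_base is a search that the configured OU did not restrict.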