5.4. Changing the LDAP Search Base for Users and Groups in a Trusted Active Directory Domain
As an administrator, you can set a different search base for users and groups in the trusted Active Directory domain. For example, this enables you to filter out users from inactive organizational units so that only active Active Directory users and groups are visible to the SSSD client system.
- To ensure that SSSD does not resolve all groups the user belongs to, consider disabling the support for the tokenGroups attribute on the Active Directory side. With tokenGroups enabled, SSSD resolves all groups the user belongs to because the attribute contains a flat list of SIDs. See Token-Groups attribute on Microsoft Developer Network for details about the attribute.
5.4.2. Configuring the LDAP Search Base to Restrict Searches
This procedure describes restricting searches in SSSD to a specific subtree by editing the
- If your SSSD clients are directly joined to an Active Directory domain, perform this procedure on all the clients.
- If your SSSD clients are in an Identity Management domain that is in a trust with Active Directory, perform this procedure only on the Identity Management server.
- Make sure the trusted domain has a separate section in sssd.conf. The headings of trusted domain sections follow this template:
- Edit the sssd.conf file to restrict the search base to a specific organizational unit (OU). For example, the ldap_search_base option changes the search base for all types of objects:
ldap_search_base = ou=finance,dc=ad,dc=example,dc=com
You can also use the object-type-specific options, such as ldap_service_search_base. For more details on these options, see the sssd-ldap(5) man page.
- Restart SSSD.
systemctl restart sssd.service
- To verify, resolve a few Active Directory users on the SSSD client. For example, to test a change to the user search base and group search base:
# getent passwd firstname.lastname@example.org
# getent group email@example.com
If SSSD is configured correctly, you are able to resolve only objects from the configured search base.
If you are able to resolve users from other search domains, troubleshoot the problem by inspecting the SSSD logs:
- Expire the SSSD caches.
- In the general sssd.conf, set the
- Repeat the command for resolving a user.
- In the SSSD logs at /var/log/sssd/, look for messages from the sdap_get_generic_* functions. The functions log the filter and search base used in user searches.
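The verification and troubleshooting steps above both come down to one question: is every search SSSD performs for the trusted domain scoped to the base you configured? The following script is an added example, not code from the Red Hat guide or the SSSD project. It reads ldap_search_base from the trusted domain section of a constructed sssd.conf, then checks constructed log lines in the style of the sdap_get_generic_ext_step messages ("calling ldap_search_ext with [FILTER][BASE]") and reports any search whose base lies outside the configured subtree. The section heading format [domain/idm_domain/trusted_domain] is taken from the TRUSTED DOMAIN SECTION of sssd.conf(5); the domain names, the configuration file and the log excerpt are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide or the SSSD project: offline checks
# for a trusted-domain search base. Assumptions: trusted domain section headings
# use [domain/<idm_domain>/<trusted_domain>] (sssd.conf(5), TRUSTED DOMAIN
# SECTION); the sssd.conf and log lines below are constructed, and the log line
# layout is modelled on sdap_get_generic_ext_step messages, not copied from a
# real log.

# Print the value of OPTION from exactly one SECTION of an ini-style file.
# Usage: get_option FILE SECTION OPTION
get_option() {
  awk -v sect="$2" -v opt="$3" '
    /^[ \t]*\[/ {                       # section header: is it the one we want?
      s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
      insect = (s == sect); next
    }
    insect && $0 ~ ("^[ \t]*" opt "[ \t]*=") {
      v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
      print v; exit
    }' "$1"
}

# Succeed if DN equals BASE or lies below it (case-insensitive, spacing around
# commas ignored). A subtree search is scoped exactly this way.
# Usage: dn_under_base DN BASE
dn_under_base() {
  _dn=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/ *, */,/g')
  _base=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/ *, */,/g')
  [ "$_dn" = "$_base" ] && return 0
  case "$_dn" in *",$_base") return 0 ;; esac
  return 1
}

# Constructed sssd.conf: the search base is set only in the trusted domain
# subsection, which is where the procedure above puts it.
write_sample_conf() {
  cat > "$1" <<'EOF'
[sssd]
domains = idm.example.com
services = nss, pam

[domain/idm.example.com]
id_provider = ipa
ipa_domain = idm.example.com

[domain/idm.example.com/ad.example.com]
ldap_search_base = ou=finance,dc=ad,dc=example,dc=com
EOF
}

# Constructed log excerpt in the style of sdap_get_generic_ext_step messages.
# The second search uses the domain root, which is what a mis-scoped or
# mis-placed option looks like in the log.
write_sample_log() {
  cat > "$1" <<'EOF'
(2024-01-01 10:00:00): [be[idm.example.com]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=alice)(objectclass=user))][ou=finance,dc=ad,dc=example,dc=com].
(2024-01-01 10:00:01): [be[idm.example.com]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(objectclass=group)(member=CN=Alice Active,OU=Finance,DC=ad,DC=example,DC=com))][dc=ad,dc=example,dc=com].
(2024-01-01 10:00:02): [be[idm.example.com]] [sdap_get_generic_ext_step] (0x0400): Requesting attrs: [sAMAccountName]
EOF
}

# Print the search base of every ldap_search_ext call recorded in LOGFILE.
log_search_bases() {
  sed -n 's/.*\[sdap_get_generic_[a-z_]*\].*calling ldap_search_ext with \[.*\]\[\([^]]*\)\].*/\1/p' "$1"
}

# Print each search base from LOGFILE that is NOT under the base configured in
# the trusted domain section of CONF. Empty output means every logged search
# stayed inside the configured subtree.
# Usage: out_of_scope_searches CONF LOGFILE
out_of_scope_searches() {
  _cfg=$(get_option "$1" "domain/idm.example.com/ad.example.com" ldap_search_base)
  [ -n "$_cfg" ] || { echo "ldap_search_base missing from trusted domain section" >&2; return 2; }
  log_search_bases "$2" | while IFS= read -r _b; do
    dn_under_base "$_b" "$_cfg" || printf '%s\n' "$_b"
  done
}

# Stand-alone run: build the samples, report, and clean up.
main() {
  _c=$(mktemp) && _l=$(mktemp)
  write_sample_conf "$_c"; write_sample_log "$_l"
  echo "configured base: $(get_option "$_c" domain/idm.example.com/ad.example.com ldap_search_base)"
  echo "searches outside the configured base:"
  out_of_scope_searches "$_c" "$_l"
  rm -f "$_c" "$_l"
}
main
```

To apply this to a real system, point get_option at /etc/sssd/sssd.conf with your own [domain/IDM/AD] section name and feed the domain log from /var/log/sssd/ to out_of_scope_searches; a search base printed there is a search SSSD ran outside the subtree you intended, which is the usual reason users from other parts of the directory still resolve. The DN comparison is a suffix match after normalising case and spacing, which is sufficient for checking subtree scope but is not a full RFC 4514 DN canonicaliser.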
- For a list of options you can use in trusted domain sections of sssd.conf, see the TRUSTED DOMAIN SECTION in the sssd.conf(5) man page.