Filtering users with ldap_user_search_base in SSSD integrations

Solution Verified

Issue

  • Administrators may want to limit which user entries are visible to SSSD by using ldap_user_search_base.
  • This option can be used to reduce lookup scope, restrict lookups to a specific container or subtree, or exclude unwanted user objects from discovery.
  • In some environments, multiple user objects from different containers may resolve to the same effective login name from SSSD’s perspective.
  • When this occurs, group lookup may fail because SSSD attempts to cache the same user more than once as a group member.
  • Group resolution may fail with errors similar to:
[attribute 'ghost': value 'someuser@example.com' on 'name=somegroup@example.com,cn=groups,cn=example.com,cn=sysdb' provided more than once in REPLACE]
  • Additional symptoms may include:
    • getent group returns no result or incomplete results
    • a group cannot be resolved even though it exists in the directory
    • SSSD logs show the same effective user name being processed from more than one LDAP distinguished name
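As an added example (not from this article), the Python check below parses a constructed LDIF export, reports login names that appear under more than one DN inside a given search base, and shows that narrowing the base to a single container removes the collision; all DNs and user names are hypothetical.

```python
from collections import defaultdict

# Constructed LDIF export (hypothetical DNs): two containers carry the same login.
SAMPLE_LDIF = """\
dn: uid=someuser,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
uid: someuser

dn: uid=someuser,cn=legacy,cn=accounts,dc=example,dc=com
objectClass: posixAccount
uid: someuser

dn: uid=otheruser,cn=users,cn=accounts,dc=example,dc=com
objectClass: posixAccount
uid: otheruser
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] from a minimal LDIF export."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return [(e["dn"][0], e) for e in entries]

def in_search_base(dn, base):
    """True if dn lies at or below base (subtree scope, case-insensitive)."""
    dn, base = dn.lower().replace(", ", ","), base.lower().replace(", ", ",")
    return dn == base or dn.endswith("," + base)

def duplicate_logins(entries, base, login_attr="uid"):
    """Login names that occur under more than one DN inside base -> list of DNs."""
    seen = defaultdict(list)
    for dn, attrs in entries:
        if in_search_base(dn, base):
            for login in attrs.get(login_attr, []):
                seen[login.lower()].append(dn)
    return {login: dns for login, dns in seen.items() if len(dns) > 1}

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    print(duplicate_logins(entries, "cn=accounts,dc=example,dc=com"))           # someuser collides
    print(duplicate_logins(entries, "cn=users,cn=accounts,dc=example,dc=com"))  # {}
```

Run against a real export of the user subtree before tightening ldap_user_search_base to see which login names would still be reached from more than one DN.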

Environment

  • Red Hat Enterprise Linux 8, 9 & 10
  • SSSD
  • Any LDAP-backed identity provider where ldap_user_search_base is used to scope user discovery, including:
    • Microsoft Active Directory
    • Red Hat Identity Management (IPA / IdM)
    • Generic LDAP directory integrations
