Using ldap_user_search_base option to filter disabled AD accounts breaks AD group lookup in Red Hat Enterprise Linux 8

Solution Verified - Updated -

Issue

  • After adding the ldap_user_search_base or ldap_search_base option to the sssd.conf file to filter out disabled AD accounts,
    AD group lookup is broken in RHEL 8. However, the same configuration works fine in RHEL 7:
    ldap_user_search_base = dc=example,dc=com?subtree?(&(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
  • getent group groupname stopped working after adding the following option to the sssd.conf file in RHEL 8:
    ldap_search_base = dc=example,dc=com?subtree?(&(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
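As an added example (not from this Red Hat article, and not sssd's own code): a small Python evaluator for the base?scope?filter search-base syntax used above and for the bit-AND matching rule in that filter (OID 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND; bit 0x2 is ACCOUNTDISABLE), run against constructed user and group entries to show which objects the filter lets through. The entry dicts, the single-base form and the reduced filter grammar are assumptions of this example.

```python
BIT_AND_OID = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND, the rule used in the filter above
ACCOUNTDISABLE = 0x2                     # userAccountControl flag set on disabled AD accounts

def parse_search_base(value):
    """Split one sssd search-base value of the form base[?scope[?filter]] (single base assumed)."""
    parts = [p.strip() for p in value.split("?", 2)] + ["", ""]
    base, scope, ldap_filter = parts[0], parts[1] or "subtree", parts[2] or None
    return {"base": base, "scope": scope, "filter": ldap_filter}

def _parse_filter(s, i=0):
    """Recursive-descent parser for &, |, ! and (extensible) equality items only."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse_filter(s, i)
            kids.append(node)
        return (op, kids), i + 1                  # s[i] is the closing ')'
    j = s.index(")", i)
    lhs, _, rhs = s[i:j].partition("=")
    if lhs.endswith(":" + BIT_AND_OID + ":"):     # attr:OID:=value
        return ("bitand", lhs.split(":")[0], int(rhs)), j + 1
    return ("eq", lhs, rhs), j + 1

def matches(node, entry):
    """Evaluate a parsed filter; an item on an absent attribute is FALSE (RFC 4511)."""
    kind = node[0]
    if kind in "&|":
        return (all if kind == "&" else any)(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    value = entry.get(node[1])
    if value is None:
        return False
    if kind == "bitand":
        return (int(value) & node[2]) == node[2]
    return str(value).lower() == node[2].lower()

def select(search_base, entries):
    # Names of the entries that pass the search-base filter (all of them if there is none).
    ldap_filter = parse_search_base(search_base)["filter"]
    tree = _parse_filter(ldap_filter)[0] if ldap_filter else ("&", [])
    return [e["name"] for e in entries if matches(tree, e)]

# Constructed directory: an enabled user (512), a disabled user (514) and a group, which has no userAccountControl.
SAMPLE = [{"name": "alice", "userAccountControl": 512},
          {"name": "bob", "userAccountControl": 512 | ACCOUNTDISABLE},
          {"name": "linuxadmins", "objectClass": "group"}]
FILTERED_BASE = "dc=example,dc=com?subtree?(&(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
```

select(FILTERED_BASE, SAMPLE) returns ['alice', 'linuxadmins']: the disabled user is excluded, while the group passes because the negated item is FALSE on an entry without the attribute.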

Environment

  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9
  • Microsoft Active Directory
  • SSSD
