I've discovered through more experimentation and some source code examples that 
this syntax works:

sssd.conf:

ldap_user_search_base, ou=ldapusers1,dc=mydomain,dc=net, 
ou=ldapusers2,dc=mydomain,dc=net, dc=ldapusers3,dc=mydomain,dc=net

Same syntax seems to work for ldap_group_search_base.....

But the question is if this is valid syntax, where is the documentation to show how to use it?

And why the unconventional syntax?

Al


From: users-boun...@lists.fedoraproject.org 
[mailto:users-boun...@lists.fedoraproject.org] On Behalf Of Licause, Al
Sent: Wednesday, June 22, 2011 10:32 AM
To: users@lists.fedoraproject.org
Subject: RE: sssd and ldap_user_search_base

I have a customer that is attempting to authenticate users from an ldap server with various unix and linux clients. They are having difficulty getting their method to work with their Red Hat V6.0 ldap clients running sssd-1.2.1-28.el6_0.4.x86_64 and sssd-client-1.2.1-28.el6_0.4.x86_64.

They have split their users into three different branches of the ldap database
and done something similar with their user groups.

In an attempt to control who can login to various systems, they configure their
clients to use two of three branches.   So for example client1 is configured to
use ldapusers1 and ldapusers2 while client2 can use ldapusers2 and ldapusers3.

If the client is allowed to search the entire database they will find account duplications and will allow the wrong users to authenticate.

This is an example of what we have tried in the sssd.conf file:

ldap_search_base = dc=osn,dc=mydomain,dc=net

# ldap_user_search_base ou=ldapusers1,dc=mydomain,dc=net,ou=ldapusers2,dc=mydomain,dc=net,ou=ldapusers3,dc=mydomain,dc=net

#ldap_user_search_base = ou=ldapusers1,dc=mydomain,dc=net
#ldap_user_search_base = ou=ldapusers2,dc=mydomain,dc=net
#ldap_user_search_base = ou=ldapusers3,dc=mydomain,dc=net

#ldap_group_search_base = ou=Groups,dc=mydomain,dc=net
#ldap_group_search_base = ou=LdapGroup,dc=mydomain,dc=net
#ldap_group_search_base = ou=TestGroup,dc=mydomain,dc=net


If we use the first example in which all three branches are assigned on one line, we usually get nothing....."can't find the user".

If we use any of the currently commented examples where the symbol ldap_user_search_base is given more than once, we only see the last one defined.

So the question is, is this sort of configuration possible or is something broken?


Al Licause
HP Customer Support Center
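
[Editor's added example, not part of either message above.] The multi-base form that sssd-ldap(5) documents for SSSD releases that support it is not the comma list in the reply but a "?"-separated sequence of base?scope?filter triples (scope and filter may be left empty, scope defaulting to subtree); whether the 1.2.1 build in the thread supports it is an assumption the reader must check against their own man page. The Python below parses that form and runs user lookups against a constructed in-memory directory, to show the duplicate-account problem the question describes: with the client limited to two branches a duplicated uid resolves once, with the whole tree as base it resolves twice. The directory entries, the client1/whole-tree base strings and the helper names are all made up for this illustration; only single "(attr=value)" equality filters are modelled.

```python
# Added example (not from the thread). Parses the multi-search-base syntax
# documented in sssd-ldap(5) and models per-base user lookups against a
# constructed in-memory directory, to show how a wider search base turns a
# duplicated uid into an ambiguous lookup.
from dataclasses import dataclass

VALID_SCOPES = ("base", "onelevel", "subtree")


@dataclass(frozen=True)
class SearchBase:
    base: str
    scope: str = "subtree"
    filter: str = ""  # only a single "(attr=value)" equality filter is modelled


def parse_search_bases(value: str) -> list:
    """Parse 'base?scope?filter?base?scope?filter...' into SearchBase objects.

    Scope and filter may be empty; an empty scope defaults to subtree."""
    parts = [p.strip() for p in value.strip().split("?")]
    bases = []
    for i in range(0, len(parts), 3):
        base = parts[i]
        if not base:
            raise ValueError("empty search base at position %d" % i)
        scope = parts[i + 1].lower() if i + 1 < len(parts) and parts[i + 1] else "subtree"
        if scope not in VALID_SCOPES:
            raise ValueError("unknown scope %r for base %s" % (scope, base))
        flt = parts[i + 2] if i + 2 < len(parts) else ""
        bases.append(SearchBase(base, scope, flt))
    return bases


def _rdns(dn: str) -> list:
    # Normalise a DN into lower-cased RDN components for suffix comparison.
    return [r.strip().lower() for r in dn.split(",")]


def in_scope(entry_dn: str, sb: SearchBase) -> bool:
    """True when entry_dn lies under sb.base at the depth sb.scope allows."""
    entry, base = _rdns(entry_dn), _rdns(sb.base)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return {"base": depth == 0, "onelevel": depth == 1, "subtree": True}[sb.scope]


def matches_filter(entry: dict, flt: str) -> bool:
    if not flt:
        return True
    attr, _, val = flt.strip("()").partition("=")
    return str(entry.get(attr.strip().lower(), "")).lower() == val.strip().lower()


def find_user(directory: list, bases: list, uid: str) -> list:
    """Return the DNs matching uid across all configured search bases."""
    hits = []
    for sb in bases:
        for entry in directory:
            if (in_scope(entry["dn"], sb) and matches_filter(entry, sb.filter)
                    and entry["uid"] == uid):
                hits.append(entry["dn"])
    return hits


def duplicate_uids(directory: list, bases: list) -> dict:
    """Audit helper: uids that resolve to more than one entry under these bases."""
    seen = {}
    for sb in bases:
        for entry in directory:
            if in_scope(entry["dn"], sb) and matches_filter(entry, sb.filter):
                seen.setdefault(entry["uid"], set()).add(entry["dn"])
    return {u: sorted(d) for u, d in seen.items() if len(d) > 1}


# Constructed sample directory: 'alice' exists in two branches.
DIRECTORY = [
    {"dn": "uid=alice,ou=ldapusers1,dc=mydomain,dc=net", "uid": "alice"},
    {"dn": "uid=bob,ou=ldapusers2,dc=mydomain,dc=net", "uid": "bob"},
    {"dn": "uid=alice,ou=ldapusers3,dc=mydomain,dc=net", "uid": "alice"},
    {"dn": "uid=carol,ou=ldapusers3,dc=mydomain,dc=net", "uid": "carol"},
]

# client1 is allowed only branches 1 and 2 (empty filters, subtree scope).
CLIENT1_BASES = parse_search_bases(
    "ou=ldapusers1,dc=mydomain,dc=net?subtree??"
    "ou=ldapusers2,dc=mydomain,dc=net?subtree?")
# The whole domain as a single base is the configuration the question warns about.
WHOLE_TREE = parse_search_bases("dc=mydomain,dc=net")

if __name__ == "__main__":
    print("client1 alice ->", find_user(DIRECTORY, CLIENT1_BASES, "alice"))
    print("whole-tree alice ->", find_user(DIRECTORY, WHOLE_TREE, "alice"))
    print("duplicates under whole tree ->", duplicate_uids(DIRECTORY, WHOLE_TREE))
```

Running it shows one hit for alice under the two permitted branches, two hits under the whole tree, and duplicate_uids listing alice as ambiguous; the same audit run against a real export of the directory is a cheap way to find the account duplications before they decide who gets to log in.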


-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
