[ale] [EXTERNAL] Re: Any AD + SSSD expertise?

Niel Bornstein nbornstein at gmail.com
Thu Aug 31 14:30:42 EDT 2023


Allen, I always point these sorts of questions to Lawrence Kearney. Do you
know him? If not I can make an introduction.

On Thu, Aug 31, 2023 at 2:17 PM Allen Beddingfield via Ale <ale at ale.org>
wrote:

> We actually have both directories running together, and have for a few
> years.  Password changes are all forced through a portal that syncs the
> password in LDAP and AD, and account creates go through a process that
> duplicates things in both directories.  The plan is to cut over to AD, but
> everything that is authenticating against LDAP has to be pointed to AD,
> first.
> Allen B.
>
> --
> Allen Beddingfield
> Systems Engineer
> Office of Information Technology
> The University of Alabama
> Office 205-348-2251
> allen at ua.edu
>
> ________________________________________
> From: Ale <ale-bounces at ale.org> on behalf of Justin W Elam via Ale <
> ale at ale.org>
> Sent: Thursday, August 31, 2023 1:13 PM
> To: Atlanta Linux Enthusiasts
> Cc: Justin W Elam
> Subject: [EXTERNAL] Re: [ale] Any AD + SSSD expertise?
>
> Allen
>
> I think when there is a will there is a way around something.
>
> Since you are running SUSE.
>
> Likely the best option would be to use a different product to merge the
> 389 with active directory using a product like
>
> https://www.manageengine.com/products/self-service-password/
>
> ADSelfServicePlus.
>
> That allows AD to manage the password change and then sync to 389 and
> other projects and products
> Google, MS365, Apple Mac, HPC, and Others
>
> AD => ADSelfService => 389, MS365, Zoho, VOIP, Google, etc.
>
> According to their website one of their customers is Kubota
>
> Cheers from Justin.
>
>
> --
> -------------------------------------
> Justin W Elam
>
>
>
>
> On Thu, 31 Aug 2023, 12:59 Allen Beddingfield via Ale, <ale at ale.org> wrote:
> So, we currently have our Linux systems using an old 389 Directory for
> authentication, and have to switch to AD authentication to retire that
> system.  I don't have any say in that matter, so authenticating to AD is
> the mandated solution that I have to get working.  Most of these systems
> are SUSE Linux Enterprise 15, with a few 12.x systems.
> I got the old sssd.conf and nsswitch.conf working for LDAP 10+ years ago,
> and really just haven't looked at it since, as it has worked without any
> issue.  I'm not wanting to go through the process of adding everything to
> AD, doing kerberos, etc....  so this will be SSSD using AD as an LDAP
> source for authentication.  I've got that part working well.  However, I've
> got one annoyance.  With the LDAP setup, the users would just kind of look
> like local users, in that their primary group would be the local "users"
> group.  (This is SUSE, so all users get the same primary group of "users",
> instead of an individual group that corresponds to their username).
> However, when configured against AD, the users' primary group is "Domain
> Users".  I'm trying to find some way to either duplicate the old behavior,
> or at least have "Domain Users" be something like "adusers" without the
> capital letters and space.  I saw a suggestion for functionality to
> implement the Red Hat style individual user groups, but that isn't really
> what I'm trying to accomplish.
>
> Anyone ever done this, or have any idea how to accomplish something like
> this?
> I asked ChatGPT, and got suggested some parameters for the config file
> that I think it just made up haha
> Allen B.
>
> --
> Allen Beddingfield
> Systems Engineer
> Office of Information Technology
> The University of Alabama
> Office 205-348-2251
> allen at ua.edu
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> https://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>