[ale] [EXTERNAL] Re: Any AD + SSSD expertise?

Allen Beddingfield allen at ua.edu
Thu Aug 31 14:32:23 EDT 2023


I have met him a couple of times at SUSECon, but it has been a while since we've talked.  Is he on the list?  You are right, he is pretty much the expert for such things, if I remember.
Thanks.
Allen B.

--
Allen Beddingfield
Systems Engineer
Office of Information Technology
The University of Alabama
Office 205-348-2251
allen at ua.edu

________________________________________
From: Niel Bornstein <nbornstein at gmail.com>
Sent: Thursday, August 31, 2023 1:30 PM
To: Atlanta Linux Enthusiasts
Cc: Allen Beddingfield
Subject: Re: [ale] [EXTERNAL] Re: Any AD + SSSD expertise?

Allen, I always point these sorts of questions to Lawrence Kearney. Do you know him? If not I can make an introduction.

On Thu, Aug 31, 2023 at 2:17 PM Allen Beddingfield via Ale <ale at ale.org<mailto:ale at ale.org>> wrote:
We actually have both directories running together, and have for a few years.  Password changes are all forced through a portal that syncs the password in LDAP and AD, and account creates go through a process that duplicates things in both directories.  The plan is to cut over to AD, but everything that is authenticating against LDAP has to be pointed to AD, first.
Allen B.

--
Allen Beddingfield
Systems Engineer
Office of Information Technology
The University of Alabama
Office 205-348-2251
allen at ua.edu

________________________________________
From: Ale <ale-bounces at ale.org> on behalf of Justin W Elam via Ale <ale at ale.org>
Sent: Thursday, August 31, 2023 1:13 PM
To: Atlanta Linux Enthusiasts
Cc: Justin W Elam
Subject: [EXTERNAL] Re: [ale] Any AD + SSSD expertise?

Allen

I think when there is a will there is a way around something.

Since you are running SUSE.

Likely the best option would be to use a different product to merge the 389 with active directory using a product like

https://www.manageengine.com/products/self-service-password/

ADSelfServicePlus.

That allows AD to manage the password change and then sync to 389 and other projects and products
Google, MS365, Apple Mac, HPC, and Others

AD => ADSelfService => 389, MS365, Zoho, VOIP, Google, etc.

According to their website one of their customers is Kubota

Cheers from Justin.


--
-------------------------------------
Justin W Elam




On Thu, 31 Aug 2023, 12:59 Allen Beddingfield via Ale, <ale at ale.org> wrote:
So, we currently have our Linux systems using an old 389 Directory for authentication, and have to switch to AD authentication to retire that system.  I don't have any say in that matter, so authenticating to AD is the mandated solution that I have to get working.  Most of these systems are SUSE Linux Enterprise 15, with a few 12.x systems.
I got the old sssd.conf and nsswitch.conf working for LDAP 10+ years ago, and really just haven't looked at it since, as it has worked without any issue.  I'm not wanting to go through the process of adding everything to AD, doing Kerberos, etc....  so this will be SSSD using AD as an LDAP source for authentication.  I've got that part working well.  However, I've got one annoyance.  With the LDAP setup, the users would just kind of look like local users, in that their primary group would be the local "users" group.  (This is SUSE, so all users get the same primary group of "users", instead of an individual group that corresponds to their username).
However, when configured against AD, the users' primary group is "Domain Users".  I'm trying to find some way to either duplicate the old behavior, or at least have "Domain Users" be something like "adusers" without the capital letters and space.  I saw a suggestion for functionality to implement the Red Hat style individual user groups, but that isn't really what I'm trying to accomplish.

Anyone ever done this, or have any idea how to accomplish something like this?
I asked ChatGPT, and got suggested some parameters for the config file that I think it just made up haha
Allen B.

--
Allen Beddingfield
Systems Engineer
Office of Information Technology
The University of Alabama
Office 205-348-2251
allen at ua.edu
_______________________________________________
Ale mailing list
Ale at ale.org
https://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo
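An sssd.conf fragment, added here as an illustration and not taken from any message in the thread, showing one way to get the primary-group behaviour Allen asks about while keeping SSSD's LDAP provider pointed at AD (no domain join, no Kerberos). The domain name, host, search base, bind DN, CA bundle path and the SUSE "users" GID of 100 are assumptions; adjust them to your site.

```ini
# /etc/sssd/sssd.conf (illustrative; all names below are assumptions)
# Must be owned by root and mode 0600: ldap_default_authtok is stored in clear text.
[sssd]
config_file_version = 2
services = nss, pam
domains = example.edu

[domain/example.edu]
# AD queried as a plain LDAP directory, as in Allen's setup.
id_provider = ldap
auth_provider = ldap
chpass_provider = none

# Always LDAPS; AD will refuse simple binds over clear text anyway,
# and the bind password must never cross the wire unencrypted.
ldap_uri = ldaps://dc1.example.edu
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/ca-bundle.pem
ldap_search_base = dc=example,dc=edu

# Least-privilege read-only service account for the directory bind.
ldap_default_bind_dn = cn=sssd-bind,ou=Service Accounts,dc=example,dc=edu
ldap_default_authtok_type = password
ldap_default_authtok = PLACEHOLDER_BIND_PASSWORD

# Tell SSSD these are AD objects (sAMAccountName, objectSid, primaryGroupID ...)
# and derive UIDs/GIDs from the SID so numbers are stable across hosts.
ldap_schema = ad
ldap_id_mapping = true

# The part that answers the question: force every domain user's primary GID
# to the local SUSE "users" group (GID 100 assumed) instead of "Domain Users".
# The group itself is still resolved from /etc/group, so it shows as "users".
override_gid = 100

# Deny logins for disabled/expired AD accounts rather than relying on
# the bind simply failing.
access_provider = ldap
ldap_access_order = expire
ldap_account_expire_policy = ad

cache_credentials = false
enumerate = false
```

If you would rather keep a domain group as primary but lose the space and capitals, a local group-name override (`sss_override group-add "Domain Users" -n adusers`, then restart sssd) is the supported route rather than editing AD; after either change, clear the SSSD cache and confirm with `id <user>` and `getent group users`.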