
Pull only specific groups from AD #7620

Open
hpckurt opened this issue Sep 25, 2024 · 2 comments

Comments

@hpckurt

hpckurt commented Sep 25, 2024

Is it possible to pull only specific groups from AD in SSSD?

Some of our users are in 150+ AD groups and it takes an extremely long time to sync them in our system. We'd like to sync any groups prepended with hpc-. So, if a user was part of server-users, hpc-users and hpc-p0001, both hpc- groups would sync, but server-users would not.

@sumit-bose
Contributor

Hi,

you can add additional search filters to the search bases, e.g.

ldap_group_search_base = dc=example,dc=com?subtree?(sAMAccountName=hpc-*)

should only return groups where the name starts with hpc-. However, by default, when looking up the group memberships of an AD user, SSSD uses the tokenGroups attribute, where the LDAP search returns the SIDs of all groups the user is a member of. With the filter above, SSSD can resolve the names of only some of those groups and might return a SID-based name or none at all, which might be irritating. So it would make sense to disable the tokenGroups lookup with ldap_use_tokengroups = False, which might lead to longer processing because SSSD now has to follow the group nesting to find all the group memberships of the user.

Have you tried setting ignore_group_members = True? Typically, looking up the members of the groups is the time-consuming step.

bye,
Sumit
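The mismatch described in the comment above, as an added example that is not part of the issue and not SSSD's own code: a small simulation of SSSD's `base?scope?filter` search-base syntax and of a subset of LDAP filter matching, applied to a constructed set of AD group entries. The group names, SIDs, attribute values and the `dc=example,dc=com` base are all assumptions made for the demonstration. It shows that with `(sAMAccountName=hpc-*)` on `ldap_group_search_base`, a tokenGroups lookup still hands back every SID, but only the hpc- groups can be turned into names; the rest are left unresolved, which is where a SID-based name or a missing group would appear.

```python
"""Added example (not from the SSSD project or from anyone in this issue):
simulate what happens when an extra filter is put on ldap_group_search_base
while SSSD still reads group membership from the user's tokenGroups attribute.
All group entries, SIDs and the search-base value below are constructed.
"""
import fnmatch

# Constructed AD group entries, keyed by objectSid.
GROUPS = {
    "S-1-5-21-1-2-3-1105": {"sAMAccountName": "server-users", "objectClass": "group"},
    "S-1-5-21-1-2-3-1106": {"sAMAccountName": "hpc-users", "objectClass": "group"},
    "S-1-5-21-1-2-3-1107": {"sAMAccountName": "hpc-p0001", "objectClass": "group"},
    "S-1-5-21-1-2-3-513": {"sAMAccountName": "Domain Users", "objectClass": "group"},
}

# Constructed tokenGroups result for a user who is a member of all four groups.
USER_TOKEN_GROUPS = list(GROUPS)

# The filtered search base from the comment above, on an assumed example domain.
FILTERED_BASE = "dc=example,dc=com?subtree?(sAMAccountName=hpc-*)"

SCOPES = {"base", "onelevel", "subtree"}


def parse_search_base(value):
    """Parse an SSSD search-base value into a list of (base, scope, filter).

    SSSD accepts one or more 'base?scope?filter' triples joined by '?'; scope
    defaults to 'subtree' and an empty filter means no extra filter (None).
    """
    parts = [p.strip() for p in value.split("?")]
    while len(parts) % 3:
        parts.append("")
    triples = []
    for i in range(0, len(parts), 3):
        base, scope, filt = parts[i], parts[i + 1] or "subtree", parts[i + 2] or None
        if not base:
            raise ValueError("search base must not be empty")
        if scope not in SCOPES:
            raise ValueError(f"unknown scope {scope!r}")
        triples.append((base, scope, filt))
    return triples


def _split_top(s):
    """Split concatenated '(...)(...)' sub-filters at nesting depth 0."""
    out, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                out.append(s[start:i + 1])
    return out


def match_filter(filt, entry):
    """Evaluate a small subset of RFC 4515 filters against an entry dict.

    Supports (attr=value) with '*' wildcards plus the &, | and ! combinators.
    Names and values compare case-insensitively, as AD does for sAMAccountName.
    Values go through fnmatch, so '[' and '?' would also act as wildcards;
    that is enough for this demonstration.
    """
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError(f"malformed filter: {filt!r}")
    body = filt[1:-1]
    if body[:1] in ("&", "|", "!"):
        results = [match_filter(sub, entry) for sub in _split_top(body[1:])]
        if body[0] == "&":
            return all(results)
        if body[0] == "|":
            return any(results)
        return not results[0]
    attr, _, pattern = body.partition("=")
    values = [v for k, v in entry.items() if k.lower() == attr.lower()]
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower()) for v in values)


def resolve_token_groups(member_sids, search_base_value):
    """Map tokenGroups SIDs to names using only groups the filtered base returns.

    Returns (resolved, unresolved). A SID whose group falls outside every
    filter stays unresolved; that is where SSSD would show a SID-based name
    or no group at all, as the comment above describes.
    """
    bases = parse_search_base(search_base_value)
    resolved, unresolved = {}, []
    for sid in member_sids:
        entry = GROUPS.get(sid)
        visible = entry is not None and any(
            filt is None or match_filter(filt, entry) for _, _, filt in bases
        )
        if visible:
            resolved[sid] = entry["sAMAccountName"]
        else:
            unresolved.append(sid)
    return resolved, unresolved


if __name__ == "__main__":
    names, leftovers = resolve_token_groups(USER_TOKEN_GROUPS, FILTERED_BASE)
    print("resolved:", sorted(names.values()))
    print("unresolved SIDs:", leftovers)
```

Running it with the filtered base resolves only `hpc-users` and `hpc-p0001` and leaves the SIDs of `server-users` and `Domain Users` unresolved; the same call with a plain `dc=example,dc=com` base resolves all four. The point of the simulation is the one made above: a filter on the group search base narrows which groups can be named, not which SIDs tokenGroups returns, so the two lookups disagree unless tokenGroups is turned off and SSSD walks membership through the (now consistently filtered) group entries instead.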

@hpckurt
Author

hpckurt commented Sep 26, 2024

Hi @sumit-bose, when I set the group search base, it only shows a user's primary group (Domain Users):

root@login-01:/var/log/sssd# id kstine
uid=851707146(kstine) gid=1543400513 groups=1543400513

Here is the SSSD conf we are using:

[sssd]
domains = win.place.edu
config_file_version = 2
services = nss, pam

[nss]
#debug_level = 6

[pam]
pam_id_timeout = 360

[domain/win.place.edu]
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
entry_cache_timeout = 6800
entry_cache_group_timeout = 6800
account_cache_expiration = 7

krb5_auth_timeout = 360
ldap_deref_threshold = 0

dyndns_update = False
ad_hostname = bcm-01
ad_enabled_domains = vserv.win.place.edu,mserv.win.place.edu
krb5_realm = WIN.PLACE.EDU
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
ad_domain = win.place.edu
use_fully_qualified_names = False
ldap_id_mapping = True
ldap_user_uid_number = uidNumber
#ldap_user_gid_number = gidNumber
#access_provider = ad
enumerate = False
ad_enable_gc = True
#debug_level = 6

ignore_group_members = True
ldap_use_tokengroups = False
#ldap_group_search_base = ou=workgroups,ou=registry,dc=win,dc=place,dc=edu
ldap_user_search_base = ou=accounts,dc=win,dc=place,dc=edu
ldap_user_member_of = MemberOf
ldap_user_name = SamAccountName
#ldap_access_filter = memberOf=CN=hpc-users,OU=Workgroups,OU=Registry,DC=win,DC=place,DC=edu
ldap_group_search_base = ou=workgroups,ou=registry,dc=win,dc=place,dc=edu?subtree?(sAMAccountName=hpc-*)

simple_allow_groups = [email protected]
access_provider = simple
#ldap_group_nesting_level = 4

- Kurt
