[Changing ldap_group_nesting_level in sssd.conf in the subsection for ad-trusts does not work]
By default, in FreeIPA, the nesting depth of groups is 2. In the log sssd_ipa_domain.log I see that the parameter was applied in both sections, and ldap_group_nesting_level = 3. I see that the query finds all three groups, but only group1 and group2 appear in the output of the command "id". Therefore, I cannot apply the hbac and sudo rules to group3. And this is very important, according to our security policies.
I expect group3 to appear in the output of the id command and that I will be able to apply sudo and hbac rules to the group3.
Package versions:
ipa-server-4.6.8-5.0.1.el7_9.10.x86_64
ipa-client-4.6.8-5.0.1.el7_9.10.x86_64
389-ds-base-1.3.10.2-14.el7_9.x86_64
pki-ca-10.5.18-18.el7_9.noarch
krb5-server-1.15.1-51.0.1.el7_9.x86_64
OS version:
NAME="Oracle Linux Server"
VERSION="7.9"
ID="ol"
ID_LIKE="fedora"
VARIANT="Server"
VARIANT_ID="server"
VERSION_ID="7.9"
PRETTY_NAME="Oracle Linux Server 7.9"
There is a configured freeipa server with a connection to AD using one-way trusts. There is a domain user who is added to the IPA via id view. The user is added to a group in AD, group1, which has two more nested groups, group2 and group3. Group3 is added as a mapping to an external group in freeipa and added to a local freeipa group.
This is probably more appropriate as an sssd ticket but let's see what @sbose thinks.
What provider are you using, ipa, ad or ldap?
[domain/ipadomain.local]
ldap_group_member = member
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipadomain.local
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.ipadomain.local
chpass_provider = ipa
ipa_server = ipa1.ipadomain.local
ipa_server_mode = True
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_group_nesting_level = 3
debug_level = 9
ldap_use_tokengroups = True
ldap_schema = rfc2307bis

[domain/ipadomain.local/addomain.local]
ldap_group_nesting_level = 3

[sssd]
services = sudo, nss, ifp, pam, ssh
domains = ipadomain.local

[nss]
memcache_timeout = 600
homedir_substring = /home

[pam]

[sudo]

[autofs]
The sssd-ipa man page does not include ldap_group_nesting_level as an available option.
I agree, but this item is in /usr/share/sssd/sssd.api.d/sssd-ipa.conf in the [provider/ipa/id] subsection, and in /usr/share/sssd/sssd.api.d/sssd-ad.conf in the [provider/ad/id] subsection. Perhaps there is another regular way to change the depth of nesting of groups when searching in the catalog?
@sbose any comment from SSSD side? I don't think this has anything to do with IPA code. If there is any bug on SSSD side, the ticket should be opened there.
Hello team. I tried to create 4 local groups in the ipa. I nested them one inside the other. Then I added a local account to one of these groups. Next, I returned the parameter ldap_group_nesting_level = 2 (default value) in sssd.conf in the [domain/ipadomain.local] section. When I run the command "id" for this local account, I get all 4 nested groups in the output. And when I send a request to the AD, I get only 2 nested groups, whatever value I set in the ldap_group_nesting_level parameter in the [domain/ipadomain.local/addomain.local] subsection. As I understand it, the value ldap_group_nesting_level = 2 implies a search in all nested groups. Then the question is how to remove the restriction on the level of nesting when searching in AD + one-way trusts?
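As an added example that is not part of this ticket or of SSSD, a small Python check for the situation described in this thread: it builds the transitive memberOf closure for a constructed version of the scenario (user -> group1 -> group2 -> group3; the principal names, GIDs and rule names are assumptions), parses the groups field of `id` output, and reports which groups the user should resolve to but does not, together with the HBAC/sudo rules bound to those groups that will therefore never match the user.

```python
import re
from collections import deque

# Constructed memberOf graph for the ticket's scenario (names are assumptions):
# the user is a direct member of group1, group1 is a member of group2 and
# group2 a member of group3, so all three groups should resolve for the user.
MEMBER_OF = {
    "aduser@addomain.local": {"group1@addomain.local"},
    "group1@addomain.local": {"group2@addomain.local"},
    "group2@addomain.local": {"group3@addomain.local"},
    "group3@addomain.local": set(),
}
# Constructed HBAC/sudo rules, keyed by the group each is bound to.
RULES = {
    "group2@addomain.local": ["hbac:allow_ssh_dev"],
    "group3@addomain.local": ["hbac:allow_ssh_prod", "sudo:restart_services"],
}
# Constructed `id aduser@addomain.local` output showing the symptom: no group3.
ID_OUTPUT = ("uid=1234567(aduser@addomain.local) gid=1234567(aduser@addomain.local) "
             "groups=1234567(aduser@addomain.local),1234568(group1@addomain.local),"
             "1234569(group2@addomain.local)")
GROUP_RE = re.compile(r"\d+\(([^)]+)\)")

def expected_groups(principal, member_of, max_hops=None):
    """Transitive memberOf closure (BFS). max_hops caps how many group-in-group
    links are followed beyond the direct groups (hop 0); None follows them all.
    The visited set guards against membership cycles."""
    found = set()
    queue = deque((g, 0) for g in member_of.get(principal, ()))
    while queue:
        group, hops = queue.popleft()
        if group in found or (max_hops is not None and hops > max_hops):
            continue
        found.add(group)
        queue.extend((p, hops + 1) for p in member_of.get(group, ()))
    return found

def observed_groups(id_output):
    """Group names parsed from the groups= field of `id` output."""
    return set(GROUP_RE.findall(id_output.partition("groups=")[2]))

def audit(principal, id_output, member_of, rules):
    """Groups the user should resolve to but does not, and the rules bound to
    those groups, which therefore never match this user."""
    missing = expected_groups(principal, member_of) - observed_groups(id_output)
    return missing, sorted(r for g in missing for r in rules.get(g, ()))

if __name__ == "__main__":
    missing, dead = audit("aduser@addomain.local", ID_OUTPUT, MEMBER_OF, RULES)
    print("missing:", sorted(missing), "rules that will not match:", dead)
```

On a real host, replace ID_OUTPUT with the actual `id user@addomain.local` output and MEMBER_OF with the memberships read from the directory; the max_hops argument lets you see which groups a depth-limited resolver would drop.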