I am trying to figure out how to structure my LDAP directory and/or configure sssd to read the membership of nested groups.
Something like this works for normal group membership:
DN: cn=server-admins,ou=Groups,dc=example,dc=com
groupOfNames (structural)
posixGroup (auxiliary)
memberUid userName1
memberUid userName2
and the sssd.conf doing something like:
[sssd]
config_file_version = 2
domains = default
services = nss, pam
full_name_format = %1$s
[domain/default]
debug_level = 2
id_provider = ldap
auth_provider = ldap
cache_credentials = True
ldap_uri = ldaps://ldapserver:636
ldap_search_base = dc=example,dc=com
# start searching here
ldap_user_search_base = ou=People,dc=example,dc=com
# search these people
ldap_group_search_base = ou=Groups,dc=example,dc=com
ldap_group_nesting_level = 10
# simple_allow_groups is only evaluated when the simple access provider is selected
access_provider = simple
simple_allow_groups = server-admins
If I run id userName1, I get the server-admins membership and can log in with that user.
However, what I'd like to do is something like this:
DN: cn=server-admins,ou=Groups,dc=example,dc=com
groupOfNames (structural)
posixGroup (auxiliary)
member cn=jobTitleGroup1,ou=Roles,dc=example,dc=com
Then have the membership of jobTitleGroup1 contain the people:
DN: cn=jobTitleGroup1,ou=Roles,dc=example,dc=com
groupOfNames (structural)
posixGroup (auxiliary)
memberUid userName1
memberUid userName2
The problem is that sssd only seems to recognise the memberUid attribute, and doesn't seem to see/search the nested group membership of jobTitleGroup1.
So I don't know how to do nested groups, and/or don't know how to get sssd to read the membership of nested groups.
Any help would be appreciated.
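Added example, not part of the question and not SSSD's own code: a small Python model of the two ways a client can interpret the group layout above. In RFC 2307 style only memberUid values (plain user names) are read, so a group whose only content is a member DN pointing at another group resolves to nobody. In RFC 2307bis style the member DNs are dereferenced and nested groups are expanded, bounded by a nesting limit (modelled on the question's ldap_group_nesting_level = 10) and protected against membership cycles. The directory entries are constructed to mirror the question's layout (with one deliberate cycle added to exercise the protection); the function names parse_ldif, resolve_members and user_allowed are this example's own.

```python
"""Model of nested LDAP group resolution: memberUid-only (RFC 2307) versus
member-DN dereferencing (RFC 2307bis), with a nesting limit and cycle guard.

Constructed example; the LDIF below is not a dump from a real server.
"""
import re
from collections import deque

# Constructed LDIF mirroring the question: server-admins only points at a
# role group via 'member'; the role group holds the actual people. The
# role group also points back at server-admins to create a cycle.
SAMPLE_LDIF = """\
dn: cn=server-admins,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: posixGroup
cn: server-admins
gidNumber: 10001
member: cn=jobTitleGroup1,ou=Roles,dc=example,dc=com

dn: cn=jobTitleGroup1,ou=Roles,dc=example,dc=com
objectClass: groupOfNames
objectClass: posixGroup
cn: jobTitleGroup1
gidNumber: 10002
member: uid=userName1,ou=People,dc=example,dc=com
member: uid=userName2,ou=People,dc=example,dc=com
member: cn=server-admins,ou=Groups,dc=example,dc=com
memberUid: userName1
memberUid: userName2

dn: uid=userName1,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: userName1
uidNumber: 2001
gidNumber: 10002

dn: uid=userName2,ou=People,dc=example,dc=com
objectClass: posixAccount
uid: userName2
uidNumber: 2002
gidNumber: 10002
"""


def parse_ldif(text):
    """Return {dn_lowercase: {attr_lowercase: [values]}} for a simple LDIF
    dump (no line folding, no base64 values, no changetype records)."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        dn = attrs.pop("dn")[0]
        entries[dn.lower()] = attrs
    return entries


def resolve_members(entries, group_dn, nesting_level=10, follow_member=True):
    """Return the set of user names that belong to group_dn.

    follow_member=True models RFC 2307bis handling: 'member' DNs are
    dereferenced, nested groups are expanded up to nesting_level hops
    deep (0 = direct members only), and each group is expanded once.
    follow_member=False models plain RFC 2307: only memberUid counts,
    so a nested group is invisible.
    """
    users, expanded = set(), set()
    # Breadth-first so every group is first seen at its shallowest depth.
    queue = deque([(group_dn.lower(), 0)])
    while queue:
        key, hops = queue.popleft()
        entry = entries.get(key)
        if entry is None:          # dangling DN: nothing to resolve
            continue
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "posixaccount" in classes:
            users.update(entry.get("uid", []))
            continue
        if key in expanded or hops > nesting_level:
            continue               # cycle, or deeper than the nesting limit
        expanded.add(key)
        users.update(entry.get("memberuid", []))
        if follow_member:
            for child in entry.get("member", []):
                queue.append((child.lower(), hops + 1))
    return users


def user_allowed(entries, user_name, allow_group_dns, **kwargs):
    """Model of an allow-list check like simple_allow_groups: the user is
    allowed only if resolved membership of some listed group includes them."""
    return any(user_name in resolve_members(entries, dn, **kwargs)
               for dn in allow_group_dns)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    admins = "cn=server-admins,ou=Groups,dc=example,dc=com"
    print("memberUid only :", sorted(resolve_members(entries, admins, follow_member=False)))
    print("member DNs     :", sorted(resolve_members(entries, admins)))
    print("nesting_level=0:", sorted(resolve_members(entries, admins, nesting_level=0)))
```

The two resolution modes give opposite access decisions for the same directory: with memberUid-only resolution userName1 is not a member of server-admins and an allow-list built on that group denies the login, while with member-DN dereferencing the nested role group is expanded and the login is permitted. The user_allowed check only models the allow list itself; in sssd that list is consulted only when access_provider = simple is set, otherwise the group restriction is not enforced at all.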