How do I enable group enumeration on a Linux server that is using LDAP to connect to an AD server?


Add to /etc/nsswitch.conf (if not already present):

passwd: files sss
group:  files sss

Have sssd installed and configure it to search the appropriate space (/etc/sssd/sssd.conf):

# sssd.conf must be owned by root with mode 0600, or sssd refuses to load it
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

# the section name is domain/<name> (singular), matching the domains= entry above
[domain/LDAP]
ldap_schema = rfc2307bis
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://localhost
ldap_search_base = ou=users,o=company
ldap_user_search_base = ou=users,o=company
ldap_group_search_base = ou=groups,o=company
# "allow" skips server certificate validation; use "demand" with ldap_tls_cacert in production
ldap_tls_reqcert = allow
cache_credentials = true
# without enumerate = true, sssd_nss.log reports "No enumeration for [LDAP]!"
enumerate = true
min_id = 1
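A pre-flight check for the two files above, added here as an example and not part of the original answer: it confirms that nsswitch routes group lookups through sss, that every name in the [sssd] domains= list has a matching [domain/NAME] section, and that enumerate and ldap_group_search_base are set. File paths are taken as arguments; the sample files it writes are constructed to mirror the answer.

```sh
#!/bin/sh
# Added pre-flight check (not from the original answer): verify that
# nsswitch.conf and sssd.conf are set up so that "groups" and "getent group"
# can resolve directory groups through sssd. Paths are arguments so the
# check can be run against copies of the real files.

# Print the value of KEY inside [SECTION] of an INI-style file; empty if absent.
ini_get() {
  awk -v sec="[$2]" -v key="$3" '
    /^[[:space:]]*\[/ { cur = $0; gsub(/^[[:space:]]+|[[:space:]]+$/, "", cur); next }
    cur == sec && $0 ~ "^[[:space:]]*" key "[[:space:]]*=" {
      sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit }
  ' "$1"
}

# Return 0 when the configuration allows group enumeration, 1 with reasons otherwise.
check_enumeration() {
  sssd_conf="$1"; nss_conf="$2"; rc=0
  # group lookups must be routed through the sss NSS module
  grep -Eq '^[[:space:]]*group:.*[[:space:]]sss([[:space:]]|$)' "$nss_conf" \
    || { echo "nsswitch: group line does not list sss"; rc=1; }
  # each name in [sssd] domains= needs a matching [domain/NAME] section
  domains=$(ini_get "$sssd_conf" sssd domains | tr ',' ' ')
  [ -n "$domains" ] || { echo "sssd.conf: no domains= in [sssd]"; return 1; }
  for d in $domains; do
    if ! grep -q "^\[domain/$d][[:space:]]*$" "$sssd_conf"; then
      echo "sssd.conf: no [domain/$d] section (section name is domain/, not domains/)"
      rc=1; continue
    fi
    # sssd_nss.log "No enumeration for [$d]!" means this key is missing or false
    [ "$(ini_get "$sssd_conf" "domain/$d" enumerate)" = "true" ] \
      || { echo "sssd.conf: enumerate = true missing in [domain/$d]"; rc=1; }
    [ -n "$(ini_get "$sssd_conf" "domain/$d" ldap_group_search_base)" ] \
      || { echo "sssd.conf: ldap_group_search_base missing in [domain/$d]"; rc=1; }
  done
  return $rc
}

# Constructed sample files mirroring the answer above; checked when run directly.
demo_dir=$(mktemp -d)
printf 'passwd: files sss\ngroup:  files sss\n' >"$demo_dir/nsswitch.conf"
cat >"$demo_dir/sssd.conf" <<'EOF'
[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
ldap_group_search_base = ou=groups,o=company
enumerate = true
EOF
check_enumeration "$demo_dir/sssd.conf" "$demo_dir/nsswitch.conf" && echo "OK: enumeration configured"
```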


Updated on September 18, 2022

Comments

  • RebornGeek
    RebornGeek over 1 year

    I've got a set of servers that I need to authenticate against a central Active Directory forest. The AD admins have kindly installed the UNIX AD extensions and the NIS ones as well, so I've got a lot of LDAP attributes to work from.

    Authenticated binds are working, as are user logins. The one piece I'm missing is the magic sauce to make group enumerations work correctly.

    Does anyone have any particular /etc/ldap.conf or perhaps PAM magic that I could employ to make groups work correctly?

    To wit:

    [root@hostname ~]# groups username
    id: cannot find name for group ID 1768498755
    [root@hostname ~]#
    

    (The ID is the default group specified via gidNumber.)

    Thanks!

  • RebornGeek
    RebornGeek about 13 years
    Getting really close here. I can't seem to start sssd: "Starting sssd: Cannot load configuration database"
  • RebornGeek
    RebornGeek about 13 years
    Okay, I had it slightly misconfigured. Now I'm seeing the following in sssd_nss.log: "(Tue May 3 10:06:53 2011) [sssd[pam]] [confdb_get_domain_internal] (1): No enumeration for [AD]!" Ideas?
  • chandank
    chandank over 11 years
    It did not help either.