Our LDAP server is running RFC 2307 groups (memberuid contains a username, not a DN). With our old nscd/nss_ldap/pam_ldap setup, you could list a non-LDAP user (a system user from /etc/passwd) in an LDAP group's memberuid attribute, and that system user will be a member of the group.
However, on machines I've upgraded to SSSD, this no longer works: SSSD just strips out the non-LDAP user from the member list.
I've confirmed this behavior by logging in as the user and using id and also by running getent group group.
Here is my sssd.conf (with some details redacted and clearly marked as such)
[sssd]
config_file_version = 2
services = nss, pam
domains = REDACTED.net
[nss]
# defaults are OK
[pam]
# defaults are OK
[domain/REDACTED.net]
enumerate = true
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = ldap
ldap_uri = _srv_
ldap_chpass_uri = ldap://haruhi.REDACTED.net
ldap_search_base = dc=REDACTED,dc=net?subtree?
ldap_schema = rfc2307
ldap_tls_cacert = /usr/local/share/ca-certificates/REDACTED-CA.crt
ldap_id_use_start_tls = true
ldap_pwd_policy = shadow
ldap_access_filter = memberOf=cn=UNIX Users,ou=Policies,dc=REDACTED,dc=net
ldap_access_order = filter, authorized_service, host
ldap_default_bind_dn = uid=haruhi,ou=Machines,dc=REDACTED,dc=net
ldap_default_authtok = VERY_REDACTED
/etc/nsswitch.conf has boring entries for passwd/group/shadow:
passwd: compat ldap sss
group: compat ldap sss
shadow: compat sss
(ldap is still in there, but it isn't actually installed on the system any more)
Also, I doubt it matters (as I see the same behavior on other machines) but this machine—Haruhi—is also the master LDAP server, running OpenLDAP.
How do I configure SSSD to not strip out system users from LDAP groups?
Best Answer
This was enabled in sssd 1.9.5, by setting sssd.conf to include:
https://fedorahosted.org/sssd/wiki/Releases/Notes-1.9.5