Open desparatesysadmin opened 1 year ago
@desparatesysadmin thanks for digging into it further and sharing. We will work on including that in the documentation.
There is a note in man sss-certmap:
Please note that the characters "^.[$()|*+?{\" have a special meaning in regular expressions and must be escaped with the help of the '\' character so that they are matched as ordinary characters.
-- it would be good to have a similar note in the 'sssd-ldap' man page.
So I am sure the \ followed by the special character didn't work for me either. I had to specifically use the UTF encoding. But I will have to retest this to confirm, since it's been a while now.
So when defining ad_access_filter, if the security group name has a parenthesis - Administrative Accounts (a) - SSSD fails to apply the filter with the following error messages.
A lot of forums and instructions suggest verifying your filter by using the ldapsearch command with the LDAP filter shown in the log. ldapsearch and the ADUC advanced/custom search are able to get successful results using the LDAP filter from the log.
Filter shown in the sssd log:
(2023-04-12 22:34:43): [be[domain.org]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=useracc)(objectclass=user)(memberOf=CN=Administrative Accounts (a),OU=_Admin Accounts,DC=domain,DC=org))][CN=User Account (a),OU=_Admin Accounts,DC=domain,DC=org].
SOLUTION: Escape the parentheses in the CN.
Working configuration:
Non-working configuration:
I've spent weeks trying to get to the bottom of it, and hopefully this helps someone.
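Why the filter from the log is accepted by ldapsearch and ADUC yet is not a well-formed LDAP filter, and what the escaped form looks like, as an added example that is not part of the original issue or of the sssd project. The escaping rule is RFC 4515 section 3: inside an assertion value `(` is written `\28`, `)` is `\29`, `*` is `\2a`, `\` is `\5c` and NUL is `\00`. The group DN and the logged filter are constructed copies of the log line above; the strict parser covers a subset of the RFC 4515 grammar (and/or/not and simple `attr=value` items with hex escapes) and was written for this example. The working configuration itself is not on the page, and whether the sssd.conf parser passes backslashes through unchanged is not settled here, so after changing ad_access_filter confirm the escaped DN in the `calling ldap_search_ext with [...]` debug line rather than trusting the config file alone.

```python
"""Escape and validate LDAP search filters (RFC 4515 subset).

Added example, not code from the sssd project. The DN and the logged filter
below are constructed copies of the values in the issue's log line.
"""

# RFC 4515: these characters must be written as '\' + two hex digits inside an
# assertion value. Everything else (spaces, '=', ',', '_') may stay literal.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

_HEX = set("0123456789abcdefABCDEF")


def escape_filter_value(value: str) -> str:
    """Escape one assertion value (e.g. a group DN used with memberOf=)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_access_filter(group_dn: str) -> str:
    """Build a memberOf clause suitable for ad_access_filter, DN escaped."""
    return "(memberOf=%s)" % escape_filter_value(group_dn)


class FilterError(ValueError):
    """Raised where the text stops matching the RFC 4515 grammar."""


def _parse_item(s: str, i: int) -> int:
    """Parse 'attr op value' at s[i]; return the index of the closing ')'."""
    j = i
    while j < len(s) and (s[j].isalnum() or s[j] in "-.;:"):
        j += 1
    if j == i:
        raise FilterError("expected attribute name at offset %d" % i)
    for op in ("~=", ">=", "<=", "="):
        if s.startswith(op, j):
            j += len(op)
            break
    else:
        raise FilterError("expected '=' after attribute at offset %d" % j)
    # assertion value: anything but ( ) \ NUL; '\' is only legal as \xx hex
    while j < len(s) and s[j] not in "()":
        if s[j] == "\\":
            if j + 2 >= len(s) or s[j + 1] not in _HEX or s[j + 2] not in _HEX:
                raise FilterError("bad escape at offset %d: use the \\xx hex form" % j)
            j += 3
        elif s[j] == "\x00":
            raise FilterError("NUL byte at offset %d" % j)
        else:
            j += 1
    return j


def _parse_filter(s: str, i: int) -> int:
    """Parse '(' filtercomp ')' at s[i]; return the index after the ')'."""
    if i >= len(s) or s[i] != "(":
        raise FilterError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise FilterError("unexpected end of filter")
    c = s[i]
    if c in "&|":
        i += 1
        count = 0
        while i < len(s) and s[i] == "(":
            i = _parse_filter(s, i)
            count += 1
        if count == 0:
            raise FilterError("'%s' needs at least one nested filter at offset %d" % (c, i))
    elif c == "!":
        i = _parse_filter(s, i + 1)
    else:
        i = _parse_item(s, i)
    if i >= len(s) or s[i] != ")":
        raise FilterError("expected ')' at offset %d, got %r" % (i, s[i:i + 1]))
    return i + 1


def filter_problem(flt: str) -> str:
    """Return '' if flt parses as an RFC 4515 filter, else the first complaint."""
    try:
        end = _parse_filter(flt, 0)
    except FilterError as exc:
        return str(exc)
    if end != len(flt):
        return "trailing data at offset %d: %r" % (end, flt[end:])
    return ""


# Constructed inputs: the group DN from the issue and the filter sssd logged.
GROUP_DN = "CN=Administrative Accounts (a),OU=_Admin Accounts,DC=domain,DC=org"
LOGGED_FILTER = "(&(sAMAccountName=useracc)(objectclass=user)(memberOf=%s))" % GROUP_DN
ESCAPED_FILTER = "(&(sAMAccountName=useracc)(objectclass=user)%s)" % build_access_filter(GROUP_DN)

if __name__ == "__main__":
    # The unescaped value's '(' ends the memberOf item early, so a strict
    # parser stops there; the escaped form parses cleanly.
    print("logged :", LOGGED_FILTER)
    print("problem:", filter_problem(LOGGED_FILTER) or "none")
    print("escaped:", ESCAPED_FILTER)
    print("problem:", filter_problem(ESCAPED_FILTER) or "none")
    print("ad_access_filter value:", build_access_filter(GROUP_DN))
```

Running the script prints both filters and the parser's complaint about the unescaped one; the string returned by build_access_filter() is the form to put in ad_access_filter. Note that ldapsearch accepting a filter is not proof that it is well-formed, which is why the "verify with ldapsearch" advice quoted in the issue did not catch this case.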