The use of token groups is known to be causing issues with group memberships [1]:
After selecting a custom ldap_search_base, the group membership no longer displays correctly.
If you use non-standard LDAP search bases, please disable the TokenGroups performance enhancement by setting ldap_use_tokengroups=False. Otherwise, the AD provider would receive the group membership via a special call that is not restricted by the custom search base, which causes unpredictable results.
Typically, users configure a custom ldap_search_base to limit the groups the user is a member of. Please see [this blog post](https://jhrozek.wordpress.com/2016/12/09/restrict-the-set-of-groups-the-user-is-a-member-of-with-sssd/) for more information on the subject.
We had several issues where the root cause was attributed to this. It would be nice to raise an issue when "sssd-ad" is present in the environment and the "ldap_use_tokengroups" option is set to "true".
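A sketch of how such a check could look, as an added example that is not part of the original request or of any project's code. It narrows the rule to the case the quoted guidance describes (a custom ldap_search_base with TokenGroups still enabled), uses `id_provider = ad` as a stand-in for "sssd-ad is present", and the function name and sample configuration are hypothetical.

```python
import configparser

# Constructed sample sssd.conf; domain names and search bases are invented.
SAMPLE_SSSD_CONF = """
[sssd]
domains = corp.example, lab.example, ldap.example

[domain/corp.example]
id_provider = ad
ldap_search_base = OU=Linux,DC=corp,DC=example

[domain/lab.example]
id_provider = ad
ldap_search_base = OU=Lab,DC=lab,DC=example
ldap_use_tokengroups = False

[domain/ldap.example]
id_provider = ldap
ldap_search_base = dc=ldap,dc=example
"""


def find_tokengroups_risks(conf_text):
    """Return names of AD domains that combine a custom ldap_search_base
    with the TokenGroups lookup still enabled."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    flagged = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        opts = parser[section]
        if opts.get("id_provider", "").strip().lower() != "ad":
            continue
        if not opts.get("ldap_search_base", "").strip():
            continue
        # Assumption: an unset ldap_use_tokengroups counts as enabled for
        # the AD provider, so only an explicit false value clears the domain.
        try:
            enabled = opts.getboolean("ldap_use_tokengroups", fallback=True)
        except ValueError:
            enabled = True  # unparseable value: report it rather than skip
        if enabled:
            flagged.append(section[len("domain/"):])
    return flagged


if __name__ == "__main__":
    for name in find_tokengroups_risks(SAMPLE_SSSD_CONF):
        print(f"{name}: custom ldap_search_base with TokenGroups enabled")
```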