Re: AD group membership second method

On Tue, 2018-04-24 at 14:03 -0400, John Sopko wrote:
> Can someone give me the magic group filters and mappings in
> nslcd.conf so we can use regular AD group members instead of having
> to populate AD groups with memberUid? That is we would like to use
> the second method as noted below from the README. I understand there
> may be a performance hit. Thanks.

The sample nslcd.conf has two options for using AD as an LDAP server:
  https://arthurdejong.org/git/nss-pam-ldapd/tree/nslcd.conf#n106
The two examples differ in whether the uidNumber and gidNumber
attributes are present.

If you have groups, I think AD uses the member attribute, which is
supported by nss-pam-ldapd as the default mapping. This attribute used
to be uniqueMember by default in very old releases of nss-pam-ldapd. For
some versions of AD you may need to include sAMAccountName as the uid
attribute mapping.

Hope this helps,

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --
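As an added illustration of the mappings described in the reply above (this is not part of the original message or of the nss-pam-ldapd distribution), here is a minimal nslcd.conf fragment for AD that takes group membership from the member attribute instead of memberUid. The server name, base DN, bind account and the objectSid-derived id mappings are assumptions: drop the objectSid lines if your AD already carries RFC2307 uidNumber/gidNumber attributes, and substitute your own domain SID otherwise.

```conf
# Added example: AD group lookups via the member attribute (nslcd.conf)
# Connection settings (hostname, base DN and bind account are placeholders)
uri ldap://ad.example.com/
base dc=example,dc=com
binddn cn=nslcd,ou=Service Accounts,dc=example,dc=com
# Use a read-only service account and keep nslcd.conf mode 0600
bindpw SECRET-PLACEHOLDER
pagesize 1000
referrals off

# Users: AD keeps the login name in sAMAccountName
filter passwd (&(objectClass=user)(objectClass=person)(!(objectClass=computer)))
map    passwd uid           sAMAccountName
# Only needed when AD lacks uidNumber/gidNumber (domain SID is a placeholder)
map    passwd uidNumber     objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
map    passwd gidNumber     objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
map    passwd homeDirectory "/home/$sAMAccountName"
map    passwd loginShell    "/bin/bash"

# Groups: membership comes from the member attribute (DNs of user objects),
# which nslcd resolves to login names through the passwd map above, so
# no memberUid values have to be maintained in AD.
filter group  (objectClass=group)
map    group  member        member
map    group  gidNumber     objectSid:S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
# Optional (nslcd 0.9 and later): expand groups nested inside other groups
nss_nested_groups yes
```

To check the result, run `getent group <groupname>` on the client and confirm the member list is populated; if it is empty, start nslcd in the foreground with `nslcd -d` to see the DN-to-uid lookups it performs for each member value. Resolving every member DN costs one extra lookup per entry, which is the performance hit mentioned in the question.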