RSS feed

Re: AD group membership second method

[Date Prev][Date Next] [Thread Prev][Thread Next]

Re: AD group membership second method

So below is my config based on the example AD config. It was not
seeing the group members unless we populated the memberUid attribute
in AD. But just so happens our AD servers were upgraded to Windows
2016 server this weekend and now the filter group is working with just
the normal ad member attribute. That is we do not have to populate the
member Uid. Thanks for your response.

pagesize 1000
referrals off
idle_timelimit 800
filter passwd 
map    passwd gecos            displayName
filter group  (objectClass=group)

On Mon, Apr 30, 2018 at 2:14 PM, Arthur de Jong <> wrote:
> On Tue, 2018-04-24 at 14:03 -0400, John Sopko wrote:
>> Can someone give me the magic group filters and mappings in
>> nslcd.conf so we can use regular AD group members instead of having
>> to populate AD groups with memberUid? That is we would like to use
>> the second method as noted below from the README. I understand there
>> may be a performance hit. Thanks.
> The sample nslcd.conf has two options for using AD as an LDAP server:
> The two examples differ in whether the uidNumber and gidNumber
> attributes are present.
> If you have groups I think AD uses the member attribute which is
> supported by nss-pam-ldapd as default mapping. This attribute used to
> be uniqueMember by default in very old releases of nss-pam-ldapd. For
> some versions of AD you may need to include the sAMAccountName as uid
> attribute mapping.
> Hope this helps,
> --
> -- arthur - - --

John W. Sopko Jr.
University of North Carolina
Computer Science Dept CB 3175
Chapel Hill, NC 27599-3175

Fred Brooks Building; Room 140
Computer Services Systems Specialist
email: sopko AT
phone: 919-590-6144
To unsubscribe send an email to or see