Another SSSD Gotcha! ldap_group_nesting_level!
So I ran into another SSSD gotcha specifically with nested groups with Active Directory LDAP. This issue manifested itself as my user id along with others being members of a group that we should not have been members of. So you say how can this be corrected with SSSD. Well SSSD has a parameter called: ldap_group_nesting_level. It’s default value is 2 so it will nest down 2 levels. Answer set this to 0 and stop SSSD and purge /var/lib/sss/db/* files. Restart SSSD and the nested group information will be purged.
If ldap_schema is set to a schema format that supports nested groups (e.g. RFC2307bis), then this option controls how many levels of nesting SSSD will follow. This option has no effect on the RFC2307 schema.
Note: This option specifies the guaranteed level of nested groups to be processed for any lookup. However, nested groups beyond this limit may be returned if previous lookups already resolved the deeper nesting levels. Also, subsequent lookups for other groups may enlarge the result set for original lookup if re-queried.
If ldap_group_nesting_level is set to 0 then no nested groups are processed at all. However, when connected to Active-Directory Server 2008 and later using “id_provider=ad” it is furthermore required to disable usage of Token-Groups by setting ldap_use_tokengroups to false in order to restrict group nesting.