000036300 - RSA PAM Authentication Agent cannot challenge users in Active Directory groups

Document created by RSA Customer Support Employee on May 19, 2018

Article Content

Article Number: 000036300
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for PAM
RSA Version/Condition: 7.1.x
Platform: Linux
Issue: LDAP / Active Directory groups need to be challenged or unchallenged by the RSA PAM module, but the PAM module cannot resolve the users that belong to those groups.
Cause: The PAM module finds group membership by iterating the group database with the getgrent() C library function (it is a libc call, not a system call). With the default SSSD setting enumerate = false, SSSD answers direct lookups such as getgrnam() and getgrgid() but does not return LDAP / Active Directory groups during enumeration, so getgrent() never returns the group entry and the group is treated as if it did not exist.
Resolution: To resolve the issue, add the line below to the [domain/...] section of /etc/sssd/sssd.conf (not to the [sssd], [nss] or [pam] sections), then restart SSSD (for example, systemctl restart sssd) so that the change takes effect. Keep the file owned by root with mode 0600, because SSSD refuses to start otherwise. Note that enumeration has a cost: SSSD periodically downloads every user and group in the domain, which can be slow and memory-intensive against a large directory, so enable it only on hosts that need it.

enumerate = true
Notes: If the groups are nested, you may also need to set the group nesting level in the same [domain/...] section of /etc/sssd/sssd.conf, as shown below. The value controls how many levels of nested group membership SSSD resolves (2 is the SSSD default); increase it if the groups to be challenged are nested more deeply.

ldap_group_nesting_level = 2
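As an added example that is not part of the RSA article: a POSIX shell script that first reproduces the check behind the Cause above (a group that a direct getgrnam() lookup returns but that getgrent() enumeration does not, using getent for both) and then applies the Resolution to a sssd.conf in an idempotent way that keeps the file's owner and mode. The function names, the constructed sample sssd.conf used for the demo, and the use of getent, awk, sss_cache and systemctl are assumptions, not anything from the article or from the RSA agent itself.

```shell
#!/bin/sh
# Added example, not from the RSA article. Assumes glibc 'getent', awk, grep and
# cut are available and that the domain section header in sssd.conf starts
# with "[domain/" (the SSSD convention).

# Diagnose: is the group returned by a direct lookup (getgrnam, which is what
# 'getent group NAME' does) and by enumeration (getgrent, which is what
# 'getent group' with no argument does)?
# Returns 0 = both, 1 = direct lookup only (the symptom in this article),
# 2 = not found at all (the domain join or SSSD itself needs attention first).
check_group_visibility() {
    name="$1"
    if ! getent group "$name" >/dev/null 2>&1; then
        echo "$name: not found by direct lookup (getgrnam)"
        return 2
    fi
    if getent group | cut -d: -f1 | grep -qxF -- "$name"; then
        echo "$name: visible to both direct lookup and enumeration"
        return 0
    fi
    echo "$name: direct lookup works but enumeration (getgrent) omits it; set enumerate = true in the [domain/...] section of sssd.conf"
    return 1
}

# Set 'enumerate = true' inside every [domain/...] section of the given
# sssd.conf: an existing 'enumerate =' line is replaced, otherwise one is
# appended at the end of the section. [sssd], [nss] and [pam] are untouched.
# The file is rewritten in place through 'cat' so its owner and mode
# (SSSD requires root:root 0600) survive the edit.
enable_sssd_enumeration() {
    conf="$1"
    tmp=$(mktemp) || return 1
    awk '
        function finish_section() {
            if (in_domain && !seen) print "enumerate = true"
            seen = 0
        }
        /^[ \t]*\[/ {
            finish_section()
            in_domain = ($0 ~ /^[ \t]*\[domain\//)
            print; next
        }
        in_domain && /^[ \t]*enumerate[ \t]*=/ {
            print "enumerate = true"; seen = 1; next
        }
        { print }
        END { finish_section() }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Apply on a live host (defined here, not run by the demo): edit the real
# file, invalidate the SSSD cache so stale negative entries are not served,
# and restart SSSD so the new setting is read.
apply_to_host() {
    enable_sssd_enumeration /etc/sssd/sssd.conf &&
    sss_cache -E &&
    systemctl restart sssd
}

# Stand-alone demo on a constructed sssd.conf (sample content, not a real host's file).
demo() {
    sample=$(mktemp)
    printf '%s\n' '[sssd]' 'domains = example.com' 'services = nss, pam' '' \
        '[domain/example.com]' 'id_provider = ad' 'enumerate = false' '' '[pam]' > "$sample"
    enable_sssd_enumeration "$sample"
    cat "$sample"
    rm -f "$sample"
    check_group_visibility root
}
demo
```

Run check_group_visibility against the AD group named in the PAM configuration before and after the change: a return code of 1 before and 0 after confirms that enumeration was the missing piece, while 2 means SSSD cannot resolve the group at all and enumeration will not help.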