LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Enterprise (http://www.linuxquestions.org/questions/linux-enterprise-47/)
-   -   rhel6 sssd ldap for authentication and local files for userNumber (unix uid). (http://www.linuxquestions.org/questions/linux-enterprise-47/rhel6-sssd-ldap-for-authentication-and-local-files-for-usernumber-unix-uid-898103/)

mwd 08-18-2011 11:51 AM

rhel6 sssd ldap for authentication and local files for userNumber (unix uid).
 
The University has ldap, however, they don't let
departments see the uidNumber (annoying yes).

I was wondering if there is a good way to setup sssd
to allow:
id_provider = files
auth_provider = ldap

It fails when I try this, I have also tried various proxy
examples.

nslcd.conf works fine with this setup, but I had to load
local username/userIDs on the systems (currently). But
may move to a internal LDAP for users and university LDAP
for authentication.

Any comments on how to set this up?

mark

sgallagh 08-22-2011 07:14 AM

This is probably not going to work with SSSD. We make a fair number of assumptions in the LDAP authentication provider that it's paired with an LDAP identity provider.

I fail to understand why the university would not allow access to uidNumber in LDAP. This renders LDAP entirely useless on UNIX machines. Perhaps you should negotiate with the admins to allow uidNumber to be exposed if the client software is authenticated (rather than anonymous), and then you can configure your clients to use:

ldap_default_bind_dn = uid=username,cn=Users,cn=Accounts,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = <your_password>

This way, if they have a valid (to their minds) reason for not exposing the uidNumber to anonymous access, they can at least do so for authenticated connections.

Also, it is strongly recommended that you should use either 'ldap_id_use_start_tls = true' or 'ldap_uri = ldaps://...' when performing an authenticated bind, so that your password cannot be sniffed.


All times are GMT -5. The time now is 02:22 AM.