LinuxQuestions.org
#1  08-18-2011, 12:51 PM
mwd (LQ Newbie; Registered: Jan 2003; Location: New Jersey, USA; Distribution: RedHat; Posts: 5)
rhel6 sssd ldap for authentication and local files for userNumber (unix uid).


The University has LDAP; however, they don't let departments see the uidNumber (annoying, yes).

I was wondering if there is a good way to set up sssd to allow:
id_provider = files
auth_provider = ldap

It fails when I try this; I have also tried various proxy examples.

nslcd.conf works fine with this setup, but I had to load local usernames/user IDs on the systems (currently). But I may move to an internal LDAP for users and the university LDAP for authentication.

Any comments on how to set this up?

mark
 
#2  08-22-2011, 08:14 AM
sgallagh (LQ Newbie; Registered: Mar 2011; Posts: 26)
This is probably not going to work with SSSD. We make a fair number of assumptions in the LDAP authentication provider that it's paired with an LDAP identity provider.

I fail to understand why the university would not allow access to uidNumber in LDAP. This renders LDAP entirely useless on UNIX machines. Perhaps you should negotiate with the admins to allow uidNumber to be exposed if the client software is authenticated (rather than anonymous), and then you can configure your clients to use:

ldap_default_bind_dn = uid=username,cn=Users,cn=Accounts,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = <your_password>

This way, if they have a valid (to their minds) reason for not exposing the uidNumber to anonymous access, they can at least do so for authenticated connections.

Also, it is strongly recommended that you use either 'ldap_id_use_start_tls = true' or 'ldap_uri = ldaps://...' when performing an authenticated bind, so that your password cannot be sniffed.
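The two settings sgallagh recommends are easy to forget once a bind password sits in sssd.conf, so here is an added example (not from the thread, and not SSSD project code) that writes two constructed sssd.conf samples, a weak one that sends the bind password over plain ldap:// from a world-readable file, and a hardened one using ldaps:// with certificate checking, and then audits each for the two points that matter: the password must travel over TLS, and the file holding it must not be readable by other users. The host name ldap.example.com, the password "changeme" and the CA path are placeholders; the bind DN is the one from the reply above.

```shell
#!/bin/sh
# Write two constructed sssd.conf samples into directory $1 (example data, not real configs).
write_samples() {
  dir=$1
  # Weak: bind password stored, but the URI is plain ldap:// and no STARTTLS is requested.
  cat > "$dir/weak.conf" <<'EOF'
[sssd]
services = nss, pam
domains = university

[domain/university]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = uid=username,cn=Users,cn=Accounts,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = changeme
EOF
  chmod 644 "$dir/weak.conf"      # deliberately world-readable for the demo

  # Hardened: same bind, but over ldaps:// with the server certificate verified
  # against a pinned CA (ldap_tls_reqcert / ldap_tls_cacert are real SSSD options;
  # the CA path is a placeholder).
  cat > "$dir/hardened.conf" <<'EOF'
[sssd]
services = nss, pam
domains = university

[domain/university]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/university-ca.pem
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = uid=username,cn=Users,cn=Accounts,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = changeme
EOF
  chmod 600 "$dir/hardened.conf"
}

# Audit one sssd.conf. Returns 0 when a stored bind password is protected in
# transit (STARTTLS enabled, or every ldap_uri is ldaps://) and the file is not
# world-readable; returns 1 and prints the findings otherwise.
check_sssd_bind() {
  conf=$1
  rc=0
  if grep -qE '^[[:space:]]*ldap_default_authtok[[:space:]]*=' "$conf"; then
    if grep -qiE '^[[:space:]]*ldap_id_use_start_tls[[:space:]]*=[[:space:]]*true' "$conf"; then
      echo "$conf: bind password protected by STARTTLS"
    elif grep -qE '^[[:space:]]*ldap_uri[[:space:]]*=.*ldaps://' "$conf" \
         && ! grep -qE '^[[:space:]]*ldap_uri[[:space:]]*=.*ldap://' "$conf"; then
      echo "$conf: bind password protected by ldaps://"
    else
      echo "$conf: bind password would cross the network in the clear (use ldaps:// or ldap_id_use_start_tls = true)"
      rc=1
    fi
  fi
  # Column 8 of 'ls -l' is the others-read bit; a file holding a password must be 0600.
  if [ "$(ls -l "$conf" | cut -c8)" = "r" ]; then
    echo "$conf: world-readable; chmod 0600 it (sssd also refuses to start otherwise)"
    rc=1
  fi
  return $rc
}

# Demo run over the two constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in weak hardened; do
  check_sssd_bind "$demo_dir/$f.conf" || echo "   -> $f.conf FAILS the audit"
done
rm -rf "$demo_dir"
```

Note that sssd itself insists on sssd.conf being owned by root with mode 0600 and will not start otherwise, so the permission check mostly guards against copies of the file left elsewhere (configuration management repos, backups). The transport check is the one that silently fails open: a plain ldap:// URI with no STARTTLS still works, it just sends the bind credential unencrypted.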