LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Enterprise Linux Forums > Linux - Enterprise
User Name
Password
Linux - Enterprise This forum is for all items relating to using Linux in the Enterprise.

Notices

Reply
 
Search this Thread
Old 08-18-2011, 11:51 AM   #1
mwd
LQ Newbie
 
Registered: Jan 2003
Location: New Jersey, USA
Distribution: RedHat
Posts: 5

Rep: Reputation: 0
rhel6 sssd ldap for authentication and local files for userNumber (unix uid).


The University has ldap, however, they don't let
departments see the uidNumber (annoying yes).

I was wondering if there is a good way to setup sssd
to allow:
id_provider = files
auth_provider = ldap

It fails when I try this, I have also tried various proxy
examples.

nslcd.conf works fine with this setup, but I had to load
local username/userIDs on the systems (currently). But
may move to a internal LDAP for users and university LDAP
for authentication.

Any comments on how to set this up?

mark
 
Old 08-22-2011, 07:14 AM   #2
sgallagh
LQ Newbie
 
Registered: Mar 2011
Posts: 26

Rep: Reputation: 12
This is probably not going to work with SSSD. We make a fair number of assumptions in the LDAP authentication provider that it's paired with an LDAP identity provider.

I fail to understand why the university would not allow access to uidNumber in LDAP. This renders LDAP entirely useless on UNIX machines. Perhaps you should negotiate with the admins to allow uidNumber to be exposed if the client software is authenticated (rather than anonymous), and then you can configure your clients to use:

ldap_default_bind_dn = uid=username,cn=Users,cn=Accounts,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = <your_password>

This way, if they have a valid (to their minds) reason for not exposing the uidNumber to anonymous access, they can at least do so for authenticated connections.

Also, it is strongly recommended that you should use either 'ldap_id_use_start_tls = true' or 'ldap_uri = ldaps://...' when performing an authenticated bind, so that your password cannot be sniffed.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
RHEL6 using real rather than effective UID in sendmail MensaWater Linux - Software 3 08-11-2011 03:17 PM
Kerberos, LDAP, THEN Local authentication? cckid Linux - Server 2 10-20-2009 01:41 PM
LDAP authentication without local account viveksnv Linux - Security 2 10-12-2009 07:39 PM
LDAP authentication and flat files bx.s Linux - General 5 10-27-2006 04:18 AM
LDAP Authentication w/ Local User Information Adrian W Linux - Security 13 08-17-2004 11:09 AM


All times are GMT -5. The time now is 06:13 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration