This is probably not going to work with SSSD. We make a fair number of assumptions in the LDAP authentication provider that it's paired with an LDAP identity provider.
I fail to understand why the university would not allow access to uidNumber in LDAP. This renders LDAP entirely useless on UNIX machines. Perhaps you should negotiate with the admins to allow uidNumber to be exposed if the client software is authenticated (rather than anonymous), and then you can configure your clients to use:
ldap_default_bind_dn = uid=username,cn=Users,cn=Accounts,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = <your_password>
This way, if they have a valid (to their minds) reason for not exposing the uidNumber to anonymous access, they can at least do so for authenticated connections.
Also, it is strongly recommended that you use either 'ldap_id_use_start_tls = true' or 'ldap_uri = ldaps://...' when performing an authenticated bind, so that your password cannot be sniffed.
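For reference, here is the sssd.conf domain section the reply above is describing, as an added example rather than a fragment from the original mail or from the SSSD project. The server name ldap.example.com, the search base, the CA bundle path and the domain name are assumed; the bind DN is the one quoted in the reply. The anonymous, cleartext variant is shown commented out next to the authenticated, TLS-protected one so the difference is visible in a single file.

```ini
# /etc/sssd/sssd.conf (added example; hostnames, paths and base DN are assumed)
# Must be owned by root and mode 0600: ldap_default_authtok is stored in clear.

[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap

# Weak configuration: anonymous bind over cleartext LDAP.  With a directory
# that hides uidNumber from anonymous clients this yields no POSIX users at all.
#ldap_uri = ldap://ldap.example.com
#ldap_id_use_start_tls = false

# Corrected configuration: bind as a real account so uidNumber (and gidNumber,
# homeDirectory, loginShell) are returned, and protect the bind with STARTTLS.
# 'ldap_uri = ldaps://ldap.example.com' is the alternative to the two lines below.
ldap_uri = ldap://ldap.example.com
ldap_id_use_start_tls = true
# Require a valid server certificate, otherwise STARTTLS does not stop an
# active attacker from reading the bind password.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt   # assumed CA bundle path

ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = uid=username,cn=Users,cn=Accounts,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = <your_password>
```

If storing the password in clear in sssd.conf is unacceptable, SSSD can instead use 'ldap_default_authtok_type = obfuscated_password' with a value written by the sss_obfuscate tool; this only hides the value from casual reading, so the 0600 root-only permissions on the file still matter.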