Re: [SSSD-users] SSSD with id_provider ldap and auth_provider krb5-ad

Hello everyone, I made a configuration where I use Active Directory Kerberos as authentication source, but OpenDJ LDAP (Forgerock) as id_provider, sudo_provider etc.... I configured everything using the excellent tool msktutil, so no Samba or ktpass.exe involved.... Basically, this is my sssd.conf: [domain/DOMAIN] ldap_id_use_start_tls = True ldap_schema = rfc2307bis ldap_search_base = dc=xyz id_provider = ldap access_provider = ldap ldap_access_filter = isMemberOf=zyx auth_provider = krb5 chpass_provider = krb5 ldap_uri = ldap://xyz cache_credentials = true sudo_provider = ldap ldap_sudo_search_base = ou=xyz ldap_netgroup_search_base = ou=xyz ldap_group_name = uniqueMember entry_cache_netgroup_timeout = 300 entry_cache_sudo_timeout = 300 ldap_sasl_mech = GSSAPI ldap_force_upper_case_realm = True ldap_krb5_keytab = /etc/krb5.keytab krb5_keytab = /etc/krb5.keytab krb5_realm = MSNET.RAILB.BE krb5_ccachedir = /tmp krb5_validate = True krb5_auth_timeout = 15 ldap_sasl_authid = HOSTNAME$(a)MSNET.RAILB.BE ldap_krb5_init_creds = true debug_level = 5 I only have one problem: I have to create a "uid=HOSTNAME$" entry in my LDAP servers, which is now objectClass account.... By default, OpenDJ makes a GSSAPI match based on regexp for UID. But if I want to use objectClass ipHost/device, then cn is used instead of uid. Any idea what is the nicest solution here? SSO works perfect between Linux hosts also, but I can't succeed using Putty to use my Windows credentials/ticket to sign on to the sssd enabled hosts. Sincerely, PieterB