On Thu, Oct 31, 2013 at 03:04:39PM +0100, Pieter Baele wrote:
Hello everyone,
I made a configuration where I use Active Directory Kerberos as the
authentication source,
but OpenDJ LDAP (Forgerock) as id_provider, sudo_provider etc....
I configured everything using the excellent tool msktutil, so no Samba or
ktpass.exe involved....
Basically, this is my sssd.conf:
[domain/DOMAIN]
ldap_id_use_start_tls = True
ldap_schema = rfc2307bis
ldap_search_base = dc=xyz
id_provider = ldap
access_provider = ldap
ldap_access_filter = isMemberOf=zyx
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://xyz
cache_credentials = true
sudo_provider = ldap
ldap_sudo_search_base = ou=xyz
ldap_netgroup_search_base = ou=xyz
ldap_group_name = uniqueMember
entry_cache_netgroup_timeout = 300
entry_cache_sudo_timeout = 300
ldap_sasl_mech = GSSAPI
ldap_force_upper_case_realm = True
ldap_krb5_keytab = /etc/krb5.keytab
krb5_keytab = /etc/krb5.keytab
krb5_realm = MSNET.RAILB.BE
krb5_ccachedir = /tmp
krb5_validate = True
krb5_auth_timeout = 15
ldap_sasl_authid = HOSTNAME$@MSNET.RAILB.BE
ldap_krb5_init_creds = true
debug_level = 5
I only have one problem: I have to create a "uid=HOSTNAME$" entry in my
LDAP servers, which is now objectClass account....
By default, OpenDJ makes a GSSAPI match based on regexp for UID.
But if I want to use objectClass ipHost/device, then cn is used instead of
uid.
Any idea what is the nicest solution here?
SSO also works perfectly between Linux hosts, but I can't succeed in using Putty
with my Windows credentials/ticket to sign on to the sssd-enabled hosts.
Sincerely, PieterB
Sorry, I'm not quite sure what the problem is. Do you need to look up
this special entry with cn instead of uid?
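An added check, not part of this thread: a small Python linter for the Kerberos/LDAP settings of the domain section quoted above (the sample config is constructed from the post, with the archive's "(a)" restored to "@"), plus a function that mimics the regex identity mapping the post describes for the GSSAPI bind identity. The default pattern and the uid attribute are assumptions about OpenDJ's identity mapper, not taken from the thread.

```python
"""Sanity-check the Kerberos/LDAP settings of an sssd.conf domain section."""
import configparser
import re

# Constructed sample: the essential keys of the domain section from the post,
# with the list archive's "(a)" obfuscation of "@" already restored.
SAMPLE_SSSD_CONF = """\
[domain/DOMAIN]
ldap_id_use_start_tls = True
ldap_schema = rfc2307bis
id_provider = ldap
auth_provider = krb5
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = HOSTNAME$@MSNET.RAILB.BE
krb5_realm = MSNET.RAILB.BE
krb5_validate = True
ldap_uri = ldap://xyz
"""

def check_domain(conf_text, section="domain/DOMAIN"):
    """Return a list of findings; an empty list means nothing to report."""
    cp = configparser.ConfigParser(interpolation=None)  # keep '$' literal
    cp.read_string(conf_text)
    d = cp[section]
    findings = []
    def truthy(key):
        return d.get(key, "false").strip().lower() in ("true", "1", "yes")
    # Plain ldap:// needs STARTTLS, otherwise identity lookups travel in clear.
    if d.get("ldap_uri", "").startswith("ldap://") and not truthy("ldap_id_use_start_tls"):
        findings.append("ldap_uri is ldap:// but ldap_id_use_start_tls is off")
    # Without krb5_validate, a forged KDC reply could satisfy the password check.
    if d.get("auth_provider") == "krb5" and not truthy("krb5_validate"):
        findings.append("krb5_validate is off; keytab-based KDC validation disabled")
    # GSSAPI bind identity must be principal@REALM with the configured realm.
    if d.get("ldap_sasl_mech", "").upper() == "GSSAPI":
        m = re.fullmatch(r"([^@]+)@([^@]+)", d.get("ldap_sasl_authid", ""))
        if not m:
            findings.append("ldap_sasl_authid is not of the form principal@REALM")
        elif m.group(2) != d.get("krb5_realm", ""):
            findings.append("ldap_sasl_authid realm differs from krb5_realm")
    return findings

def sasl_identity_filter(authid, attribute="uid"):
    """Mimic a regex identity mapper: strip the realm, search one attribute.
    Assumed default: '^([^@]+)@.*' -> '$1' matched against uid; for the
    ipHost/device entries in the post the attribute would be cn instead."""
    local = re.sub(r"^([^@]+)@.*$", r"\1", authid)
    # RFC 4515 escaping of the value; '$' in machine-account names is fine.
    escaped = "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in local)
    return "(%s=%s)" % (attribute, escaped)
```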