Hello everyone,

I made a configuration where I use Active Directory Kerberos as authentication source,
but OpenDJ LDAP (Forgerock) as id_provider, sudo_provider etc....

I configured everything using the excellent tool msktutil, so no Samba or ktpass.exe involved....

Basically, this is my sssd.conf:

ldap_id_use_start_tls = True
ldap_schema = rfc2307bis
ldap_search_base = dc=xyz
id_provider = ldap
access_provider = ldap
ldap_access_filter = isMemberOf=zyx
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://xyz
cache_credentials = true
sudo_provider = ldap
ldap_sudo_search_base = ou=xyz
ldap_netgroup_search_base = ou=xyz
ldap_group_name = uniqueMember
entry_cache_netgroup_timeout = 300
entry_cache_sudo_timeout = 300
ldap_sasl_mech = GSSAPI
ldap_force_upper_case_realm = True
ldap_krb5_keytab = /etc/krb5.keytab
krb5_keytab = /etc/krb5.keytab
krb5_realm = MSNET.RAILB.BE
krb5_ccachedir = /tmp
krb5_validate = True
krb5_auth_timeout = 15
ldap_sasl_authid = HOSTNAME$@MSNET.RAILB.BE
ldap_krb5_init_creds = true
debug_level = 5

I only have one problem: I have to create a "uid=HOSTNAME$" entry in my LDAP servers, which is now objectClass account....

By default, OpenDJ makes a GSSAPI match based on regexp for UID.

But if I want to use objectClass ipHost/device, then cn is used instead of uid.

Any idea what is the nicest solution here?

SSO works perfect between Linux hosts also, but I can't succeed using Putty to use my Windows credentials/ticket to sign on to the sssd enabled hosts.

Sincerely, PieterB