Thanks!
This is very interesting!
I was able to use the above settings and this solved my password
expiration problem with ldap and IPA.
e.g.
[domain/LDAP]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_schema = IPA
krb5_realm = EXAMPLE.NET
krb5_server = ipa-1b.ec2.example.net, ipa-1.example.net
ldap_uri = ldaps://ipa-1b.ec2.example.net, ldaps://ipa-1.example.net
ldap_user_search_base = dc=example,dc=net
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ipa/ca.crt
ldap_user_ssh_public_key = ipaSshPubKey
It is unclear if I need all the above settings since it's a mix of
ldap and krb5?
Without a keytab validation is not possible, that's not ideal.
So the above does seem to work, but other than it's not a full Kerberos
setup, what is "not ideal" about the setup?
I am still looking at the sudo options now.
Thanks so much for the suggestions! Very helpful!
On Thu, Aug 28, 2014 at 5:06 PM, Simo Sorce <simo(a)redhat.com> wrote:
> On Thu, 2014-08-28 at 22:28 +0200, Lukas Slebodnik wrote:
>> >So far this is working fine, with a minor issue around password
>> >expiration (a known issue).
>> >NOTE: The IPA server does not keep a list of hosts since we are not
>> >using the ipa-client / kerberos setup.
>> 1. you needn't register machine with ipa-client install (obtain
>> keytab)
>> if you want to use auth_provider krb5 and chpass_provider krb5
>> e.g.
>>
>> auth_provider = krb5
>> chpass_provider = krb5
>> krb5_realm = IPA.EXAMPLE.TEST
>> krb5_server = ipa-host.ipa.example.test
>
> Without a keytab validation is not possible, that's not ideal.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
>
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
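As an added check that is not part of the thread: a small Python audit of an sssd.conf domain section for the point Simo raises, krb5 authentication with no keytab to validate the TGT against. The two sample configs are constructed here from the posted settings (the wrapped values joined onto one line, and sssd's `ldap_tls_reqcert` used for the certificate check); `krb5_validate` and `krb5_keytab` are the sssd options that turn on TGT validation.

```python
import configparser

# Constructed sample: the mixed ldap/krb5 domain from the thread, assuming the
# values that wrapped in the mail were single lines in the real file.
POSTED_CONF = """
[domain/LDAP]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_schema = IPA
krb5_realm = EXAMPLE.NET
krb5_server = ipa-1b.ec2.example.net, ipa-1.example.net
ldap_uri = ldaps://ipa-1b.ec2.example.net, ldaps://ipa-1.example.net
ldap_user_search_base = dc=example,dc=net
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ipa/ca.crt
"""

# Constructed: the same domain once the host has a keytab, so sssd can check
# that the TGT it was handed came from a KDC that holds this host's key.
HARDENED_CONF = POSTED_CONF + "krb5_validate = true\nkrb5_keytab = /etc/krb5.keytab\n"


def audit_domain(conf_text):
    """Return a list of findings for every [domain/...] section in conf_text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for name in (s for s in cp.sections() if s.startswith("domain/")):
        d = cp[name]
        if d.get("auth_provider") == "krb5" and not d.getboolean("krb5_validate", fallback=False):
            # Without krb5_validate (and a keytab to validate against) sssd takes
            # the TGT on the KDC's say-so; this is the "not ideal" part.
            findings.append(f"{name}: krb5 auth without krb5_validate/keytab, TGT is not verified")
        if d.get("ldap_tls_reqcert", "hard").lower() in ("never", "allow"):
            findings.append(f"{name}: ldap_tls_reqcert={d['ldap_tls_reqcert']} skips LDAP certificate checks")
        uris = [u.strip() for u in d.get("ldap_uri", "").split(",") if u.strip()]
        if uris and not all(u.startswith("ldaps://") for u in uris) \
                and not d.getboolean("ldap_id_use_start_tls", fallback=False):
            findings.append(f"{name}: plain ldap:// URI without ldap_id_use_start_tls, lookups are unencrypted")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_domain(conf) or ["no findings"])
```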