Hi,
We are trying to use the Active Directory site discovery feature for our SSSD configuration. Our Domain Controllers are running on Windows 2016 / 2019. We are not joining our Linux machines to the AD domain and use the following sssd domain configuration.
[domain/default]
auth_provider = krb5
cache_credentials = True
chpass_provider = krb5
dns_discovery_domain = NORWAY._sites.AD.MYDOMAIN.COM
debug_level = 7
enumerate = False
id_provider = ldap
krb5_realm = AD.MYDOMAIN.COM
ldap_default_authtok = xxxx
ldap_default_authtok_type = obfuscated_password
ldap_default_bind_dn = xxxx
ldap_schema = ad
ldap_search_base = ou=base,dc=ad,dc=mydomain,dc=com
use_fully_qualified_names = False
ldap_id_mapping = True
default_shell = /bin/bash
ldap_tls_cacertdir = /etc/openldap/certs
ldap_user_fullname = displayName
ldap_user_gecos = displayName
ldap_user_objectsid = objectSid
ldap_group_objectsid = objectSid
ldap_use_tokengroups = False
ignore_group_members = true
With site discovery it is able to find the nearest domain controller, but it is trying to connect to the LDAP server on port 389. Our domain controllers only allow connections on port 636, so the requests from the Linux servers are getting rejected.
If I directly configure the domain controller names in the ldap_uri setting like below and remove the site discovery configuration, everything works fine.
ldap_uri = ldaps://mydc.mydomain.com
But we don't want to hard-code our domain controllers in the configuration. Is there a way to use the AD site discovery feature with ldaps?
Thanks for your time.
Regards, //Vjay
MS sets up _ldap._tcp SRV records only, not _ldaps._tcp records. You can add _ldaps._tcp records manually and that should work.
Chris Paul Rex Consulting, Inc email: chris.paul@rexconsulting.net web: http://www.rexconsulting.net phone, toll-free: +1 (888) 403-8996 ext 1
On 8/28/20 3:19 AM, Vjay wrote:
Hi Chris,
Thanks for your reply. Yes, we have configured that in our test environment and this is what we were looking for.
On Mon, Aug 31, 2020 at 09:42:03AM -0000, Vjay wrote:
Hi,
glad to hear it is working for you and thanks Chris for the suggestion.
Just to make sure this will work for others reading this thread I guess you have added
ldap_dns_service_name = ldaps
to sssd.conf to make sure SSSD is using '_ldaps._tcp....' instead of the default '_ldap._tcp....' for the DNS SRV requests.
bye, Sumit
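An added check, not part of this thread or of SSSD's own code, that parses an sssd.conf fragment like the one above, builds the SRV owner name SSSD will query, and verifies that SRV answers all advertise port 636 (so _ldap._tcp records copied to _ldaps._tcp without changing the port are caught). It assumes the '_<service>._tcp.<dns_discovery_domain>' naming described in the thread and a default service name of 'ldap'; the record data and hostnames are constructed.

```python
import configparser
from typing import List, NamedTuple
# Constructed sssd.conf fragment modelled on the thread: a site-scoped
# discovery domain plus the ldap_dns_service_name override Sumit mentions.
SSSD_CONF = """[domain/default]
id_provider = ldap
dns_discovery_domain = NORWAY._sites.AD.MYDOMAIN.COM
ldap_dns_service_name = ldaps
"""

class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str

def srv_query_name(conf_text: str, domain: str = "default") -> str:
    """Owner name SSSD queries: _<service>._tcp.<dns_discovery_domain>.
    Assumption: the service defaults to 'ldap' when ldap_dns_service_name
    is unset, which is why the thread's DCs were being contacted on 389."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    section = cfg[f"domain/{domain}"]
    service = section.get("ldap_dns_service_name", "ldap")
    return f"_{service}._tcp.{section['dns_discovery_domain'].rstrip('.')}"

def ordered_targets(records: List[SrvRecord]) -> List[SrvRecord]:
    """RFC 2782 preference: lowest priority first, then highest weight."""
    return sorted(records, key=lambda r: (r.priority, -r.weight))

def check_ldaps_records(records: List[SrvRecord], port: int = 636) -> List[str]:
    """Records that would steer SSSD away from the LDAPS port (empty = all good)."""
    if not records:
        return ["no SRV records returned: site-based discovery finds no DC"]
    return [f"{r.target} advertises port {r.port}, expected {port}"
            for r in records if r.port != port]

# Constructed answers: a correct _ldaps._tcp set, and one where the
# _ldap._tcp records were copied without changing the port to 636.
GOOD_RECORDS = [SrvRecord(0, 100, 636, "dc1.ad.mydomain.com"),
                SrvRecord(0, 50, 636, "dc2.ad.mydomain.com"),
                SrvRecord(10, 100, 636, "dc-backup.ad.mydomain.com")]
BAD_RECORDS = [SrvRecord(0, 100, 389, "dc1.ad.mydomain.com"),
               SrvRecord(0, 100, 636, "dc2.ad.mydomain.com")]

if __name__ == "__main__":
    print("SSSD will query:", srv_query_name(SSSD_CONF))
    for label, recs in (("good", GOOD_RECORDS), ("bad", BAD_RECORDS)):
        print(label, check_ldaps_records(ordered_targets(recs)) or "OK")
```

On a real client, feed the answers from 'dig SRV <name>' for the printed name into check_ldaps_records to confirm every DC in the site is published on 636.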
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...