Hello.
I'm using an LDAP server for authentication/identification of users. I've set its ACIs so that every user can only access its own data. But now I have a problem in sssd clients: I should put the correct ldap_default_bind_dn value to make the request, a value which should be dynamic as it's typed on gdm/login/ssh/whatever. How can I do that? I don't want to write the admin's cn (and password!) in the clients' sssd.conf files! Thanks!!
P.S: I've asked the same topic in https://serverfault.com/questions/993030/how-to-have-a-dynamic-ldap-default-... but sadly there's no answer....
On Sun, Nov 24, 2019 at 06:07:06PM -0000, Oscar Torrente wrote:
> Hello.
> I'm using an LDAP server for authentication/identification of users. I've set its ACIs so that every user can only access its own data. But now I have a problem in sssd clients: I should put the correct ldap_default_bind_dn value to make the request, a value which should be dynamic as it's typed on gdm/login/ssh/whatever. How can I do that? I don't want to write the admin's cn (and password!) in the clients' sssd.conf files!
Hi,
this won't work mainly because e.g. sshd will try to look up the user in LDAP before you are prompted for the password, and if the user cannot be found authentication will fail.
You do not have to use the admin DN here; it would be sufficient to have a service account which can read the needed RFC2307 or RFC2307bis attributes from the users and groups.
bye, Sumit
> Thanks!!
> P.S: I've asked the same topic in https://serverfault.com/questions/993030/how-to-have-a-dynamic-ldap-default-... but sadly there's no answer....
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Ok. So what you suggest is applying an ACI to all needed attributes for all users/groups nodes in the LDAP directory to give this special account read permission over them, isn't it? I should obfuscate its password in the sssd.conf file, though, but it makes sense. Thanks a lot!!
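The read-only service account Sumit describes and the per-attribute ACI Oscar asks about, as an added example that is not part of this thread: a 389 Directory Server ACI (the directory whose ACI syntax matches the thread's terminology; other servers use a different access-control syntax) that lets a dedicated, otherwise unprivileged bind account read exactly the RFC2307bis attributes SSSD needs for user and group lookups. The DNs, the account name and the attribute lists are assumptions for illustration.

```ldif
# Added example, not from the thread. Load with an administrative bind, e.g.:
#   ldapmodify -x -D "cn=Directory Manager" -W -f sssd-reader-aci.ldif
# Everything not listed under targetattr stays denied for this account, so
# userPassword and any write access are never granted. Continuation lines
# carry two leading spaces: LDIF strips one, the other keeps the tokens apart.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///ou=people,dc=example,dc=com")
  (targetattr = "objectClass || uid || cn || uidNumber || gidNumber || gecos || homeDirectory || loginShell")
  (version 3.0; acl "sssd service account: read user attributes";
  allow (read, search, compare)
  userdn = "ldap:///cn=sssd-reader,ou=services,dc=example,dc=com";)
-
add: aci
aci: (target = "ldap:///ou=groups,dc=example,dc=com")
  (targetattr = "objectClass || cn || gidNumber || member || memberUid")
  (version 3.0; acl "sssd service account: read group attributes";
  allow (read, search, compare)
  userdn = "ldap:///cn=sssd-reader,ou=services,dc=example,dc=com";)
```

On each client, point sssd.conf at this account with ldap_default_bind_dn = cn=sssd-reader,ou=services,dc=example,dc=com, ldap_default_authtok_type = obfuscated_password and an ldap_default_authtok written by sss_obfuscate -d <domain>. Obfuscation only keeps the secret out of plain sight, so the account's narrow read-only ACI is what limits the damage if a client's sssd.conf is ever exposed.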
On the 2019-11-25 at 11:41 Oscar Torrente wrote:
> Ok. So what you suggest is applying an ACI to all needed attributes for all users/groups nodes in the LDAP directory to give this special account read permission over them, isn't it? I should obfuscate its password in the sssd.conf file, though, but it makes sense. Thanks a lot!!
I'm in the same boat. Though, I was able to help myself by setting up a special "no permissions" user that has only read access to all the hidden LDAP users. With the help of this special account and this patch ( https://www.mail-archive.com/sssd-users@lists.fedorahosted.org/msg06876.html ), I was able to use the existing ldap_default_bind_dn and ldap_default_authtok properties to do the user discovery, and with this everything just worked.
Regards, Christian
On Fri, Dec 06, 2019 at 01:11:26PM +0100, Christian Lamparter wrote:
> On the 2019-11-25 at 11:41 Oscar Torrente wrote:
> > Ok. So what you suggest is applying an ACI to all needed attributes for all users/groups nodes in the LDAP directory to give this special account read permission over them, isn't it? I should obfuscate its password in the sssd.conf file, though, but it makes sense. Thanks a lot!!
> I'm in the same boat. Though, I was able to help myself by setting up a special "no permissions" user that has only read access to all the hidden LDAP users. With the help of this special account and this patch ( https://www.mail-archive.com/sssd-users@lists.fedorahosted.org/msg06876.html ), I was able to use the existing ldap_default_bind_dn and ldap_default_authtok properties to do the user discovery, and with this everything just worked.
Hi,
thanks for making me aware of this patch. I was thinking about a similar issue recently. It is currently not possible with the configuration scheme SSSD is using to unset an option. As a result, if ldap_sasl_mech is set to a default value by a provider it cannot be unset.
My idea is to define a special keyword like e.g. 'SSSD_NO_SASL_MECH' which can be used with ldap_sasl_mech to make sure that SASL is not used.
Do you think this would work for you as well?
bye, Sumit
> Regards, Christian