Hello everyone,
I made a configuration where I use Active Directory Kerberos as authentication source, but OpenDJ LDAP (Forgerock) as id_provider, sudo_provider etc....
I configured everything using the excellent tool msktutil, so no Samba or ktpass.exe involved....
Basically, this is my sssd.conf:
[domain/DOMAIN]
ldap_id_use_start_tls = True
ldap_schema = rfc2307bis
ldap_search_base = dc=xyz
id_provider = ldap
access_provider = ldap
ldap_access_filter = isMemberOf=zyx
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://xyz
cache_credentials = true
sudo_provider = ldap
ldap_sudo_search_base = ou=xyz
ldap_netgroup_search_base = ou=xyz
ldap_group_name = uniqueMember
entry_cache_netgroup_timeout = 300
entry_cache_sudo_timeout = 300
ldap_sasl_mech = GSSAPI
ldap_force_upper_case_realm = True
ldap_krb5_keytab = /etc/krb5.keytab
krb5_keytab = /etc/krb5.keytab
krb5_realm = MSNET.RAILB.BE
krb5_ccachedir = /tmp
krb5_validate = True
krb5_auth_timeout = 15
ldap_sasl_authid = HOSTNAME$@MSNET.RAILB.BE
ldap_krb5_init_creds = true
debug_level = 5
I only have one problem: I have to create a "uid=HOSTNAME$" entry in my LDAP servers, which is now objectClass account....
By default, OpenDJ makes a GSSAPI match based on regexp for UID.
But if I want to use objectClass ipHost/device, then cn is used instead of uid.
Any idea what is the nicest solution here?
SSO works perfectly between Linux hosts also, but I can't succeed using PuTTY to use my Windows credentials/ticket to sign on to the sssd enabled hosts.
Sincerely, PieterB
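An added illustration (not code from the thread or from OpenDJ/Forgerock) of the uid-versus-cn mapping Pieter describes: a small Python model of a regular-expression identity mapper that turns the SASL GSSAPI authorization id into an LDAP search filter. It assumes the mapper's regex, replacement and match-attribute settings, and Python's `re` replacement syntax stands in for the product's own configuration syntax.

```python
import re

# Added example, not from the thread or from OpenDJ: models what a
# regular-expression identity mapper does with the SASL GSSAPI authorization
# id "HOSTNAME$@MSNET.RAILB.BE" from the sssd.conf above.  Assumptions:
# the mapper strips the realm with a regex and searches one or more match
# attributes under a base DN; Python's re replacement syntax (\1) is used
# instead of OpenDJ's own configuration syntax.

PRINCIPAL = "HOSTNAME$@MSNET.RAILB.BE"  # constructed sample, as in the config


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a mapped name must not be able to alter the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def map_identity(authzid, match_attributes=("uid",), base_dn="dc=xyz",
                 match_pattern=r"^([^@]+)@(.+)$", replace_pattern=r"\1"):
    """Return (mapped name, search base, filter), or None when the id does
    not match the pattern (a mapper then rejects the bind)."""
    m = re.match(match_pattern, authzid)
    if m is None:
        return None
    name = m.expand(replace_pattern)
    clauses = "".join(
        "(%s=%s)" % (attr, escape_filter_value(name)) for attr in match_attributes
    )
    ldap_filter = clauses if len(match_attributes) == 1 else "(|%s)" % clauses
    return name, base_dn, ldap_filter


def default_mapping():
    """The default described in the thread: the principal is matched on uid only."""
    return map_identity(PRINCIPAL)


def host_entry_mapping():
    """A mapping that also finds a cn=HOSTNAME$ ipHost/device entry."""
    return map_identity(PRINCIPAL, match_attributes=("uid", "cn"))


if __name__ == "__main__":
    print(default_mapping())     # ('HOSTNAME$', 'dc=xyz', '(uid=HOSTNAME$)')
    print(host_entry_mapping())  # ('HOSTNAME$', 'dc=xyz', '(|(uid=HOSTNAME$)(cn=HOSTNAME$))')
```

The trailing `$` of a machine account is not an LDAP filter metacharacter, so the host principal maps cleanly either way; the escaping only matters for names that come from less controlled sources.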
On Thu, Oct 31, 2013 at 03:04:39PM +0100, Pieter Baele wrote:
Sorry, I'm not quite sure what the problem is? Do you need to look up this special entry with cn instead of uid?
On 10/31/2013 02:46 PM, Jakub Hrozek wrote:
On Thu, Oct 31, 2013 at 03:04:39PM +0100, Pieter Baele wrote:
I did not comment because I thought it was just me whom it confused. It seems that there is some sort of OpenDJ problem, limitation or config issue. I do not think we quite understand the problem and how we can help.
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Hi Pieter,
You may have a look there: https://bugster.forgerock.org/jira/browse/OPENDJ-521
--- Olivier
2013/10/31 Pieter Baele pieter.baele@gmail.com