On 10 Aug 2018, at 02:29, Andre Piwoni <apiwoni(a)webmd.net>
wrote:
Hi Jakub,
Here's my use case:
I'm running Pgpool-II mainly for load balancing requests to PostgreSQL
servers. While PgPool-II supports LDAP(AD) or GSSAPI/Kerberos, which I
have working, I need PgPool authentication which supports LDAP(AD) via
PAM module. PostgreSQL authorization does not utilize LDAP(AD) but
database permissions so LDAP(AD) memberships etc. are not needed.
cat /etc/pam.d/pgpool
#%PAM-1.0
auth required pam_sss.so
account required pam_sss.so
In addition to auth_provider now I have configured id_provider to be
LDAP and I managed to get things to work after setting ldap_id_mapping
= true. I'm trying to avoid joining the domain, which is why I'm using LDAP
for AD.
One thing that I had to do was to configure ldap_default_bind_dn and
ldap_default_authtok, which sucks because I don't want to expose the
password for some admin account in a file. I should be able to get basic
info about the user with the provided credentials using a simple
non-anonymous bind, as I've done in other projects.
I’m not sure this is permitted by AD by default. I think AD requires you to authenticate
in one way or another.
What is odd is that search queries are performed first and then PAM
authentication with simple bind is done last.
In addition, the number of LDAP queries for my simple case is excessive.
5 LDAP queries on objectClass=group for memberships even though I set
ldap_group_nesting_level = 0. I have my memberships in memberOf
attribute.
This might be
https://pagure.io/SSSD/sssd/issue/3425 ?
1 LDAP query on objectClass=group for ObjectSID
1 LDAP query for my user info
2 LDAP queries for other stuff on objectClass=*
Is there a way to avoid using ldap_default_bind_dn and
ldap_default_authtok for LDAP?
For generic LDAP yes, as a matter of fact, this is the default, but the client can only do
what the server allows it to do.
If so, does it mean that the user to be
authenticated has to have enough permissions to do searches in AD via
LDAP?
Thank you,
Andre
On Thu, Aug 9, 2018 at 1:19 PM Jakub Hrozek <jhrozek(a)redhat.com> wrote:
>
> On Thu, Aug 09, 2018 at 10:06:52AM -0700, Andre Piwoni wrote:
>> There does not seem to be much documentation how to make
>> authentication work without any extras. All I need is a simple
>> non-anonymous bind using provided credentials without any searches. My
>> understanding is that I don't need NSS for this only PAM with
>> auth_provider set to ldap. However, without id_provider set in
>> sssd.conf SSSD does not start at all. This has been reported as a bug
>> and has supposedly been fixed before the SSSD 1.16.0 version that I'm
>> using. I have tried to set id_provider to none but I'm getting some
>> indications in logs that id provider is needed. Is it possible to do
>> simple non-anonymous bind without anything extra, not even chpass?
>
> I'm not sure this is possible. One of the core design decisions of SSSD
> was that a domain ties authentication and identity source -- so you do
> need an id_provider to fetch the identity from somewhere.
>
> That somewhere might not be the same server or not a remote server at
> all, there is also the proxy id_provider that is able to wrap any nss
> module, but there needs to be some ID provider.
>
> What is the use-case you are trying to solve?
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahost...
--
Andre Piwoni
Sr. Software Developer, BI/Database
WebMD Health Services
Mobile: 801.541.4722
www.webmdhealthservices.com
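Editor's note (added example, not part of the thread and not Andre's or the SSSD project's own configuration): the setup Andre describes, a generic LDAP provider pointed at AD without a domain join, identities mapped from objectSID and a service-account bind for the searches, corresponds to an sssd.conf roughly like the one below. The domain name, host, search base and bind DN are placeholders I made up. The SSSD options themselves (id_provider, auth_provider, ldap_schema, ldap_id_mapping, ldap_default_bind_dn, ldap_default_authtok_type, ldap_group_nesting_level, ldap_referrals) are documented in sssd-ldap(5); sss_obfuscate(8) is the tool that writes an obfuscated authtok so the bind password is not stored in clear text. Obfuscation is reversible by design (sssd has to recover the password to bind), so it only protects against casual reading; the real control is that sssd.conf must be owned by root with mode 0600, which sssd enforces before it starts.

```ini
# /etc/sssd/sssd.conf (assumed, illustrative; chmod 0600, chown root:root)
[sssd]
config_file_version = 2
# Only the PAM responder is needed for the pgpool use case in the thread;
# the nss responder is omitted because no OS-level user lookups are required.
services = pam
domains = example.com

[domain/example.com]
# Generic LDAP provider against AD, no domain join (no AD provider, no Kerberos).
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://dc1.example.com
ldap_search_base = DC=example,DC=com
# AD object layout: sAMAccountName, objectSID, memberOf
ldap_schema = ad
# Map POSIX UIDs/GIDs from objectSID instead of requiring uidNumber/gidNumber in AD
ldap_id_mapping = true
# AD returns referrals for other partitions; chasing them adds slow, failing queries
ldap_referrals = false
# Only direct memberships (memberOf); don't walk nested groups
ldap_group_nesting_level = 0

# Service account used for the identity searches that precede the user's own bind.
# AD does not allow anonymous searches by default, so some bind identity is needed;
# give this account read-only rights and nothing else.
ldap_default_bind_dn = CN=sssd-bind,OU=Service Accounts,DC=example,DC=com
# Instead of a clear-text authtok, run `sss_obfuscate -d example.com` as root;
# it writes ldap_default_authtok for you and sets the type below.
ldap_default_authtok_type = obfuscated_password
# ldap_default_authtok = <written by sss_obfuscate, do not hand-edit>

# Validate the DC's certificate; a bind over LDAPS without CA validation sends the
# service-account password to whoever answers on 636.
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_tls_reqcert = demand
```

Usage note: after editing, run `sss_obfuscate -d example.com` (it prompts for the bind password and rewrites sssd.conf), then `systemctl restart sssd` and test with `pamtester pgpool <user> authenticate` or an equivalent PAM client. If the search-before-bind behaviour is still a concern, the remaining option is to move the identity lookups to a different id_provider (for example the proxy provider wrapping a local nss module, as Jakub mentions) so the LDAP backend is used for authentication only; that still requires the bind credentials for whatever the id_provider queries.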