On Fri, Dec 06, 2019 at 10:26:13AM -0000, Jasper Siepkes wrote:
Hi all!
As far as I can tell the option 'ldap_sasl_mech = gssapi' in sssd.conf always makes LDAP use a Kerberos keytab for LDAP searches. As far as I can tell there is no way to use the user's Kerberos credentials? I think this design comes from how Windows does it with AD?
I would like to use the Kerberos credentials of the user who has just logged in instead. Maybe I'm somewhat paranoid or missing something, but I'm not really comfortable with hundreds of hosts / machines with keytabs on them which give access to LDAP. Extracting that keytab from a machine is not that hard I think. I think in most use-cases the user only needs to be able to see LDAP entries (i.e. other users with privacy-sensitive information like names and other GDPR-problematic data) which LDAP ACIs allow them.
Is there currently a way to configure SSSD in such a way?
Hi,
there was a similar question recently at https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted....
To cut it short, this is not possible because many login programs need information about the user before the password or other credentials are available.
bye, Sumit
Kind regards,
Jasper