Hi Pieter,
You may have a look there: https://bugster.forgerock.org/jira/browse/OPENDJ-521
--- Olivier
2013/10/31 Pieter Baele <pieter.baele@gmail.com>
Hello everyone,
I made a configuration where I use Active Directory Kerberos as the authentication source, but OpenDJ LDAP (ForgeRock) as id_provider, sudo_provider, etc.
I configured everything using the excellent tool msktutil, so no Samba or ktpass.exe was involved.
Basically, this is my sssd.conf:
[domain/DOMAIN]
ldap_id_use_start_tls = True
ldap_schema = rfc2307bis
ldap_search_base = dc=xyz
id_provider = ldap
access_provider = ldap
ldap_access_filter = isMemberOf=zyx
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://xyz
cache_credentials = true
sudo_provider = ldap
ldap_sudo_search_base = ou=xyz
ldap_netgroup_search_base = ou=xyz
ldap_group_name = uniqueMember
entry_cache_netgroup_timeout = 300
entry_cache_sudo_timeout = 300
ldap_sasl_mech = GSSAPI
ldap_force_upper_case_realm = True
ldap_krb5_keytab = /etc/krb5.keytab
krb5_keytab = /etc/krb5.keytab
krb5_realm = MSNET.RAILB.BE
krb5_ccachedir = /tmp
krb5_validate = True
krb5_auth_timeout = 15
ldap_sasl_authid = HOSTNAME$@MSNET.RAILB.BE
ldap_krb5_init_creds = true
debug_level = 5
I only have one problem: I have to create a "uid=HOSTNAME$" entry in my LDAP servers, which is currently of objectClass account.
By default, OpenDJ makes a GSSAPI match based on regexp for UID.
But if I want to use objectClass ipHost/device, then cn is used instead of uid.
Any idea what is the nicest solution here?
SSO works perfectly between Linux hosts as well, but I can't succeed in using PuTTY with my Windows credentials/ticket to sign on to the sssd-enabled hosts.
Sincerely, PieterB
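As an added example (not part of the thread above and not sssd or OpenDJ code), here is a small Python checker for the kind of sssd.conf posted in the message. It parses the [domain/...] section with configparser and flags the settings a reviewer would look at first: a plain ldap:// URI without ldap_id_use_start_tls, a ldap_sasl_authid whose realm does not match krb5_realm, a GSSAPI bind with no keytab, two keytab options pointing at different files, and krb5_validate left off (which means the TGT is not checked against the host keytab). The embedded configuration is a constructed subset of the one in the message; the hostname, base DNs and realm are taken from the post as written.

```python
import configparser

# Constructed sample input: a subset of the sssd.conf from the message, one key per line.
SAMPLE_CONF = """\
[domain/DOMAIN]
ldap_id_use_start_tls = True
ldap_schema = rfc2307bis
ldap_search_base = dc=xyz
id_provider = ldap
access_provider = ldap
ldap_access_filter = isMemberOf=zyx
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://xyz
cache_credentials = true
sudo_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_force_upper_case_realm = True
ldap_krb5_keytab = /etc/krb5.keytab
krb5_keytab = /etc/krb5.keytab
krb5_realm = MSNET.RAILB.BE
krb5_validate = True
ldap_sasl_authid = HOSTNAME$@MSNET.RAILB.BE
debug_level = 5
"""


def parse_domain(text):
    """Return (section_name, options) for the first [domain/...] section in an sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None)  # '$' in HOSTNAME$ must not be interpolated
    cp.read_string(text)
    for name in cp.sections():
        if name.startswith("domain/"):
            return name, {k: v.strip() for k, v in cp[name].items()}
    raise ValueError("no [domain/...] section found")


def truthy(value):
    """sssd accepts True/true/yes/1 for boolean options."""
    return value.strip().lower() in ("true", "yes", "1")


def lint_domain(opts):
    """Return a list of (severity, message) tuples; severity is 'error' or 'warning'."""
    findings = []

    # Identity lookups over ldap:// with no StartTLS travel in cleartext.
    uri = opts.get("ldap_uri", "")
    if uri.startswith("ldap://") and not truthy(opts.get("ldap_id_use_start_tls", "false")):
        findings.append(("error", "ldap:// URI without ldap_id_use_start_tls: lookups are unencrypted"))

    if opts.get("ldap_sasl_mech", "").upper() == "GSSAPI":
        if not opts.get("ldap_krb5_keytab"):
            findings.append(("warning", "GSSAPI bind configured but no ldap_krb5_keytab set"))
        # The realm in ldap_sasl_authid must be the realm sssd obtains tickets from.
        authid = opts.get("ldap_sasl_authid", "")
        realm = opts.get("krb5_realm", "")
        if "@" in authid and realm:
            authid_realm = authid.rsplit("@", 1)[1]
            if authid_realm.upper() != realm.upper():
                findings.append(("error", f"ldap_sasl_authid realm {authid_realm} differs from krb5_realm {realm}"))

    # Both keytab options normally point at the same file holding the host principal.
    k_ldap, k_krb = opts.get("ldap_krb5_keytab"), opts.get("krb5_keytab")
    if k_ldap and k_krb and k_ldap != k_krb:
        findings.append(("warning", f"ldap_krb5_keytab ({k_ldap}) and krb5_keytab ({k_krb}) differ"))

    # krb5_validate makes sssd verify the TGT with the host keytab, so a spoofed KDC cannot log users in.
    if opts.get("auth_provider") == "krb5" and not truthy(opts.get("krb5_validate", "false")):
        findings.append(("warning", "krb5_validate is off: TGT is not checked against the host keytab"))

    return findings


def has_errors(findings):
    return any(severity == "error" for severity, _ in findings)


if __name__ == "__main__":
    section, options = parse_domain(SAMPLE_CONF)
    for severity, message in lint_domain(options) or [("ok", "no findings")]:
        print(f"{section}: {severity}: {message}")
```

Point the script at a real file by reading it and passing the text to parse_domain; the checks are deliberately conservative (only the realm mismatch and the cleartext URI are errors) so that a clean configuration like the one posted produces no output.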
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users