Hi, this is my first post to this group, I hope someone can help me.
I'm interested in doing ID mapping and authentication against an LDAP server from a CentOS 6.5 box. The LDAP server (running IBM TDS afaik) is managed by a third party provider, so I can only make queries, not modifications.
I noted that there's no posixAccount objectClass in the LDAP users, so I wonder: how can I integrate those users using SSSD? This is an example of my domain:
[domain/custom.domain.com]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://directory.domain.com
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
#ldap_search_base = ""
ldap_id_use_start_tls = true
cache_credentials = false
enumerate = false
use_fully_qualified_names = false
#ldap_user_name = notesShortName
As you can see, I tried to use "ldap_user_name" but without luck. I'm concerned about entries that don't exist on the LDAP server like homeDirectory or loginShell. Can SSSD deal with those attributes not present?
I'd like to use just the credentials (user authentication) from the LDAP server to get my users logged into my Linux box.
I hope someone understands this scenario and is able to help me.
Thanks in advance.
Try man sssd-ldap
& things like ldap_user_object_class etc. Simply: yes, sssd supports custom attribute mapping.
O.

From: sssd-users-bounces@lists.fedorahosted.org on behalf of Jason Voorhees [jvoorhees1@gmail.com]
Sent: Wednesday, December 18, 2013 10:25 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] How to deal with non rfc2307 compliant schemas? (without posixAccount)
Thanks for your reply.
I thought something like that, but I have some questions:
- What schema should I do the mapping with? There are schemas like person, organizationalPerson, xxxPerson, but there's no schema that looks similar to posixAccount.
- There are no attributes like loginShell or homeDirectory in the schemas of this 3rd party LDAP server. Can SSSD allow users to log in without those attributes?
On Wed, Dec 18, 2013 at 4:31 PM, Ondrej Valousek ovalousek@vendavo.com wrote:
On Wed, Dec 18, 2013 at 04:25:22PM -0500, Jason Voorhees wrote:
Hi Jason,
I think we need a little more information. Can you post a result of an ldapsearch of a sample user (feel free to rename and obfuscate the entry).
In general, the posixAccount objectclass is not a hard requirement, but at present the users must either have a unique numeric ID or have a Windows SID to map the ID from.
Shell and home directory can be overridden on the client, as well as the primary GID number. The user ID, however, must either be present or mapped.
Thanks, that's a good idea. The contents of an example entry are here:
As you can see, the 'uid' attribute has an alphanumeric value. Could this be an issue?
On Wed, Dec 18, 2013 at 04:49:51PM -0500, Jason Voorhees wrote:
Thanks, that's very helpful.
Unfortunately, yes, that's an issue.
The user ID must be a 32-bit unsigned integer on a POSIX system. I don't see any attribute in the user entry that could be (ab)used as a user ID, sorry. I'm afraid one would need to be added on the LDAP side.
I'm sad about that :(
Is there a way to remove the leading 'P' in the 'uid' attribute so I can use the numeric value?
On 12/18/2013 05:37 PM, Jason Voorhees wrote:
AFAIU, since you can't touch the server, you can't do it with the stock SSSD. I see a couple of options here:
1) Add custom code to SSSD to transform the selected UID into a numeric ID. This should be a generic enough solution to have value for use cases like this in general to be accepted upstream. Patches welcome!
2) Use a custom fix for SSSD and do a custom build. This will leave you with the maintenance overhead, but it is for you to decide whether it is worth it.
3) Set up a "proxy" LDAP server using 389 or OpenLDAP; this server will either sync with or proxy to the server you have. This server can be controlled by you, and there you can map things the way you want using native LDAP server capabilities or by developing your own DS plugin that does what you need.
HTH
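The third option above, together with the earlier reply's point that the user ID must be a 32-bit unsigned integer while home directory, shell and primary GID can simply be defaulted, means the proxy directory has to synthesize posixAccount attributes from what the upstream directory holds. The following is an added example, not SSSD, 389 or OpenLDAP code: a Python model of that rewrite, in which the 'P'-prefixed uid format, the MIN_UID floor and the DEFAULT_* values are assumptions for illustration, and duplicate derived IDs (such as "P12345" and "P012345") are rejected rather than silently merged into one POSIX identity.

```python
import re
UID_PATTERN = re.compile(r"^P(\d+)$")  # assumed login-name format, e.g. "P12345" (constructed)
UINT32_MAX = 2 ** 32 - 1   # uid_t range SSSD requires: a 32-bit unsigned integer
MIN_UID = 1000             # assumed floor so derived IDs cannot shadow local system accounts
DEFAULT_GID = 10000        # assumed fixed primary group, the proxy-side analogue of override_gid
DEFAULT_SHELL = "/bin/bash"
HOME_TEMPLATE = "/home/{name}"

class MappingError(ValueError):
    """An entry cannot be mapped safely; fail closed rather than invent an ID."""

def derive_uid_number(login):
    """Strip the leading 'P' and validate the remainder as a usable uid_t."""
    match = UID_PATTERN.match(login)
    if match is None:
        raise MappingError("uid %r is not of the form P<digits>" % login)
    number = int(match.group(1))
    if not MIN_UID <= number <= UINT32_MAX:
        raise MappingError("uid %r maps to %d, outside [%d, %d]" % (login, number, MIN_UID, UINT32_MAX))
    return number

def to_posix_account(entry):
    """Return the rfc2307 attributes the proxy would present for one entry."""
    login = entry["uid"]  # the login name stays exactly as the directory has it
    return {
        "uid": login,
        "uidNumber": derive_uid_number(login),
        "gidNumber": DEFAULT_GID,
        "homeDirectory": HOME_TEMPLATE.format(name=login),
        "loginShell": DEFAULT_SHELL,
    }

def map_directory(entries):
    """Map every entry, refusing duplicate uidNumbers: logins sharing one uid_t
    (e.g. "P12345" and "P012345") are the same user to the kernel."""
    owner, accounts = {}, []
    for entry in entries:
        account = to_posix_account(entry)
        number = account["uidNumber"]
        if number in owner:
            raise MappingError("uidNumber %d of %r collides with %r" % (number, account["uid"], owner[number]))
        owner[number] = account["uid"]
        accounts.append(account)
    return accounts

# Constructed sample entries; not taken from the thread's real directory.
SAMPLE_ENTRIES = [
    {"uid": "P12345", "cn": "Jane Doe", "mail": "jane@example.com"},
    {"uid": "P20001", "cn": "John Roe", "mail": "john@example.com"},
]
```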
Thanks a lot. The third option could be the most appropriate for my scenario. I'll give it a try.
Bye :)
HTH

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio, Red Hat Inc.
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users