HI!
Is it possible to have an auth-only domain in sssd.conf?
Something like this:
[domain/LDAP-ID]
id_provider = ldap
ldap_search_base = ou=stuff,dc=mydomain,dc=org
...

[domain/LDAP-AUTHC]
auth_provider = ldap
ldap_search_base = ou=virtual,dc=mydomain,dc=org
...
The idea is to let sssd search the map data beneath naming context ou=stuff,dc=mydomain,dc=org but use ou=authc-virtual,dc=mydomain,dc=org only for authentication via LDAP simple bind with a hard-coded pattern like:
bind DN: uid=$user,ou=virtual,dc=mydomain,dc=org
Note that the user name would be the same in both naming contexts.
So sssd would not have to search in ou=virtual,dc=mydomain,dc=org to make use of it.
Ciao, Michael.
On Mon, Sep 21, 2015 at 07:48:13PM +0200, Michael Ströder wrote:
> HI!
> Is it possible to have an auth-only domain in sssd.conf?
> Something like this:
>
> [domain/LDAP-ID]
> id_provider = ldap
> ldap_search_base = ou=stuff,dc=mydomain,dc=org
> ...
>
> [domain/LDAP-AUTHC]
> auth_provider = ldap
> ldap_search_base = ou=virtual,dc=mydomain,dc=org
> ...
>
> The idea is to let sssd search the map data beneath naming context ou=stuff,dc=mydomain,dc=org but use ou=authc-virtual,dc=mydomain,dc=org only for authentication via LDAP simple bind with a hard-coded pattern like:
> bind DN: uid=$user,ou=virtual,dc=mydomain,dc=org
> Note that the user name would be the same in both naming contexts.
> So sssd would not have to search in ou=virtual,dc=mydomain,dc=org to make use of it.
> Ciao, Michael.
Currently, this is not possible, or at least not easy. SSSD actually tries to match the identity and authentication objects 1:1 -- so when an object is retrieved, its originalDN is cached and later the password bind (that actually verifies the password) searches the originalDN using the user's credentials.
What could maybe work (although I haven't tested that at all) is a combination of proxy for id and ldap for auth:

id_provider = proxy
proxy_lib_name = ldap # Or any other, the point is to make sure we only use NSS calls to retrieve identity data
auth_provider = ldap
ldap_search_base = ou=virtual,dc=mydomain,dc=org
Then, during identity request, SSSD would just proxy getpwnam to the proxy_lib_name library, which would result in cached entries having no originalDN. As a consequence, authentication code would search the entry in the search base from the only 'native' provider which is auth_provider=ldap.
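The question proposes filling a hard-coded template (uid=$user,ou=virtual,...) instead of binding with the cached originalDN that the reply describes. The following is an added illustration, not code from the thread or from SSSD, of the one caveat such a template carries: the substituted user name must be escaped per RFC 4514, otherwise a name containing DN metacharacters changes which entry the simple bind targets. The base DN and the naive_bind_dn/build_bind_dn names are assumptions for the example.

```python
# Added example (not from the thread or SSSD): escaping a user name before
# substituting it into the "uid=$user,<base>" bind-DN template from the question.

DN_SPECIAL = {',', '+', '"', '\\', '<', '>', ';', '='}


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 rules)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL or (ch == '#' and i == 0) or (ch == ' ' and i in (0, last)):
            out.append('\\' + ch)           # backslash-escape special characters
        elif ord(ch) < 0x20:
            out.append('\\%02x' % ord(ch))  # hex-escape control characters
        else:
            out.append(ch)
    return ''.join(out)


def naive_bind_dn(user: str, base: str = "ou=virtual,dc=mydomain,dc=org") -> str:
    """Plain string substitution: what the template reads like if taken literally."""
    return "uid=%s,%s" % (user, base)


def build_bind_dn(user: str, base: str = "ou=virtual,dc=mydomain,dc=org") -> str:
    """Same template, but the user name is escaped so it stays a single RDN value."""
    if not user or '\x00' in user:
        raise ValueError("invalid user name")
    return "uid=%s,%s" % (escape_rdn_value(user), base)


def rdn_count(dn: str) -> int:
    """Count RDNs in a DN string, treating backslash-escaped commas as value data."""
    count, i = 1, 0
    while i < len(dn):
        if dn[i] == '\\':
            i += 2          # skip the escaped character
            continue
        if dn[i] == ',':
            count += 1
        i += 1
    return count
```

With a user name such as "alice,ou=admins" the naive template yields a five-RDN DN while the escaped one keeps the four RDNs of the intended base, which is the property an auth-only template would have to guarantee.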
sssd-users@lists.fedorahosted.org