On Mon, Apr 20, 2020 at 08:39:33PM -0000, Michael Dahlberg wrote:

I'm attempting to setup SSSD using AD as the id provider. All the documentation that I've found results in the linux system joining the AD domain when configuring sssd in this manner. I would like to configure sssd running on RHEL to just do authorization (access_provider) against the AD domain and *not* actually join the AD

Hi,

based on which information do you want to do the access control? Group-memberships?

AD requires authentication, so if you want to read something from AD you need credentials. Typically you get them during the join, but you can use a service account as well and use 'ldap_default_bind_dn' and 'ldap_default_authtok' (see man sssd-ldap for details).

domain. I assume that this would mean I should not set "access_provider = ad". Instead should this value be set to ldap?

If I configure sssd to use LDAP as the access provider, how would I address the Active Directory domain ad.example.com using the "ldap://" notation? Would there be any other changes that I would need to

I would recommend to not set 'ldap_uri' at all, in this case SSSD will use DNS SRV lookups to find LDAP servers in you domain. You might need the 'dns_discovery_domain' option (see man ssssd.conf) if the domain name given in the [domain/your.domain.name] section header does not match the name of the AD domain.

HTH

bye, Sumit

address in the sssd.conf examples that use ldap as the access provider? _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...