I'm attempting to set up SSSD using AD as the id provider. All the documentation that I've found results in the Linux system joining the AD domain when configuring sssd in this manner. I would like to configure sssd running on RHEL to just do authorization (access_provider) against the AD domain and *not* actually join the AD domain. I assume that this would mean I should not set "access_provider = ad". Instead, should this value be set to ldap?
If I configure sssd to use LDAP as the access provider, how would I address the Active Directory domain ad.example.com using the "ldap://" notation? Would there be any other changes that I would need to address in the sssd.conf examples that use ldap as the access provider?
You have to join AD in order to perform authorization tasks, because otherwise sssd has no way to communicate with AD. If you only want to use AD to authenticate local users, then no join is indeed necessary, but then there is no need for sssd; you just need to configure Kerberos.
-----Original Message-----
From: Michael Dahlberg dahlberg@recursoft.org
Sent: Monday, April 20, 2020 10:40 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] ID provider AD vs LDAP
On Mon, Apr 20, 2020 at 08:39:33PM -0000, Michael Dahlberg wrote:
> I'm attempting to setup SSSD using AD as the id provider. All the documentation that I've found results in the linux system joining the AD domain when configuring sssd in this manner. I would like to configure sssd running on RHEL to just do authorization (access_provider) against the AD domain and *not* actually join the AD
Hi,
based on which information do you want to do the access control? Group-memberships?
AD requires authentication, so if you want to read something from AD you need credentials. Typically you get them during the join, but you can use a service account as well and use 'ldap_default_bind_dn' and 'ldap_default_authtok' (see man sssd-ldap for details).
> domain. I assume that this would mean I should not set "access_provider = ad". Instead should this value be set to ldap?
> If I configure sssd to use LDAP as the access provider, how would I address the Active Directory domain ad.example.com using the "ldap://" notation? Would there be any other changes that I would need to
I would recommend not setting 'ldap_uri' at all; in this case SSSD will use DNS SRV lookups to find LDAP servers in your domain. You might need the 'dns_discovery_domain' option (see man sssd.conf) if the domain name given in the [domain/your.domain.name] section header does not match the name of the AD domain.
HTH
bye, Sumit
> address in the sssd.conf examples that use ldap as the access provider?

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
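The following sssd.conf fragment is an added illustration of the setup Sumit describes (it is not from the thread or the SSSD project's documentation): the host is not joined, SSSD reads AD over the LDAP provider with a read-only service account via 'ldap_default_bind_dn' / 'ldap_default_authtok', no 'ldap_uri' is set so domain controllers are found through DNS SRV records, and access control is done on group membership with 'ldap_access_filter'. The domain ad.example.com comes from the question; the service account DN, the group name, the CA path and the password placeholder are assumptions.

```ini
[sssd]
services = nss, pam
domains = ad.example.com

[domain/ad.example.com]
# LDAP provider against AD without joining: SSSD binds with a service account
# instead of a machine keytab. Assumed account DN; replace with your own.
id_provider = ldap
ldap_schema = ad
ldap_referrals = false
# Set to true if the AD users carry no uidNumber/gidNumber attributes, so
# SSSD derives POSIX IDs from the objectSID instead.
ldap_id_mapping = true
ldap_search_base = DC=ad,DC=example,DC=com
ldap_default_bind_dn = CN=sssd-ro,OU=Service Accounts,DC=ad,DC=example,DC=com
ldap_default_authtok_type = password
# Placeholder only. The value is stored in clear text, so keep this file
# root-owned with mode 0600 and use an account that can only read the directory.
ldap_default_authtok = CHANGE-ME-PLACEHOLDER
# Protect the bind and the directory traffic; assumed CA bundle path.
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ad-ca.pem

# No ldap_uri: SSSD discovers LDAP servers via DNS SRV records for the domain.
# Only needed when the section name above differs from the real AD domain name.
# dns_discovery_domain = ad.example.com

# Authenticate users with Kerberos against the AD realm; no host keytab or
# join is required for this, as Sumit notes. KDCs are also found through DNS.
auth_provider = krb5
krb5_realm = AD.EXAMPLE.COM

# Authorization on group membership (assumed group name) plus AD account
# expiry / disabled flags, so a disabled AD user is refused even if still in the group.
access_provider = ldap
ldap_access_order = filter, expire
ldap_access_filter = memberOf=CN=linux-users,OU=Groups,DC=ad,DC=example,DC=com
ldap_account_expire_policy = ad
```

After editing, run `sssctl config-check` and `systemctl restart sssd`, then verify with `id someaduser` and `sssctl user-checks someaduser` that lookups and the access decision behave as expected before relying on it for logins.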