On Thu, Oct 31, 2013 at 03:04:39PM +0100, Pieter Baele wrote:
> Hello everyone,
>
> I made a configuration where I use Active Directory Kerberos as
> authentication source, but OpenDJ LDAP (Forgerock) as id_provider,
> sudo_provider etc....
>
> I configured everything using the excellent tool msktutil, so no Samba or
> ktpass.exe involved....
>
> Basically, this is my sssd.conf:
>
> [domain/DOMAIN]
> ldap_id_use_start_tls = True
> ldap_schema = rfc2307bis
> ldap_search_base = dc=xyz
> id_provider = ldap
> access_provider = ldap
> ldap_access_filter = isMemberOf=zyx
> auth_provider = krb5
> chpass_provider = krb5
> ldap_uri = ldap://xyz
> cache_credentials = true
> sudo_provider = ldap
> ldap_sudo_search_base = ou=xyz
> ldap_netgroup_search_base = ou=xyz
> ldap_group_name = uniqueMember
> entry_cache_netgroup_timeout = 300
> entry_cache_sudo_timeout = 300
> ldap_sasl_mech = GSSAPI
> ldap_force_upper_case_realm = True
> ldap_krb5_keytab = /etc/krb5.keytab
> krb5_keytab = /etc/krb5.keytab
> krb5_realm = MSNET.RAILB.BE
> krb5_ccachedir = /tmp
> krb5_validate = True
> krb5_auth_timeout = 15
> ldap_sasl_authid = [email protected]
> ldap_krb5_init_creds = true
> debug_level = 5
>
> I only have one problem: I have to create a "uid=HOSTNAME$" entry in my
> LDAP servers, which is now objectClass account....
>
> By default, OpenDJ makes a GSSAPI match based on a regexp for uid.
>
> But if I want to use objectClass ipHost/device, then cn is used instead of
> uid.
>
> Any idea what is the nicest solution here?
>
> SSO works perfectly between Linux hosts also, but I can't succeed in using
> PuTTY to use my Windows credentials/ticket to sign on to the sssd-enabled
> hosts.
>
> Sincerely, PieterB
Sorry, I'm not quite sure what the problem is? Do you need to look up this
special entry with cn instead of uid?

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
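The sssd.conf in the thread ties three things together that must agree before GSSAPI binds and ticket validation can work: the ldap_sasl_authid principal sssd binds with, the host/ key that krb5_validate verifies the TGT against, and the realm spelling. The script below is an added example (not from the thread or from the SSSD project) that cross-checks a config against `klist -k` output. The sssd.conf fragment and the klist listing are constructed; the HOSTNAME$ authid and the hostname.msnet.railb.be FQDN are assumptions, since the list archive obscured the real principal.

```python
import configparser
import re

# Constructed sssd.conf fragment with the thread's relevant settings. The realm
# is the one posted; the ldap_sasl_authid value is an ASSUMED msktutil-style
# computer-account principal (the list archive obscured the original).
SSSD_CONF = """\
[domain/DOMAIN]
id_provider = ldap
auth_provider = krb5
ldap_sasl_mech = GSSAPI
ldap_force_upper_case_realm = True
ldap_krb5_keytab = /etc/krb5.keytab
krb5_keytab = /etc/krb5.keytab
krb5_realm = MSNET.RAILB.BE
krb5_validate = True
ldap_sasl_authid = HOSTNAME$@MSNET.RAILB.BE
"""

# Constructed `klist -k /etc/krb5.keytab` output for a keytab written by
# msktutil (ASSUMED principal names; enctype columns omitted).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOSTNAME$@MSNET.RAILB.BE
   2 host/hostname.msnet.railb.be@MSNET.RAILB.BE
"""

HOSTNAME = "hostname.msnet.railb.be"  # assumed FQDN of the sssd client


def parse_sssd_conf(text):
    """Return {section: {key: value}} for an sssd.conf-style INI file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def keytab_principals(klist_text):
    """Extract principal names from `klist -k` output (rows of 'KVNO principal')."""
    principals = set()
    for line in klist_text.splitlines():
        m = re.match(r"^\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            principals.add(m.group(1))
    return principals


def check_domain(domain, principals, hostname):
    """Cross-check one [domain/...] section against the keytab principals.

    Returns a list of findings; an empty list means the config is consistent.
    """
    findings = []
    realm = domain.get("krb5_realm", "")

    # 1. GSSAPI bind: the authid sssd presents must actually be in the keytab,
    #    and its realm must match krb5_realm.
    if domain.get("ldap_sasl_mech", "").upper() == "GSSAPI":
        authid = domain.get("ldap_sasl_authid")
        if not authid:
            findings.append("ldap_sasl_mech is GSSAPI but ldap_sasl_authid is unset")
        elif authid not in principals:
            findings.append(f"ldap_sasl_authid {authid} not found in keytab")
        elif authid.rsplit("@", 1)[-1] != realm:
            findings.append(f"ldap_sasl_authid realm differs from krb5_realm {realm}")

    # 2. krb5_validate = True needs a host/<fqdn>@REALM key to verify the TGT.
    if domain.get("krb5_validate", "").lower() == "true":
        host_princ = f"host/{hostname}@{realm}"
        if host_princ not in principals:
            findings.append(f"krb5_validate is true but {host_princ} is not in keytab")

    # 3. Kerberos realms are conventionally upper-case; flag anything else.
    if realm != realm.upper():
        findings.append(f"krb5_realm {realm!r} is not upper-case")

    return findings


def run_check(conf_text=SSSD_CONF, klist_text=KLIST_OUTPUT, hostname=HOSTNAME):
    """Run check_domain over every [domain/...] section; returns {section: findings}."""
    conf = parse_sssd_conf(conf_text)
    principals = keytab_principals(klist_text)
    return {s: check_domain(d, principals, hostname)
            for s, d in conf.items() if s.startswith("domain/")}


if __name__ == "__main__":
    for section, findings in run_check().items():
        print(section, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

On a real host, replace the two constructed strings with the contents of /etc/sssd/sssd.conf and the output of `klist -k` for the keytab named in ldap_krb5_keytab; a finding under point 2 is the usual cause of a krb5_validate failure after the bind itself succeeds.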
