On 10/31/2013 02:46 PM, Jakub Hrozek wrote:
> On Thu, Oct 31, 2013 at 03:04:39PM +0100, Pieter Baele wrote:
>> Hello everyone,
>>
>> I made a configuration where I use Active Directory Kerberos as
>> authentication source,
>> but OpenDJ LDAP (Forgerock) as id_provider, sudo_provider etc....
>>
>> I configured everything using the excellent tool msktutil, so no Samba or
>> ktpass.exe involved....
>>
>> Basically, this is my sssd.conf:
>>
>> [domain/DOMAIN]
>> ldap_id_use_start_tls = True
>> ldap_schema = rfc2307bis
>> ldap_search_base = dc=xyz
>> id_provider = ldap
>> access_provider = ldap
>> ldap_access_filter = isMemberOf=zyx
>> auth_provider = krb5
>> chpass_provider = krb5
>> ldap_uri = ldap://xyz
>> cache_credentials = true
>> sudo_provider = ldap
>> ldap_sudo_search_base = ou=xyz
>> ldap_netgroup_search_base = ou=xyz
>> ldap_group_name = uniqueMember
>> entry_cache_netgroup_timeout = 300
>> entry_cache_sudo_timeout = 300
>> ldap_sasl_mech = GSSAPI
>> ldap_force_upper_case_realm = True
>> ldap_krb5_keytab = /etc/krb5.keytab
>> krb5_keytab = /etc/krb5.keytab
>> krb5_realm = MSNET.RAILB.BE
>> krb5_ccachedir = /tmp
>> krb5_validate = True
>> krb5_auth_timeout = 15
>> ldap_sasl_authid = [email protected]
>> ldap_krb5_init_creds = true
>> debug_level = 5
>>
>> I only have one problem: I have to create a "uid=HOSTNAME$" entry in my
>> LDAP servers, which is now objectClass account....
>>
>> By default, OpenDJ makes a GSSAPI match based on a regexp for UID.
>>
>> But if I want to use objectClass ipHost/device, then cn is used instead of
>> uid.
>>
>> Any idea what is the nicest solution here?
>>
>> SSO works perfectly between Linux hosts as well, but I can't succeed in using Putty
>> to use my Windows credentials/ticket to sign on to the sssd-enabled hosts.
>>
>> Sincerely, PieterB
>
> Sorry, I'm not quite sure what the problem is? Do you need to look up
> this special entry with cn instead of uid?
I did not comment because I thought it was just me who was confused by it. It seems that there is some sort of OpenDJ problem, limitation or config issue. I do not think we quite understand the problem and how we can help.

> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
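The thread turns on how OpenDJ maps the GSSAPI authorization ID (the host's Kerberos principal) to a directory entry: by default a regular-expression identity mapper strips the realm and looks the remainder up under uid, which is why the host needs a uid=HOSTNAME$ entry of objectClass account, while a device/ipHost entry would carry the name in cn. The following is an added example, not code from the thread or from OpenDJ: a small Python emulation of such a mapper, run against a constructed three-entry directory, so the effect of the match attribute can be seen without a live server. The entry DNs, the search base dc=xyz and the helper names are constructed; the behaviour of passing a non-matching ID through unaltered is an assumption about the real mapper, labelled as such in the code.

```python
import re

# Constructed mini directory standing in for the OpenDJ tree: one host entry
# per schema choice discussed in the thread, plus an ordinary user.
DIRECTORY = [
    {"dn": "uid=HOSTNAME$,ou=hosts,dc=xyz",
     "objectClass": ["account"], "uid": ["HOSTNAME$"]},
    {"dn": "cn=HOSTNAME$,ou=hosts,dc=xyz",
     "objectClass": ["device", "ipHost"], "cn": ["HOSTNAME$"]},
    {"dn": "uid=pieter,ou=people,dc=xyz",
     "objectClass": ["inetOrgPerson"], "uid": ["pieter"], "cn": ["Pieter Baele"]},
]


def _under_base(dn, base_dns):
    """True if dn is at or below one of the configured search bases."""
    d = dn.lower()
    return any(d == b.lower() or d.endswith("," + b.lower()) for b in base_dns)


class RegexIdentityMapper:
    """Hypothetical re-implementation of a regular-expression identity mapper.

    match_pattern / replace_pattern rewrite the SASL authorization ID (the
    Kerberos principal for GSSAPI); match_attributes and match_base_dns bound
    the search for the entry the bind is mapped to.
    """

    def __init__(self, match_pattern, replace_pattern, match_attributes, match_base_dns):
        self.pattern = re.compile(match_pattern)
        self.replace = replace_pattern          # Python group syntax, e.g. r"\g<1>"
        self.attrs = match_attributes
        self.base_dns = match_base_dns

    def rewrite(self, authid):
        m = self.pattern.search(authid)
        # Assumption: an ID that does not match the pattern is used unaltered.
        return m.expand(self.replace) if m else authid

    def map_id(self, authid, directory):
        """Return the DN the principal maps to, or None if the bind must be refused."""
        value = self.rewrite(authid)
        hits = [e for e in directory
                if _under_base(e["dn"], self.base_dns)
                and any(value in e.get(a, []) for a in self.attrs)]
        # Exactly one entry must match: zero means an unknown identity, more
        # than one means the mapping is ambiguous and must not be trusted.
        return hits[0]["dn"] if len(hits) == 1 else None


REALM = "MSNET.RAILB.BE"
# Strip "@REALM" from the principal, keeping everything before the "@".
STRIP_REALM = r"^([^@]+)@" + re.escape(REALM) + r"$"


def map_with(attrs, authid):
    """Map authid with a mapper that matches on the given attributes under dc=xyz."""
    mapper = RegexIdentityMapper(STRIP_REALM, r"\g<1>", attrs, ["dc=xyz"])
    return mapper.map_id(authid, DIRECTORY)


if __name__ == "__main__":
    host = "HOSTNAME$@" + REALM
    print("uid only  :", map_with(["uid"], host))            # the account entry
    print("cn only   :", map_with(["cn"], host))             # the device/ipHost entry
    print("uid or cn :", map_with(["uid", "cn"], host))      # ambiguous -> None
    print("user      :", map_with(["uid"], "pieter@" + REALM))
```

Switching the mapper to match on cn lets the device/ipHost entry serve the host bind; matching on both attributes at once only works if each principal still resolves to exactly one entry, which is why the example refuses an ambiguous mapping rather than picking the first hit. Keeping the match base DN as narrow as the host and people subtrees allow is the corresponding server-side check.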
