On Fri, Jun 06, 2014 at 09:40:09AM +0100, Robert Zmijan wrote:
>
> On 06/04/2014 06:54 PM, Robert Zmijan wrote:
> >>> On 06/04/2014 04:13 PM, Robert Zmijan wrote:
> >>>>> On Wed, 2014-06-04 at 18:15 +0100, Robert Zmijan wrote:
> >>>>>> Hi
> >>>>>>
> >>>>>> I want to set up sssd to use ldap_default_bind_dn and
> >>>>>> ldap_default_authok. Currently I have in my sssd.conf
> >>>>>> ldap_default_bind_dn = cn=sssd,ou=services,dc=myhost,dc=net
> >>>>>> ldap_default_authok = mypassword
> >>>>>> I understand that I would have to put 'mypassword' in ldap
> >>>>>> under the name of 'sssd'. The problem I'm facing is that when
> >>>>>> I type: sss_obfuscate I get this:
> >>>>>>
> >>>>>>   File "/usr/sbin/sss_obfuscate", line 81
> >>>>>>     print "Cannot read internal configuration files"
> >>>>> chmod 0600 /etc/sssd/sssd.conf
> >>>>>
> >>>> Just did that. Running sss_obfuscate still has the same effect as
> >>>> above:
> >>>>   File "/usr/sbin/sss_obfuscate", line 81
> >>>>     print "Cannot read internal configuration files"
> >>>>   Syntax Error: invalid syntax
> >>> "invalid syntax" probably means you have an error in the config
> >>> file. Mind including it so we can help you spot the syntax error?
> >> Sure, did you mean sssd.conf?
> >>
> >> here it is
> >>
> >> [sssd]
> >> config_file_version = 2
> >> services = nss, pam
> >> domains = LDAP
> >>
> >> [nss]
> >>
> >> filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
> >>
> >> [pam]
> >>
> >> # Example LDAP domain
> >> [domain/LDAP]
> >> id_provider = ldap
> >>
> >> ldap_id_use_start_tls = True
> >>
> >> auth_provider = ldap
> >> chpass_provider = ldap
> >> access_provider = ldap
> >>
> >> ldap_access_filter = gidNumber=100
> >>
> >> ldap_user_ssh_public_key = sshPublicKey
> >> ldap_default_bind_dn=cn=sssd,ou=services,dc=myhost,dc=net
> >>
> >> ldap_tls_reqcert = never
> >> ldap_tls_cacert = /etc/openldap/ssl/ldapscert.crt
> >> ldap_uri = ldap://127.0.0.1
> >> ldap_search_base = dc=homelinux,dc=net
> >> ldap_user_search_base = ou=People,dc=myhost,dc=net
> >> ldap_group_search_base = ou=Group,dc=myhost,dc=net
> >>
> >> enumerate = true
> >
> > Please do not use enumerate=true unless you really need to.
> > In most cases it should not be enabled.
> > It seems that your case is such.
> >
> > 2c.
> > Dmitri
>
> Thanks, I'll change the enumerate value.
>
> By the way, I solved my problem with sss_obfuscate on my Gentoo.
> The sss_obfuscate script is not compatible with python 3.3, which is the
> default interpreter in my system.
> Changing the first line of the sss_obfuscate to:
>
> #!/usr/bin/python2.7 (instead of '#!/usr/bin/python')
>
> and adding
>
> export PYTHONPATH=${PYTHONPATH}:/usr/lib64/python2.7/site-packages
>
> to .bashrc
>
> solved the problem.
>
> The message "Cannot read internal configuration files" was all about
> python3.3 complaining about the python2.7 syntax of the sss_obfuscate
> script, and a lacking path to the SSSD-specific *.py modules.
Great, thank you for sharing your findings. I guess they are valuable for
other users as well, as long as we have not fixed
https://fedorahosted.org/sssd/ticket/2017 "Python 3 support", which is
scheduled for 1.13.

>
> Now I have my obfuscated passwd in sssd.config file.
> Can you tell me what is now best to do on the ldap side to make SSSD
> authenticate itself with that password?

You have to create the cn=sssd,ou=services,dc=myhost,dc=net user object
and set the password. Additionally I would recommend assigning an
appropriate access control for this user. E.g. it should not be allowed
to read passwords.

HTH

bye,
Sumit

>
> R.

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
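The bind account and the least-privilege access control Sumit recommends, written out as an added example (not from the thread or the SSSD project). It assumes OpenLDAP with cn=config, a data database named olcDatabase={1}mdb, and the DNs from Robert's sssd.conf; the password hash is a placeholder.

```ldif
# Constructed example: the service account SSSD binds as.
# Generate the hash with: slappasswd -s '<the secret you gave sss_obfuscate>'
dn: cn=sssd,ou=services,dc=myhost,dc=net
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: sssd
description: SSSD bind account (read-only, may not read userPassword)
userPassword: {SSHA}REPLACE_WITH_OUTPUT_OF_slappasswd

# Assumption: the directory is served by olcDatabase={1}mdb,cn=config.
# olcAccess rules are evaluated in order; the first matching "to" clause wins.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Passwords: a user may change their own, anyone may bind with it, nobody reads it.
# cn=sssd is covered by "* none", so it cannot harvest hashes.
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none
# Users: cn=sssd reads the attributes SSSD needs (uid, gidNumber, sshPublicKey, ...),
# a user may read their own entry, everyone else gets nothing.
olcAccess: {1}to dn.subtree="ou=People,dc=myhost,dc=net"
  by dn.exact="cn=sssd,ou=services,dc=myhost,dc=net" read
  by self read
  by * none
# Groups: readable by cn=sssd and by authenticated users.
olcAccess: {2}to dn.subtree="ou=Group,dc=myhost,dc=net"
  by dn.exact="cn=sssd,ou=services,dc=myhost,dc=net" read
  by users read
  by * none
# Everything else (including ou=services itself) stays closed to cn=sssd.
olcAccess: {3}to *
  by * none
```

Load the first record with ldapadd as the directory manager and the second against cn=config with ldapmodify (for example over ldapi:/// with SASL EXTERNAL as root). Afterwards, `ldapsearch -D cn=sssd,ou=services,dc=myhost,dc=net -W -b ou=People,dc=myhost,dc=net userPassword` should return entries without any userPassword values.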
