> On Fri, Jun 06, 2014 at 09:40:09AM +0100, Robert Zmijan wrote:
>>> On 06/04/2014 06:54 PM, Robert Zmijan wrote:
>>>>> On 06/04/2014 04:13 PM, Robert Zmijan wrote:
>>>>>>> On Wed, 2014-06-04 at 18:15 +0100, Robert Zmijan wrote:
>>>>>>>> Hi
>>>>>>>>
>>>>>>>> I want to setup sssd to use ldap_default_bind_dn and
>>>>>>>> ldap_default_authok. Currently I have in my sssd.conf
>>>>>>>> ldap_default_bind_dn = cn=sssd,ou=services,dc=myhost,dc=net
>>>>>>>> ldap_default_authok = mypassword. I understand that I would
>>>>>>>> have to put 'mypassword' in ldap under the name of 'sssd'.
>>>>>>>> The problem I'm facing is that when I type: sss_obfuscate I
>>>>>>>> get this:
>>>>>>>>
>>>>>>>> File "/usr/sbin/sss_obfuscate", line 81 print "Cannot read
>>>>>>>> internal configuration files"
>>>>>>> chmod 0600 /etc/sssd/sssd.conf
>>>>>>>
>>>>>> Just did that. Running sss_obfuscate still has the same effect as
>>>>>> above:
>>>>>> File "/usr/sbin/sss_obfuscate", line 81 print "Cannot read
>>>>>> internal configuration files"
>>>>>> Syntax Error: invalid syntax
>>>>> "invalid syntax" probably means you have an error in the config
>>>>> file. Mind including it so we can help you spot the syntax error?
>>>> Sure, did you mean sssd.conf?
>>>>
>>>> here it is
>>>>
>>>> [sssd]
>>>> config_file_version = 2
>>>> services = nss, pam
>>>> domains = LDAP
>>>>
>>>> [nss]
>>>>
>>>> filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
>>>>
>>>>
>>>> [pam]
>>>>
>>>> # Example LDAP domain
>>>> [domain/LDAP]
>>>> id_provider = ldap
>>>>
>>>> ldap_id_use_start_tls = True
>>>>
>>>> auth_provider = ldap
>>>> chpass_provider = ldap
>>>> access_provider = ldap
>>>>
>>>> ldap_access_filter = gidNumber=100
>>>>
>>>> ldap_user_ssh_public_key = sshPublicKey
>>>> ldap_default_bind_dn=cn=sssd,ou=services,dc=myhost,dc=net
>>>>
>>>> ldap_tls_reqcert = never
>>>> ldap_tls_cacert = /etc/openldap/ssl/ldapscert.crt
>>>> ldap_uri = ldap://127.0.0.1
>>>> ldap_search_base = dc=homelinux,dc=net
>>>> ldap_user_search_base = ou=People,dc=myhost,dc=net
>>>> ldap_group_search_base = ou=Group,dc=myhost,dc=net
>>>>
>>>> enumerate = true
>>>
>>> Please do not use enumerate=true unless you really need to.
>>> In most cases it should not be enabled.
>>> It seems that your case is such.
>>>
>>> 2c.
>>> Dmitri
>>
>> Thanks, I'll change the enumerate value.
>>
>> By the way, I solved my problem with sss_obfuscate on my Gentoo.
>> The sss_obfuscate script is not compatible with python 3.3 which is the
>> default interpreter in my system.
>> Changing the first line of the sss_obfuscate to:
>>
>> #!/usr/bin/python2.7 (instead of '#!/usr/bin/python')
>>
>> and adding
>>
>> export PYTHONPATH=${PYTHONPATH}:/usr/lib64/python2.7/site-packages
>>
>> to .bashrc
>>
>> solved the problem.
>>
>> The message "Cannot read internal configuration files" was all about
>> python3.3 complaining about the python2.7 syntax of the sss_obfuscate
>> script, and a lacking path to the SSSD-specific *.py modules.
>
> great, thank you for sharing your findings. I guess they are valuable
> for other users as well as long as we have not fixed
> https://fedorahosted.org/sssd/ticket/2017 "Python 3 support" which is
> scheduled for 1.13.
>
>
>>
>> Now I have my obfuscated passwd in sssd.config file.
>> Can you tell me what is now best to do on the ldap side to make SSSD
>> authenticate itself with that password?
>
> You have to create the cn=sssd,ou=services,dc=myhost,dc=net user object
> and set the password. Additionally I would recommend to assign an
> appropriate access control for this user. E.g. it should not be allowed
> to read passwords.
>
> HTH
>
> bye,
> Sumit
Thanks Sumit

What ldap attributes would the cn=sssd,ou=services,dc=myhost,dc=net user need (read) access to, so I can list it in the slapd.conf access list?

Another question: shall I copy the obfuscated passwd string straight into the ldap sssd user's passwd attribute entry? What encryption type shall I choose in ldap for the obfuscated string, md5, crypt, sha... ?

R.

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
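As an added example, not part of this thread and not code from the SSSD project, the Python 3 script below covers the two sides of the bind-account setup being discussed: it checks an sssd.conf for settings that weaken protection of the ldap_default_bind_dn credential (the posted config combines a bind password with ldap_tls_reqcert = never and enumerate = true), and it generates the LDAP-side pieces the last question asks about, an LDIF for the service entry and OpenLDAP slapd.conf access rules that let that DN read account data but not userPassword. The DNs, the sample configuration, the obfuscated token and the attribute list are all constructed assumptions for this example.

```python
"""Added example (not from the sssd-users thread or the SSSD project).
Checks sssd.conf bind-credential settings and emits the LDAP-side
artefacts for a read-only SSSD bind account. Everything below is
constructed for illustration."""
import configparser

BIND_DN = "cn=sssd,ou=services,dc=myhost,dc=net"   # constructed, as in the thread
BASE_DN = "dc=myhost,dc=net"                        # constructed

# Constructed sssd.conf modelled on the posted one; the authtok value is a
# placeholder, not real sss_obfuscate output.
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://127.0.0.1
ldap_id_use_start_tls = True
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/openldap/ssl/ldapscert.crt
ldap_default_bind_dn = cn=sssd,ou=services,dc=myhost,dc=net
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = PLACEHOLDER_OBFUSCATED_TOKEN
ldap_search_base = dc=myhost,dc=net
enumerate = true
"""
# The same file with the two weak settings corrected.
HARDENED_SSSD_CONF = (SAMPLE_SSSD_CONF
                      .replace("ldap_tls_reqcert = never", "ldap_tls_reqcert = demand")
                      .replace("enumerate = true", "enumerate = false"))

# Attributes a bind account typically needs for posixAccount/posixGroup lookups
# (assumption: SSSD's default attribute maps plus the sshPublicKey map from the
# posted config). "entry" is OpenLDAP's pseudo-attribute for seeing the entry itself.
READ_ATTRS = ("entry", "objectClass", "uid", "cn", "uidNumber", "gidNumber",
              "gecos", "homeDirectory", "loginShell", "memberUid", "member",
              "modifyTimestamp", "sshPublicKey")


def check_bind_credential_settings(conf_text):
    """Return [(section, finding)] for every id_provider=ldap domain."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for sect in cp.sections():
        if not sect.startswith("domain/") or cp.get(sect, "id_provider", fallback="") != "ldap":
            continue
        uri = cp.get(sect, "ldap_uri", fallback="")
        starttls = cp.get(sect, "ldap_id_use_start_tls", fallback="false").lower() == "true"
        reqcert = cp.get(sect, "ldap_tls_reqcert", fallback="hard").lower()
        has_bind = cp.has_option(sect, "ldap_default_bind_dn")
        if has_bind and not (starttls or uri.startswith("ldaps://")):
            findings.append((sect, "bind DN set without StartTLS or ldaps://: "
                                   "the simple-bind password crosses the wire in clear"))
        if has_bind and reqcert in ("never", "allow"):
            findings.append((sect, "ldap_tls_reqcert=%s: server certificate not verified, "
                                   "so TLS cannot stop a spoofed server collecting the bind password" % reqcert))
        if (cp.has_option(sect, "ldap_default_authtok")
                and cp.get(sect, "ldap_default_authtok_type", fallback="password") != "obfuscated_password"):
            findings.append((sect, "ldap_default_authtok is cleartext; run sss_obfuscate "
                                   "(ldap_default_authtok_type = obfuscated_password)"))
        if cp.get(sect, "enumerate", fallback="false").lower() == "true":
            findings.append((sect, "enumerate=true: whole-directory downloads, rarely needed"))
    return findings


def bind_user_ldif(dn, hashed_password):
    """LDIF for the service entry. hashed_password is a server-side hash such as
    slappasswd output ({SSHA}...), never the sss_obfuscate token."""
    rdn_attr, rdn_value = dn.split(",", 1)[0].split("=", 1)
    return "\n".join([
        "dn: %s" % dn,
        "objectClass: organizationalRole",     # structural class carrying cn
        "objectClass: simpleSecurityObject",   # auxiliary class carrying userPassword
        "%s: %s" % (rdn_attr, rdn_value),
        "userPassword: %s" % hashed_password,
        "description: SSSD bind account (read-only)",
    ]) + "\n"


def slapd_access_rules(bind_dn, base_dn, attrs=READ_ATTRS):
    """Ordered slapd.conf access directives. slapd stops at the first matching
    'access to' clause, so the userPassword rule must precede the general one."""
    return "\n".join([
        "access to attrs=userPassword",
        "    by self write",
        "    by anonymous auth",          # lets any account (sssd included) simple-bind
        "    by * none",                  # nobody, not even the bind account, reads hashes
        'access to dn.subtree="%s" attrs=%s' % (base_dn, ",".join(attrs)),
        '    by dn.exact="%s" read' % bind_dn,
        "    by self read",
        "    by * none",
    ]) + "\n"


if __name__ == "__main__":
    for sect, msg in check_bind_credential_settings(SAMPLE_SSSD_CONF):
        print("%s: %s" % (sect, msg))
    print(bind_user_ldif(BIND_DN, "{SSHA}PLACEHOLDER_FROM_slappasswd"))
    print(slapd_access_rules(BIND_DN, BASE_DN))
```

On the password question: the sss_obfuscate token only protects the value as it sits in sssd.conf; SSSD reverses it at runtime and performs an ordinary simple bind with the real password. The directory entry therefore needs that real password, stored as a hash the server understands (for OpenLDAP, the output of slappasswd, e.g. {SSHA}), not the obfuscated string. The checker's first finding on the sample config is the more important one: with ldap_tls_reqcert = never the bind password is sent to whichever server answers on the configured URI, verified or not.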
