> On 06/09/2014 01:56 PM, Robert Zmijan wrote:
>> Now I have my obfuscated passwd in sssd.config file.
>> Can you tell me what is now best to do on the ldap side to make SSSD
>> authenticate itself with that password?
> You have to create the cn=sssd,ou=services,dc=myhost,dc=net user object
> and set the password. Additionally I would recommend assigning
> appropriate access control to this user, e.g. it should not be allowed
> to read passwords.
>
> HTH
>
> bye,
> Sumit
OK, I understand why it should not be able to read passwords. However,
under 'access to attrs=userPassword' in my slapd.conf, if I comment out
the line 'by dn="userid=sssd,ou=People,dc=myhost,dc=net" read', sssd
cannot establish a successful bind. In consequence I cannot log any
user in. What is the best way to allow sssd to read its own password but
not allow access to others' passwords?

Below my slapd.conf

---------------
access to dn="cn=subschema"
         by * read

access to attrs=userPassword
         by dn="uid=root,ou=People,dc=myhost,dc=net" write
         by dn="userid=sssd,ou=People,dc=myhost,dc=net" read
         by self write
         by anonymous auth
         by * auth

access to attrs=sshPublicKey
         by dn="uid=root,ou=People,dc=myhost,dc=net" write
         by self write
         by * read

access to *
         by dn="cn=user1,ou=People,dc=myhost,dc=net" read
         by dn="uid=user3,ou=People,dc=myhost,dc=net" write
         by dn="uid=user2,ou=People,dc=myhost,dc=net" write
         by dn="uid=root,ou=People,dc=myhost,dc=net" write
         by dn="userid=sssd,ou=People,dc=myhost,dc=net" read
         by * search
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Can you bind with the sssd user and its password via an LDAP search command, with or without this setting? You should be able to, because when you remove the line sssd would authenticate as itself and thus the self rules would apply. If this is possible, that means that your password is OK and the problem is in SSSD. If it fails, this means that your password for the SSSD user is not correct (maybe it requires a change).

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
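To see why the bind itself does not need the `read` line, here is an added example (not from the thread or from OpenLDAP) that emulates the relevant subset of slapd's ACL evaluation on the `attrs=userPassword` directive posted above: `by` clauses are tried in order, the first match decides, and the granted level must be at least the level the operation needs. It assumes the standard OpenLDAP privilege ordering and that a simple bind is performed by an anonymous requester needing `auth` on the target entry's `userPassword`.

```python
# Minimal first-match evaluator for the posted 'access to attrs=userPassword' rule.
# Added example; it models only the <who> forms used in that rule (dn="...", self,
# anonymous, *), not the full OpenLDAP ACL grammar.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The rule exactly as posted in slapd.conf (constructed copy for this demo).
USERPASSWORD_RULE = [
    ('dn="uid=root,ou=People,dc=myhost,dc=net"', "write"),
    ('dn="userid=sssd,ou=People,dc=myhost,dc=net"', "read"),
    ("self", "write"),
    ("anonymous", "auth"),
    ("*", "auth"),
]

SSSD = "userid=sssd,ou=People,dc=myhost,dc=net"
USER1 = "cn=user1,ou=People,dc=myhost,dc=net"


def clause_matches(who, requester, target_dn):
    """requester is None for an unauthenticated (anonymous) connection, else the bound DN."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who.startswith('dn="') and who.endswith('"'):
        return requester is not None and requester.lower() == who[4:-1].lower()
    raise ValueError(f"unsupported <who> clause: {who}")


def granted_level(rule, requester, target_dn):
    """First matching <by> clause decides; no match means 'none' (denied)."""
    for who, level in rule:
        if clause_matches(who, requester, target_dn):
            return level
    return "none"


def allowed(rule, requester, target_dn, needed):
    return LEVELS.index(granted_level(rule, requester, target_dn)) >= LEVELS.index(needed)


def without_sssd_read(rule):
    """The rule with the commented-out 'by dn=... sssd read' line removed."""
    return [c for c in rule if c[0] != 'dn="userid=sssd,ou=People,dc=myhost,dc=net"']
```

With the `read` line removed, an anonymous bind as the sssd DN still reaches `by anonymous auth`, so the bind is permitted; what changes is that sssd can no longer read other entries' `userPassword`, while `by self write` still covers its own entry.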
