Hi Jakub,

Here's my use case: I'm running Pgpool-II mainly for load balancing requests to PostgreSQL servers. While Pgpool-II supports LDAP(AD) or GSSAPI/Kerberos, which I have working, I need Pgpool authentication which supports LDAP(AD) via a PAM module. PostgreSQL authorization does not utilize LDAP(AD) but database permissions, so LDAP(AD) memberships etc. are not needed.

cat /etc/pam.d/pgpool
#%PAM-1.0
auth     required pam_sss.so
account  required pam_sss.so

In addition to auth_provider, now I have configured id_provider to be LDAP and I managed to get things to work after setting ldap_id_mapping = true. I'm trying to avoid joining the domain, which is why I'm using LDAP for AD.

One thing that I had to do was to configure ldap_default_bind_dn and ldap_default_authtok, which sucks because I don't want to expose the password for some admin account in a file. I should be able to get basic info about the user using the provided credentials with a simple non-anonymous bind, as I've done in other projects. What is odd is that search queries are performed first and then PAM authentication with the simple bind is done last.

In addition, the number of LDAP queries for my simple case is excessive:

- 5 LDAP queries on objectClass=group for memberships, even though I set ldap_group_nesting_level = 0. I have my memberships in the memberOf attribute.
- 1 LDAP query on objectClass=group for ObjectSID
- 1 LDAP query for my user info
- 2 LDAP queries for other stuff on objectClass=*

Is there a way to avoid using ldap_default_bind_dn and ldap_default_authtok for LDAP? If so, does it mean that the user to be authenticated has to have enough permissions to do searches in AD via LDAP?

Thank you,
Andre

On Thu, Aug 9, 2018 at 1:19 PM Jakub Hrozek <[email protected]> wrote:
>
> On Thu, Aug 09, 2018 at 10:06:52AM -0700, Andre Piwoni wrote:
> > There does not seem to be much documentation on how to make
> > authentication work without any extras. All I need is a simple
> > non-anonymous bind using provided credentials without any searches. My
> > understanding is that I don't need NSS for this, only PAM with
> > auth_provider set to ldap. However, without id_provider set in
> > sssd.conf SSSD does not start at all. This has been reported as a bug
> > and supposedly has been fixed before the SSSD 1.16.0 version that I'm
> > using. I have tried to set id_provider to none but I'm getting some
> > indications in logs that an id provider is needed. Is it possible to do a
> > simple non-anonymous bind without anything extra, not even chpass?
>
> I'm not sure this is possible. One of the core design decisions of SSSD
> was that a domain ties authentication and identity source -- so you do
> need an id_provider to fetch the identity from somewhere.
>
> That somewhere might not be the same server or not a remote server at
> all, there is also the proxy id_provider that is able to wrap any nss
> module, but there needs to be some ID provider.
>
> What is the use-case you are trying to solve?
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/[email protected]/message/BKVIAMB6KYGJTXNECDM5BPHWP3XE4JTG/

--
Andre Piwoni
Sr. Software Developer, BI/Database
WebMD Health Services
Mobile: 801.541.4722
www.webmdhealthservices.com

_______________________________________________
sssd-users mailing list -- [email protected]
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]/message/765EVHKNCV576BM5T72OVQJMVSKJKBLK/
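The thread turns on two points: a domain in sssd.conf must carry an id_provider or SSSD will not start it, and an LDAP id_provider that has to search AD needs a service-account bind (ldap_default_bind_dn / ldap_default_authtok) whose password then sits in the config file. The script below is an added example, not code from the thread or from the SSSD project: it parses an sssd.conf and a PAM stack offline and reports those conditions, plus a cleartext ldap:// URI used without StartTLS. The sample sssd.conf and PAM stack are constructed to match the settings named above (host, base DN, bind DN and password are placeholders); the option names it checks (id_provider, ldap_default_authtok, ldap_default_authtok_type with its default of "password", ldap_id_use_start_tls, ldap_uri) are real SSSD options, and sss_obfuscate is the SSSD tool that produces an obfuscated_password value.

```python
"""Offline audit of an sssd.conf and a PAM stack for the settings discussed
above: a required id_provider, an LDAP bind credential kept in the config
file, cleartext LDAP URIs, and the pam_sss.so lines the PAM service needs."""
import configparser
from typing import List

# Constructed sample in the shape of the configuration described in the
# thread; host, base DN, bind DN and password are placeholders.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://dc1.example.test
ldap_search_base = DC=example,DC=test
ldap_schema = ad
ldap_id_mapping = true
ldap_group_nesting_level = 0
ldap_default_bind_dn = CN=svc-sssd,OU=Service Accounts,DC=example,DC=test
ldap_default_authtok = PLACEHOLDER-PASSWORD
"""

# Constructed copy of the /etc/pam.d/pgpool stack quoted in the thread.
SAMPLE_PAM_STACK = """\
#%PAM-1.0
auth    required pam_sss.so
account required pam_sss.so
"""


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """Parse sssd.conf text; option names stay case-sensitive, '%' is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # type: ignore[assignment]
    cp.read_string(text)
    return cp


def audit_sssd_conf(text: str) -> List[str]:
    """Return 'LEVEL section: message' findings for every [domain/...] section."""
    cp = parse_sssd_conf(text)
    findings: List[str] = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        # A domain always needs an id_provider; SSSD will not start without one.
        if "id_provider" not in dom:
            findings.append(f"ERROR {section}: id_provider missing, SSSD will not start this domain")
        # Service-account bind credential that the id_provider uses for searches.
        if "ldap_default_authtok" in dom:
            tok_type = dom.get("ldap_default_authtok_type", "password")  # SSSD default
            if tok_type != "obfuscated_password":
                findings.append(
                    f"WARN {section}: ldap_default_authtok is stored in plaintext; keep sssd.conf "
                    "root-owned mode 0600, or store it with sss_obfuscate and set "
                    "ldap_default_authtok_type = obfuscated_password")
            else:
                findings.append(
                    f"INFO {section}: ldap_default_authtok is obfuscated (reversible); "
                    "file permissions still protect it")
        elif "ldap_default_bind_dn" in dom:
            findings.append(f"ERROR {section}: ldap_default_bind_dn set without ldap_default_authtok")
        # Identity lookups over ldap:// without StartTLS would send the bind password in clear.
        uris = [u.strip() for u in dom.get("ldap_uri", "").split(",") if u.strip()]
        plain = [u for u in uris if u.startswith("ldap://")]
        if plain and dom.get("ldap_id_use_start_tls", "false").lower() != "true":
            findings.append(
                f"WARN {section}: cleartext ldap_uri without ldap_id_use_start_tls: {', '.join(plain)}")
    return findings


def audit_pam_stack(text: str) -> List[str]:
    """Check that both the auth and account phases route through pam_sss.so."""
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Control field may be bracketed ([success=1 default=ignore]), so scan all fields.
        if any(f.endswith("pam_sss.so") for f in fields[1:]):
            seen.add(fields[0].lstrip("-"))
    return [f"ERROR pam: no '{phase}' line uses pam_sss.so"
            for phase in ("auth", "account") if phase not in seen]


if __name__ == "__main__":
    for finding in audit_sssd_conf(SAMPLE_SSSD_CONF) + audit_pam_stack(SAMPLE_PAM_STACK):
        print(finding)
```

Run it as-is to see the findings for the constructed sample, or feed it the contents of /etc/sssd/sssd.conf and /etc/pam.d/pgpool; on the sample it reports only the plaintext ldap_default_authtok warning, which is exactly the trade-off the thread describes.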
