On (18/02/19 10:53), Spike White wrote:
>All,
>
>Spoiler alert:  my configuration is working;  I just want verification I
>did it right.
>
>BACKGROUND:
>
>I have an LDAP domain that was delivering autofs maps exclusively.  Other
>(AD) domains were delivering users, groups, authentication and access.
>
>Since this back-end LDAP domain didn’t participate in any user
>authentication or access, I configured that backup LDAP domain in sssd.conf
>with only an autofs_provider:
>
>[domain/LDAP]
>debug_level = 9
>id_provider = none
>autofs_provider = ldap
>ldap_uri = ldap://austgcore17.example.com
>ldap_schema = rfc2307bis
>ldap_default_bind_dn = cn=ldapadm,dc=itzgeek,dc=local
>ldap_default_authtok = ldppassword
>ldap_autofs_search_base = ou=automount,ou=admin,dc=itzgeek,dc=local
>ldap_autofs_map_object_class = automountMap
>ldap_autofs_map_name = automountMapName
>ldap_autofs_entry_object_class = automount
>ldap_autofs_entry_key = automountKey
>ldap_autofs_entry_value = automountInformation
>ldap_netgroup_search_base = ou=netgroup,ou=admin,dc=itzgeek,dc=local
>
>Works great!  Get all expected automount maps.
>
>CURRENT (ADDED NETGROUPS):
>
>Now I have added NIS netgroups to this backend LDAP server.  Thus, it now
>successfully delivers automount maps + netgroups.
>
>I still don’t want this LDAP backend domain to even attempt authentication
>and access – that’s in my other (AD) domains.
>
>So you’d think all I’d have to do is change this:
>
>[domain/LDAP]
>…
>id_provider = none
>autofs_provider = ldap
>
>to this:
>
>[domain/LDAP]
>…
>id_provider = none
>autofs_provider = ldap
>netgroup_provider = ldap
>
>But – point in fact – there is no “netgroup_provider” setting for the
>sssd.conf file.  Netgroups take whatever the value of ‘id_provider’ is.
>
>
>
>So I turned on id_provider, then explicitly turned off all providers I
>don’t want.  Is this correct?
>
>
>
>[domain/LDAP]
>debug_level = 9
>#id_provider = none
>id_provider = ldap
>auth_provider = none
>account_provider = none
>chpass_provider = none
>sudo_provider = none
>subdomains_provider = none
>autofs_provider = ldap
>
>Also, any particular reason there’s not a netgroup_provider?
>

Because netgroups are part of id_provider, the same as users, groups and
services. (There is neither user_provider nor group_provider ...)

If you want to provide just netgroups then you might set the sssd options
ldap_user_search_base and ldap_group_search_base (and ldap_service_search_base)
to the part of the LDAP tree which does not contain any users/groups.


>BTW, retrieving netgroups via sssd does not seem explicitly and concretely
>documented.  That is, I had to consult multiple sources to get the RFC
>2307bis setup, another to get the sssd.conf settings.  (I’m not faulting
>anyone; netgroups are rarely used anymore.)
>
>
Netgroups are retrieved by default if you have the standard nisSchema[1] in
your LDAP server.

    [domain/$DOMAIN]
    ldap_search_base = $BASE_DN
    id_provider = ldap
    ldap_uri = ldap://$SERVER
    ldap_tls_cacert = /etc/openldap/certs/cacert.asc


LS

[1] https://docs.oracle.com/cd/E36784_01/html/E38254/appendixa-3.html
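The two answers above (netgroups ride on id_provider, so the domain must use id_provider = ldap, and users/groups are kept out of it by pointing ldap_user_search_base and ldap_group_search_base at a subtree that holds none) can be turned into a small lint for the domain section. The script below is an added example written for this page; it is not sssd project code and not something posted in the thread. It encodes the defaulting rules from sssd.conf(5) (auth_provider defaults to id_provider, chpass_provider to auth_provider, access_provider to permit) and the documented *_provider option names, among which there is no netgroup_provider and no account_provider (the access-control option is access_provider). The host name, DNs and the three sssd.conf fragments are constructed for illustration.

```python
# Added example, not sssd code: lint an sssd.conf domain that should serve
# only autofs maps and netgroups.  Hosts, DNs and configs are constructed.
import configparser

# *_provider keys documented in sssd.conf(5).  Netgroups have no provider of
# their own (they come from id_provider); access is access_provider.
KNOWN_PROVIDERS = {
    "id_provider", "auth_provider", "access_provider", "chpass_provider",
    "sudo_provider", "autofs_provider", "subdomains_provider",
    "selinux_provider", "session_provider", "hostid_provider",
    "resolver_provider",
}

# Maps + netgroups only: id_provider on, every auth/access path disabled
# explicitly, user/group lookups aimed at a subtree that holds no entries.
MAPS_AND_NETGROUPS_ONLY = """\
[domain/LDAP]
id_provider = ldap
auth_provider = none
chpass_provider = none
access_provider = deny
sudo_provider = none
subdomains_provider = none
autofs_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_schema = rfc2307bis
ldap_search_base = ou=admin,dc=example,dc=com
ldap_netgroup_search_base = ou=netgroup,ou=admin,dc=example,dc=com
ldap_autofs_search_base = ou=automount,ou=admin,dc=example,dc=com
ldap_user_search_base = ou=empty,ou=admin,dc=example,dc=com
ldap_group_search_base = ou=empty,ou=admin,dc=example,dc=com
"""

# The thread's first configuration: autofs works, netgroups never will.
AUTOFS_ONLY = """\
[domain/LDAP]
id_provider = none
autofs_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = ou=admin,dc=example,dc=com
ldap_netgroup_search_base = ou=netgroup,ou=admin,dc=example,dc=com
"""

# The thread's second attempt: a misspelled option and user/group lookups
# that still fall back to the whole search base.
SECOND_ATTEMPT = """\
[domain/LDAP]
id_provider = ldap
auth_provider = none
account_provider = none
chpass_provider = none
sudo_provider = none
subdomains_provider = none
autofs_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = ou=admin,dc=example,dc=com
ldap_netgroup_search_base = ou=netgroup,ou=admin,dc=example,dc=com
"""


def parse_sssd_conf(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # sssd option names are case-sensitive; keep them verbatim
    cp.read_string(text)
    return cp


def dn_rdns(dn):
    """Split a DN into lowercased RDNs, leaf first, root last."""
    return [r.strip().lower() for r in dn.split(",") if r.strip()]


def dn_within(child, parent):
    """True if child is parent itself or lies somewhere beneath it."""
    c, p = dn_rdns(child), dn_rdns(parent)
    return len(c) >= len(p) and c[len(c) - len(p):] == p


def lint_domain(text, section="domain/LDAP"):
    """Return the problems that stop `section` being a netgroup/autofs-only domain."""
    d = parse_sssd_conf(text)[section]
    findings = []
    for key in d:
        if key.endswith("_provider") and key not in KNOWN_PROVIDERS:
            findings.append(f"{key} is not an sssd option (access_provider controls access)")
    idp = d.get("id_provider", "")
    if idp != "ldap":
        findings.append("id_provider must be ldap: netgroups come from the id provider")
        return findings
    # sssd.conf(5) defaults: auth follows id, chpass follows auth, access is permit.
    auth = d.get("auth_provider", idp)
    if auth != "none":
        findings.append(f"auth_provider is effectively {auth}; set it to none")
    if d.get("chpass_provider", auth) != "none":
        findings.append("chpass_provider inherits auth_provider; set it to none")
    if d.get("access_provider", "permit") != "deny":
        findings.append("access_provider defaults to permit; set it to deny")
    whole = d.get("ldap_search_base", "")
    for key in ("ldap_user_search_base", "ldap_group_search_base"):
        base = d.get(key)
        if not base:
            findings.append(f"{key} unset: lookups fall back to ldap_search_base")
        elif dn_within(whole, base):
            findings.append(f"{key} covers the whole search base; point it at an empty subtree")
    return findings


if __name__ == "__main__":
    for name, conf in (("maps+netgroups", MAPS_AND_NETGROUPS_ONLY),
                       ("autofs only", AUTOFS_ONLY), ("second attempt", SECOND_ATTEMPT)):
        print(name, lint_domain(conf) or "ok")
```

Running the file prints the findings for each fragment. The search-base check is a static proxy for what only the directory can tell you, so on a real host confirm the posture with `getent netgroup <name>` (netgroups arrive) and `getent passwd -s sss` (no users from this domain appear), and keep in mind that sssd.conf with an ldap_default_authtok in it is expected to be root-owned and mode 0600.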
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]