On Fri, Dec 06, 2019 at 10:26:13AM -0000, Jasper Siepkes wrote:
> Hi all!
>
> As far as I can tell the option 'ldap_sasl_mech = gssapi' in sssd.conf always
> makes LDAP use a Kerberos keytab for LDAP searches. As far as I can tell
> there is no way to use the user's Kerberos credentials? I think this design
> comes from how Windows does it with AD?
>
> I would like to use the Kerberos credentials of the user who has just
> logged in instead. Maybe I'm somewhat paranoid or missing something, but I'm
> not really comfortable with hundreds of hosts / machines with keytabs on them
> which give access to LDAP. Extracting that keytab from a machine is not that
> hard, I think. I think in most use-cases the user only needs to be able to see
> the LDAP entries (i.e. other users with privacy-sensitive information like names
> and other GDPR-problematic data) which the LDAP ACIs allow them to see.
>
> Is there currently a way to configure SSSD in such a way?
Hi,

there was a similar question recently at
https://lists.fedoraproject.org/archives/list/[email protected]/message/GHJP5Q4A34OOEWT33KTRTHJGKFBSWXM3/

To cut it short, this is not possible because many login programs need
information about the user before the password or other credentials are
available.

bye,
Sumit

> Kind regards,
>
> Jasper
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
