On Thu, 2022-12-08 at 00:32 +0000, Christian, Mark wrote:
> I have a single ldap instance that provides ID for accounts across
> multiple trusted kerberos realms. I don't see a way to list multiple
> kerberos REALMS under a single domain section. I'm guessing the only
> way this scheme will work is if I locate the realm1 ldap accounts in one
> container and the realm2 accounts in another container e.g.:
>
> domains = realm1, realm2
>
> [domain/realm1]
> id_provider = ldap
> ldap_uri = ldaps://ldap.example.com
> auth_provider = krb5
> krb5_realm = REALM1.COM
> ldap_user_search_base = ou=realm1,ou=people,dc=example,dc=com
>
> [domain/realm2]
> id_provider = ldap
> ldap_uri = ldaps://ldap.example.com
> auth_provider = krb5
> krb5_realm = REALM2.COM
> ldap_user_search_base = ou=realm2,ou=people,dc=example,dc=com
>
> Am I correct that I won't be able to place the realm1 and realm2
> accounts in the same ldap_user_search_base? I was hoping I might be
> able to leverage “[domain/realm1/realm2]” but it doesn't look like
> krb5_realm is an option here, and that the trusted domain section
> expects to find identity in separate user search bases.
I suppose an alternative to placing the accounts in separate ou's would be
to add a (memberOf:1.2.840.113556.1.4.1941:=cn=realm1,ou=group,dc=example,dc=com)
search filter to ldap_user_search_base for [domain/realm1] and a cn=realm2
memberof search filter for [domain/realm2].

>
> Mark
>
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
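For the filter-based alternative proposed above, sssd-ldap(5) lets a search base carry its own scope and filter in the form `base?scope?(filter)`, so both domains can share one user container. This is an added example, not configuration from the thread; the hostnames, DNs and group names are the thread's placeholders, and the in-chain matching rule OID in the filter is an Active Directory extension, so on other LDAP servers a plain memberOf filter is assumed instead.

```ini
# /etc/sssd/sssd.conf (added example; mode 0600, owned by root)
[sssd]
services = nss, pam
domains = realm1, realm2

[domain/realm1]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ldap.example.com
krb5_realm = REALM1.COM
# Shared container: the ?subtree?(filter) suffix restricts this domain to
# members of cn=realm1. The :1.2.840.113556.1.4.1941: in-chain rule is
# Active Directory only; elsewhere use (memberOf=cn=realm1,ou=group,...).
ldap_user_search_base = ou=people,dc=example,dc=com?subtree?(memberOf:1.2.840.113556.1.4.1941:=cn=realm1,ou=group,dc=example,dc=com)

[domain/realm2]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ldap.example.com
krb5_realm = REALM2.COM
# Same container, different group, so each account resolves in exactly one
# domain only if the two groups are kept disjoint.
ldap_user_search_base = ou=people,dc=example,dc=com?subtree?(memberOf:1.2.840.113556.1.4.1941:=cn=realm2,ou=group,dc=example,dc=com)
```

Check each filter with ldapsearch against ldaps://ldap.example.com before enabling it, and confirm that a realm1 user is returned by `getent passwd user@realm1` and not by `getent passwd user@realm2`.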
