On Thu, Dec 08, 2022 at 01:15:51AM +0000, Christian, Mark wrote:
> On Thu, 2022-12-08 at 00:32 +0000, Christian, Mark wrote:
> > I have a single ldap instance that provides ID for accounts across
> > multiple trusted Kerberos realms. I don't see a way to list multiple
> > Kerberos REALMS under a single domain section. I'm guessing the only
> > way this scheme will work is if I locate the realm1 ldap accounts in one
> > container and the realm2 accounts in another container e.g.:
> >
> > domains = realm1, realm2
> >
> > [domain/realm1]
> > id_provider = ldap
> > ldap_uri = ldaps://ldap.example.com
> > auth_provider = krb5
> > krb5_realm = REALM1.COM
> > ldap_user_search_base = ou=realm1,ou=people,dc=example,dc=com
> >
> > [domain/realm2]
> > id_provider = ldap
> > ldap_uri = ldaps://ldap.example.com
> > auth_provider = krb5
> > krb5_realm = REALM2.COM
> > ldap_user_search_base = ou=realm2,ou=people,dc=example,dc=com
> >
> > Am I correct that I won't be able to place the realm1 and realm2
> > accounts in the same ldap_user_search_base? I was hoping I might be
> > able to leverage "[domain/realm1/realm2]" but it doesn't look like
> > krb5_realm is an option here, and that the trusted domain section
> > expects to find identity in separate user search bases.
>
> I suppose an alternative to placing the accounts in separate ou's would
> be to add a
> (memberOf:1.2.840.113556.1.4.1941:=cn=realm1,ou=group,dc=example,dc=com)
> search filter to ldap_user_search_base for [domain/realm1] and a
> cn=realm2 memberof search filter for [domain/realm2].
Hi,

do you have the Kerberos principal for each user stored in an LDAP
attribute like 'userPrincipalName'? If this is the case it might even
work with a single domain configured in sssd.conf since the value of
this LDAP attribute is preferred over generating the principal from the
user name and the Kerberos realm. But I have not tested this.

bye,
Sumit

> > Mark
> >
> > _______________________________________________
> > sssd-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
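An added example, not from the thread and not SSSD's own code: a small Python model of how Mark's two-section layout and Sumit's single-section suggestion would route three constructed directory entries and which Kerberos principal each ends up with. It assumes the base?scope?filter form of ldap_user_search_base for carrying Mark's memberOf alternative, and that a userPrincipalName attribute wins over uid@krb5_realm as Sumit describes; the entry "bob" shows the realm a single section would silently assign to an account that lacks that attribute.

```python
import configparser

# Mark's layout; realm2 carries his memberOf alternative as a base?scope?filter search base (assumed syntax).
TWO_DOMAIN_CONF = """\
[sssd]
domains = realm1, realm2
[domain/realm1]
krb5_realm = REALM1.COM
ldap_user_search_base = ou=realm1,ou=people,dc=example,dc=com
[domain/realm2]
krb5_realm = REALM2.COM
ldap_user_search_base = ou=people,dc=example,dc=com?subtree?(memberOf=cn=realm2,ou=group,dc=example,dc=com)
"""
# Sumit's alternative: one section, per-user realm taken from userPrincipalName when present.
SINGLE_DOMAIN_CONF = """\
[sssd]
domains = example
[domain/example]
krb5_realm = REALM1.COM
ldap_user_search_base = ou=people,dc=example,dc=com
"""
REALM2_GROUP = "cn=realm2,ou=group,dc=example,dc=com"
ENTRIES = {  # constructed directory entries, DN -> attributes
    "uid=alice,ou=realm1,ou=people,dc=example,dc=com": {"uid": "alice"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "memberOf": [REALM2_GROUP]},
    "uid=carol,ou=people,dc=example,dc=com": {"uid": "carol", "memberOf": [REALM2_GROUP], "userPrincipalName": "carol@REALM2.COM"},
}

def load_domains(text):
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return {n.strip(): dict(cfg["domain/" + n.strip()]) for n in cfg["sssd"]["domains"].split(",")}

def in_search_base(dn, search_base, attrs):
    # Models base?scope?(memberOf=...) only; Mark's memberOf:1.2.840.113556.1.4.1941:= form also matches nested groups on AD.
    base, _, rest = search_base.partition("?")
    filt = rest.partition("?")[2]
    if not dn.lower().endswith("," + base.lower()):
        return False
    if filt.startswith("(memberOf=") and filt.endswith(")"):
        return filt[len("(memberOf="):-1].lower() in [g.lower() for g in attrs.get("memberOf", [])]
    return True

def resolve(conf_text, dn):
    """Return (domain, principal) for a DN, or None when no domain section claims it."""
    attrs = ENTRIES[dn]
    for name, dom in load_domains(conf_text).items():
        if in_search_base(dn, dom["ldap_user_search_base"], attrs):
            return name, attrs.get("userPrincipalName") or attrs["uid"] + "@" + dom["krb5_realm"]
    return None
```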
