On Thu, 2022-12-08 at 08:02 +0100, Sumit Bose wrote:
> On Thu, Dec 08, 2022 at 01:15:51AM +0000, Christian, Mark wrote:
> > On Thu, 2022-12-08 at 00:32 +0000, Christian, Mark wrote:
> > > I have a single ldap instance that provides ID for accounts across
> > > multiple trusted kerberos realms. I don't see a way to list multiple
> > > kerberos REALMS under a single domain section. I'm guessing the only
> > > way this scheme will work is if I locate the realm1 ldap accounts in
> > > one container and the realm2 accounts in another container e.g.:
> > >
> > > domains = realm1, realm2
> > >
> > > [domain/realm1]
> > > id_provider = ldap
> > > ldap_uri = ldaps://ldap.example.com
> > > auth_provider = krb5
> > > krb5_realm = REALM1.COM
> > > ldap_user_search_base = ou=realm1,ou=people,dc=example,dc=com
> > >
> > > [domain/realm2]
> > > id_provider = ldap
> > > ldap_uri = ldaps://ldap.example.com
> > > auth_provider = krb5
> > > krb5_realm = REALM2.COM
> > > ldap_user_search_base = ou=realm2,ou=people,dc=example,dc=com
> > >
> > > Am I correct that I won't be able to place the realm1 and realm2
> > > accounts in the same ldap_user_search_base? I was hoping I might be
> > > able to leverage "[domain/realm1/realm2]" but it doesn't look like
> > > krb5_realm is an option here, and that the trusted domain section
> > > expects to find identity in separate user search bases.
> >
> > I suppose an alternative to placing the accounts in separate ou's would
> > be to add a
> > (memberOf:1.2.840.113556.1.4.1941:=cn=realm1,ou=group,dc=example,dc=com)
> > search filter to ldap_user_search_base for [domain/realm1] and a
> > cn=realm2 memberof search filter for [domain/realm2].
>
> Hi,
>
> do you have the Kerberos principal for each user stored in an LDAP
> attribute like 'userPrincipalName'? If this is the case it might even
> work with a single domain configured in sssd.conf since the value of
> this LDAP attribute is preferred over generating the principal from the
> user name and the Kerberos realm. But I have not tested this.

Thanks, I may give that a shot. To confirm: in a scenario where a single
identity provider can't store the kerberos REALM information for accounts
and where the id_provider is providing accounts across 2 or more realms,
for example a NIS domain that has a passwd map containing realm_1 and
realm_2 accounts, sssd does not have the equivalent of pam_krb5, which
could be configured to try any number of REALMS until it got a "hit", e.g.

    auth sufficient pam_krb5.so realm=REALM_1.COM try_first_pass
    auth sufficient pam_krb5.so realm=REALM_2.COM try_first_pass
    etc...

The above is simply not available in sssd.conf, correct?

Thanks,
Mark
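The two layouts discussed in this thread, written out as an sssd.conf fragment. This is an added example and not configuration posted by either participant; it assumes the OU, group and realm names from the thread, uses sssd's documented `base?scope?filter` form of ldap_user_search_base for the memberOf variant Mark proposes, and shows Sumit's single-domain idea with `ldap_user_principal` as the (untested, per his note) alternative.

```ini
[sssd]
services = nss, pam
domains = realm1, realm2

# Variant A: one people container, accounts selected per realm by group membership.
# Each domain keeps its own krb5_realm, so auth picks the right KDC for the
# users that its search base returns. The filter is base?scope?filter; the OID
# 1.2.840.113556.1.4.1941 asks for a transitive (nested) memberOf match and is
# an Active Directory extension, so check your LDAP server supports it first.
[domain/realm1]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ldap.example.com
krb5_realm = REALM1.COM
ldap_user_search_base = ou=people,dc=example,dc=com?subtree?(memberOf:1.2.840.113556.1.4.1941:=cn=realm1,ou=group,dc=example,dc=com)

[domain/realm2]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ldap.example.com
krb5_realm = REALM2.COM
ldap_user_search_base = ou=people,dc=example,dc=com?subtree?(memberOf:1.2.840.113556.1.4.1941:=cn=realm2,ou=group,dc=example,dc=com)

# Variant B (Sumit's suggestion, untested): a single domain where every user
# entry carries its full principal (user@REALMn.COM) in an LDAP attribute.
# sssd prefers that attribute over "username@krb5_realm", so one domain can
# serve both realms as long as every account has the attribute populated.
# Uncomment and set "domains = example" above to use it instead of A.
#[domain/example]
#id_provider = ldap
#auth_provider = krb5
#ldap_uri = ldaps://ldap.example.com
#ldap_user_search_base = ou=people,dc=example,dc=com
#krb5_realm = REALM1.COM                  ; fallback only, for entries lacking the attribute
#ldap_user_principal = userPrincipalName  ; attribute holding user@REALM, sssd default is krbPrincipalName
```

With variant A, an account missing from both groups is invisible to sssd, and an account present in both is resolved by whichever domain is listed first in `domains`, so keep the realm groups disjoint.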
