Changes between Version 3 and Version 4 of PrincetonLDAPAuthentication6


Timestamp: Jan 7, 2013 10:36:14 AM
Author: brose

Removed in v4: Work in progress.
Here is an SSSD configuration that is working in production against OIT LDAP. You will still need to manage certificates properly to use it securely: the CA that signed the LDAP server's certificate has to be present, in OpenSSL's hashed layout, in the directory named by ldap_tls_cacertdir, otherwise SSSD rejects the server and lookups fail. While you are testing, you can add "ldap_tls_reqcert = allow" as a line under the domain definition; with that setting SSSD proceeds even when the server presents no certificate or an untrusted one, which rules out certificate problems while you debug. DO NOT use that line in production: with it in place, anyone who can get between the client and the LDAP server can impersonate the server, feed the client bogus user and group data, and capture the authentication binds.

The only real deviations from a standard config are "min_id = 1", because OIT has group IDs in the 10s-20s, and "enumerate = true", which builds a local precache of all users and groups so that tools such as finger (and anything else that walks the whole passwd or group database) operate normally. Both deserve a second look on your own systems: such low IDs overlap the range used by local system accounts, so keep "files" ahead of "sss" in nsswitch.conf so that local entries win on a collision, and enumerating a large directory is expensive for both SSSD and the LDAP server, so leave it off unless something actually needs it.

{{{
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = oit

[nss]
# Never serve root (or the root group) from the directory, whatever LDAP contains.
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/oit]
auth_provider = ldap
# Plain ldap:// is cleartext; this wraps the identity lookups in STARTTLS
# (the authentication binds are TLS-protected by default regardless).
ldap_id_use_start_tls = True
chpass_provider = ldap
cache_credentials = True
# The krb5_* lines are leftovers from a template: no provider here is krb5,
# so they are ignored (krb5_kdcip is also deprecated in favour of krb5_server).
krb5_realm = EXAMPLE.COM
ldap_search_base = o=Princeton University,c=US
id_provider = ldap
ldap_uri = ldap://ldap.princeton.edu/
krb5_kdcip = kerberos.example.com
# CA directory in hashed layout (run c_rehash after adding the CA that signed
# the LDAP server's certificate). With the default ldap_tls_reqcert, a server
# whose certificate does not chain to a CA in this directory is rejected.
ldap_tls_cacertdir = /etc/pki/tls/certs
min_id = 1
enumerate = true
}}}
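As an added pre-deployment check (example code written for this page, not part of the original wiki text or of SSSD), the following Python script parses an sssd.conf and reports, per LDAP domain, the settings that disable server-certificate checking, leave the directory lookups on plain ldap:// without STARTTLS, or name no CA trust anchor at all. The sample configuration embedded in it is constructed from the production config above with the debugging line "ldap_tls_reqcert = allow" added so the lint has something to report; the function name and the wording of the findings are mine.

```python
"""Lint the LDAP domains of an sssd.conf for settings that weaken transport
security. Added example, not part of the wiki page or of SSSD itself."""
import configparser
from urllib.parse import urlsplit

# Constructed sample: the page's production [domain/oit] plus the debugging
# line "ldap_tls_reqcert = allow" that must never reach production.
SAMPLE_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
domains = oit

[domain/oit]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.princeton.edu/
ldap_id_use_start_tls = True
ldap_search_base = o=Princeton University,c=US
ldap_tls_cacertdir = /etc/pki/tls/certs
ldap_tls_reqcert = allow
cache_credentials = True
min_id = 1
enumerate = true
"""

# ldap_tls_reqcert values under which SSSD proceeds with a missing or
# untrusted server certificate.
INSECURE_REQCERT = ("allow", "never")


def _truthy(value):
    """SSSD boolean syntax: true/yes/1 (case-insensitive)."""
    return value.strip().lower() in ("true", "yes", "1")


def lint_sssd_conf(text):
    """Return a list of (domain, message) findings for every [domain/*] whose
    id or auth provider is ldap. An empty list means nothing to report."""
    # sssd.conf uses only "=" as the delimiter; URIs and DNs contain ":" and "=".
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        providers = {dom.get("id_provider", ""), dom.get("auth_provider", "")}
        if "ldap" not in providers:
            continue
        name = section[len("domain/"):]

        # 1. Certificate validation switched off (the "debugging" line).
        reqcert = dom.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert in INSECURE_REQCERT:
            findings.append((name, "ldap_tls_reqcert = %s: the server certificate "
                                   "is not validated" % reqcert))

        # 2. Identity lookups on plain ldap:// with no STARTTLS.
        start_tls = _truthy(dom.get("ldap_id_use_start_tls", "false"))
        for uri in dom.get("ldap_uri", "").split(","):
            uri = uri.strip()
            if not uri:
                continue
            scheme = urlsplit(uri).scheme.lower()
            if scheme == "ldap" and not start_tls:
                findings.append((name, "%s: plain ldap:// without "
                                       "ldap_id_use_start_tls, user and group data "
                                       "is readable on the wire" % uri))

        # 3. No trust anchor named in sssd.conf: validation then depends on
        #    whatever the system default store happens to contain.
        if not (dom.get("ldap_tls_cacert") or dom.get("ldap_tls_cacertdir")):
            findings.append((name, "no ldap_tls_cacert/ldap_tls_cacertdir set"))
    return findings


if __name__ == "__main__":
    for domain, message in lint_sssd_conf(SAMPLE_CONF):
        print("[domain/%s] %s" % (domain, message))
```

Run it against /etc/sssd/sssd.conf from a deployment script and refuse to install the file when the list is non-empty; on the sample above it reports exactly the ldap_tls_reqcert line, and drops to no findings once that line is deleted.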


Someone else once wrote this:

For authentication only (no user database), make sure you have the nss-pam-ldapd rpm installed and then run: