Where do I specify the Bind DN and password for sss+ldap?
Solution 1
You have to create a [domain] section in /etc/sssd/sssd.conf.
You could trawl through man sssd-ldap
But it's quite a behemoth! This should get you started. Not all directives here will be needed, depending on your environment.
[domain/default]
ldap_tls_reqcert = never
auth_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
krb5_realm = EXAMPLE.COM
cache_credentials = True
debug_timestamps = True
ldap_default_authtok_type = password
ldap_search_base = dc=domain,dc=com,dc=br
debug_level = 3
id_provider = ldap
ldap_default_bind_dn = cn=Manager,dc=domain,dc=com,dc=br
min_id = 100
ldap_uri = ldap://<FQDN of LDAP Server>/
krb5_server = kerberos.example.com
ldap_default_authtok = xxxxxxxxxx
ldap_tls_cacertdir = /etc/openldap/cacerts
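An added example, not part of the original answer: a small Python audit of an sssd.conf body that flags the transport and credential-storage settings used in the configuration above. The sample config is constructed from that answer's directives, and `audit_sssd_conf` and the hostname `ldap.example.com` are hypothetical names.

```python
import configparser
import stat

# Constructed sample using the directives from the answer above (placeholder values).
SAMPLE_CONF = """\
[domain/default]
id_provider = ldap
ldap_uri = ldap://ldap.example.com/
ldap_id_use_start_tls = False
ldap_tls_reqcert = never
ldap_default_bind_dn = cn=Manager,dc=domain,dc=com,dc=br
ldap_default_authtok_type = password
ldap_default_authtok = xxxxxxxxxx
"""

def audit_sssd_conf(text, mode=None):
    """Return (location, finding) pairs; mode is the file's st_mode if known."""
    findings = []
    # The file holds the bind password, so no group/other bits should be set.
    if mode is not None and stat.S_IMODE(mode) & 0o077:
        findings.append(("file", "accessible by group/other; bind password exposed"))
    # RawConfigParser: no '%' interpolation, which passwords may contain.
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    for sec in cp.sections():
        if not sec.startswith("domain/"):
            continue
        d = cp[sec]
        uris = [u.strip().lower() for u in d.get("ldap_uri", "").split(",") if u.strip()]
        start_tls = d.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        # Plain ldap:// with StartTLS off sends the lookup bind unencrypted.
        if any(u.startswith("ldap://") for u in uris) and not start_tls:
            findings.append((sec, "ldap:// without StartTLS: lookup bind is sent in cleartext"))
        # 'never' and 'allow' both continue when the server certificate is bad.
        if d.get("ldap_tls_reqcert", "hard").strip().lower() in ("never", "allow"):
            findings.append((sec, "ldap_tls_reqcert does not enforce certificate validation"))
        if "ldap_default_authtok" in d:
            kind = d.get("ldap_default_authtok_type", "password").strip().lower()
            note = "cleartext" if kind == "password" else "obfuscated (reversible, not encrypted)"
            findings.append((sec, f"bind password stored {note}"))
    return findings

if __name__ == "__main__":
    for where, msg in audit_sssd_conf(SAMPLE_CONF, mode=0o100644):
        print(f"{where}: {msg}")
```

Pass `os.stat("/etc/sssd/sssd.conf").st_mode` as `mode` to include the permission check on a real host.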
Solution 2
You can configure SSSD using the following command:
authconfig --enablesssd \
--enablesssdauth \
--enablelocauthorize \
--enableldap \
--enableldapauth \
--ldapserver=ldap://ipaserver.example.com:389 \
--disableldaptls \
--ldapbasedn=dc=example,dc=com \
--enablerfc2307bis \
--enablemkhomedir \
--enablecachecreds \
--update
Replace the name of ldapserver with your LDAP server name and basedn with your base DN name.
After this, in the /etc/sssd/sssd.conf file, specify ldap_default_bind_dn and ldap_default_authtok as the default bind DN and password respectively; this depends upon your LDAP setup.
Nick
Updated on September 18, 2022
Comments
- Nick over 1 year
  I'm trying sssd for LDAP authentication, and while it can show user IDs with the id command, getent group and getent passwd do not show LDAP names, and while I can chown files to ldap users, they ls -lah as nobody.
  A bit of digging and I found a hint: that this problem may occur when binding LDAP anonymously.
  But when I set up sss, there was no option to supply a bind DN or password. I was also unable to locate the correct directive in the manual.
  Where do I specify the Bind DN and password for sss+ldap? Does it go in /etc/sssd/sssd.conf? Or another file?
- Balaji Boggaram Ramanarayan over 6 years
  Is it safe to use clear passwords in a flat file? I would imagine, at least obfuscated makes more meaning. The sssd tools package provides utilities to obfuscate clear passwords. Just a thought.