On Mon, 2011-05-02 at 21:56 -0700, Ben Kevan wrote:
I'm wondering what the heck I'm doing wrong. I'm working on getting SSSD + KRB5 working against 2008 R2 AD. It's working fine in RHEL5 w/ the standard LDAP.conf configuration. I'm working on sssd, but am not getting a binddn connection to AD. Here's my config:
...
ldap_default_bind_dn = ldapbinddn@DOMAIN.COM
This is not a DN. This is a username. It's not the same thing. You need to figure out ldapbinddn's full distinguished name in LDAP and use that.
Wtf am I doing wrong, and is ldap for authentication better than krb5? Or should I stick with ldap for authorization and krb5 for authentication?
Using krb5 for authentication allows you to acquire a single-sign-on TGT for use with other applications, so it's probably the preferred method in your case.
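
As an added example (not part of the original thread): a small check that flags an `ldap_default_bind_dn` value that is a username rather than a distinguished name. The section name, the surrounding options, and the corrected DN `CN=ldapbinddn,CN=Users,DC=domain,DC=com` are constructed placeholders; the account's real DN has to be looked up in the directory.

```python
import configparser
import re

# Constructed sample: only the ldap_default_bind_dn line comes from the thread.
BEFORE = """[domain/DOMAIN.COM]
id_provider = ldap
auth_provider = krb5
ldap_default_bind_dn = ldapbinddn@DOMAIN.COM
"""
# Placeholder DN (assumption); the real one must be read from the directory.
AFTER = BEFORE.replace("ldapbinddn@DOMAIN.COM",
                       "CN=ldapbinddn,CN=Users,DC=domain,DC=com")

# One RDN: attribute type (name or dotted OID), '=', then a non-empty value.
_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)*)\s*=\s*\S.*$")
_UPN = re.compile(r"[^@\\=,\s]+@[^@\\=,\s]+")          # user@REALM
_DOWNLEVEL = re.compile(r"[^@\\=,\s]+\\[^@\\=,\s]+")   # DOMAIN\user


def classify_bind_identity(value):
    """Return 'dn', 'upn', 'downlevel' or 'unknown' for a bind identity."""
    # Split on commas that are not backslash-escaped (RFC 4514 escaping).
    parts = re.split(r"(?<!\\),", value)
    if all(_RDN.match(p) for p in parts):
        return "dn"
    if _UPN.fullmatch(value):
        return "upn"
    if _DOWNLEVEL.fullmatch(value):
        return "downlevel"
    return "unknown"


def lint_sssd_conf(text):
    """List (section, value, kind) for each ldap_default_bind_dn that is not a DN."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        value = cp.get(section, "ldap_default_bind_dn", fallback=None)
        if value is None:
            continue
        kind = classify_bind_identity(value.strip())
        if kind != "dn":
            findings.append((section, value.strip(), kind))
    return findings


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_sssd_conf(conf))
```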