I have a single LDAP instance that provides ID for accounts across
multiple trusted Kerberos realms. I don't see a way to list multiple
Kerberos REALMS under a single domain section. I'm guessing the only
way this scheme will work is if I locate the realm1 LDAP accounts in one
container and the realm2 accounts in another container, e.g.:
domains = realm1, realm2

[domain/realm1]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
auth_provider = krb5
krb5_realm = REALM1.COM
ldap_user_search_base = ou=realm1,ou=people,dc=example,dc=com

[domain/realm2]
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
auth_provider = krb5
krb5_realm = REALM2.COM
ldap_user_search_base = ou=realm2,ou=people,dc=example,dc=com
Am I correct that I won't be able to place the realm1 and realm2
accounts in the same ldap_user_search_base? I was hoping I might be
able to leverage “[domain/realm1/realm2]” but it doesn't look like
krb5_realm is an option here, and that the trusted domain section
expects to find identity in separate user search bases.
I suppose an alternative to placing the accounts in separate OUs would
be to add a
(memberOf:1.2.840.113556.1.4.1941:=cn=realm1,ou=group,dc=example,dc=com)
search filter to ldap_user_search_base for [domain/realm1] and a
cn=realm2 memberOf search filter for [domain/realm2].
Mark
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
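For reference, this is how the filter-based alternative described in the post would be written with the search_base?scope?filter form that sssd-ldap(5) accepts for ldap_user_search_base. It is an added example, not configuration from the original post: the base DN and group DNs are assumed, and it uses a plain memberOf equality match rather than the 1.2.840.113556.1.4.1941 extensible-match rule, which is the Active Directory chain-matching rule and is not implemented by every LDAP server.

```ini
[sssd]
services = nss, pam
domains = realm1, realm2

[domain/realm1]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ldap.example.com
krb5_realm = REALM1.COM
# Shared user container (assumed DN); the filter after the second '?'
# restricts this domain to members of the realm1 group. If your server
# supports the AD chain-matching rule, the OID form from the post can be
# used in place of the plain memberOf match.
ldap_user_search_base = ou=people,dc=example,dc=com?subtree?(memberOf=cn=realm1,ou=group,dc=example,dc=com)
# Require user@realm1 so an account that happens to be in both groups
# cannot be resolved under the wrong domain by bare username.
use_fully_qualified_names = True

[domain/realm2]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ldap.example.com
krb5_realm = REALM2.COM
# Same container, different group filter.
ldap_user_search_base = ou=people,dc=example,dc=com?subtree?(memberOf=cn=realm2,ou=group,dc=example,dc=com)
use_fully_qualified_names = True
```

With this layout, keep the two group memberships disjoint; a user matching both filters would be visible in both domains and authenticate against whichever krb5_realm the resolved domain maps to.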