Hi Jakub,
Here's my use case:
I'm running Pgpool-II mainly for load balancing requests to PostgreSQL
servers. While PgPool-II supports LDAP(AD) or GSSAPI/Kerberos, which I
have working, I need PgPool authentication which supports LDAP(AD) via
PAM module. PostgreSQL authorization does not utilize LDAP(AD) but
database permissions so LDAP(AD) memberships etc. are not needed.
cat /etc/pam.d/pgpool
#%PAM-1.0
auth required pam_sss.so
account required pam_sss.so
In addition to auth_provider, I have now configured id_provider to be
LDAP and I managed to get things to work after setting ldap_id_mapping
= true. I'm trying to avoid joining the domain, which is why I'm using LDAP
for AD.
One thing that I had to do was to configure ldap_default_bind_dn and
ldap_default_authtok, which sucks because I don't want to expose the
password for some admin account in a file. I should be able to get basic
info about the user using the provided credentials with a simple non-anonymous
bind, as I've done in other projects.
What is odd is that search queries are performed first and then PAM
authentication with a simple bind is done last.
In addition, the number of LDAP queries for my simple case is excessive:
5 LDAP queries on objectClass=group for memberships even though I set
ldap_group_nesting_level = 0. I have my memberships in memberOf
attribute.
1 LDAP query on objectClass=group for ObjectSID
1 LDAP query for my user info
2 LDAP queries for other stuff on objectClass=*
Is there a way to avoid using ldap_default_bind_dn and
ldap_default_authtok for LDAP? If so, does it mean that the user to be
authenticated has to have enough permissions to do searches in AD via
LDAP?
Thank you,
Andre
On Thu, Aug 9, 2018 at 1:19 PM Jakub Hrozek <jhrozek(a)redhat.com> wrote:
On Thu, Aug 09, 2018 at 10:06:52AM -0700, Andre Piwoni wrote:
> There does not seem to be much documentation how to make
> authentication work without any extras. All I need is a simple
> non-anonymous bind using provided credentials without any searches. My
> understanding is that I don't need NSS for this only PAM with
> auth_provider set to ldap. However, without id_provider set in
> sssd.conf SSSD does not start at all. This has been reported as a bug
> and supposedly has been fixed before the SSSD 1.16.0 version that I'm
> using. I have tried to set id_provider to none but I'm getting some
> indications in logs that id provider is needed. Is it possible to do
> simple non-anonymous bind without anything extra, not even chpass?
I'm not sure this is possible. One of the core design decisions of SSSD
was that a domain ties authentication and identity source -- so you do
need an id_provider to fetch the identity from somewhere.
That somewhere might not be the same server or not a remote server at
all, there is also the proxy id_provider that is able to wrap any nss
module, but there needs to be some ID provider.
What is the use-case you are trying to solve?
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahost...
--
Andre Piwoni
Sr. Software Developer, BI/Database
WebMD Health Services
Mobile: 801.541.4722
www.webmdhealthservices.com
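The concern raised above, a service-account password sitting in sssd.conf as ldap_default_authtok, is something worth checking for on every host. The following shell script is an added example and is not code from the thread or from the SSSD project. It assumes the standard sssd.conf ini layout and the documented options ldap_default_authtok and ldap_default_authtok_type (value "password" or "obfuscated_password", the latter produced by sss_obfuscate), and it assumes GNU-style ls output for the permission check. The sample configuration it writes is constructed for the demo and is not a real deployment.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an sssd.conf for a
# plaintext LDAP bind secret and for permissions that expose the file.
# Assumptions: standard sssd.conf layout; documented option names
# ldap_default_authtok / ldap_default_authtok_type; GNU ls output format.

# conf_value FILE KEY: print the value of KEY (first match), trailing blanks removed.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)$/\1/p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# authtok_status FILE: print one of none / obfuscated / plaintext.
#   none       - no bind secret in the file (anonymous bind or SASL/GSSAPI)
#   obfuscated - ldap_default_authtok_type = obfuscated_password; this hides the
#                secret from casual viewing but is reversible by anyone who can
#                read the file, so the permission check still matters
#   plaintext  - the bind password is readable as-is
authtok_status() {
    tok=$(conf_value "$1" ldap_default_authtok)
    typ=$(conf_value "$1" ldap_default_authtok_type)
    if [ -z "$tok" ]; then
        echo none
    elif [ "$typ" = obfuscated_password ]; then
        echo obfuscated
    else
        echo plaintext
    fi
}

# perm_status FILE: "tight" when group and other have no permission bits
# (sssd expects root:root 0600), otherwise "loose".
perm_status() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) echo tight ;;
        *)      echo loose ;;
    esac
}

# audit_sssd_conf FILE: print a one-line summary; return 1 when a plaintext
# secret is present or the file is readable by group/other, else 0.
audit_sssd_conf() {
    rc=0
    a=$(authtok_status "$1")
    p=$(perm_status "$1")
    echo "$1: bind secret=$a permissions=$p"
    [ "$a" = plaintext ] && rc=1
    [ "$p" = loose ] && rc=1
    return $rc
}

# Constructed sample modelled on the setup discussed in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[sssd]
services = nss, pam
domains = example.test

[domain/example.test]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://dc.example.test
ldap_id_mapping = true
ldap_group_nesting_level = 0
ldap_default_bind_dn = CN=svc-sssd,OU=Service Accounts,DC=example,DC=test
ldap_default_authtok = SuperSecret123
EOF
chmod 600 "$sample"
audit_sssd_conf "$sample"   # prints: ...: bind secret=plaintext permissions=tight
rm -f "$sample"
```

Run it against /etc/sssd/sssd.conf as root to see the classification; a "plaintext" result is the state described in the thread, and switching to an obfuscated authtok only reduces casual exposure, so the file mode is reported alongside it.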