On Thu, Aug 09, 2018 at 10:06:52AM -0700, Andre Piwoni wrote:
> There does not seem to be much documentation on how to make
> authentication work without any extras. All I need is a simple
> non-anonymous bind using provided credentials without any searches. My
> understanding is that I don't need NSS for this, only PAM with
> auth_provider set to ldap. However, without id_provider set in
> sssd.conf SSSD does not start at all. This has been reported as a bug
> and supposedly has been fixed before the SSSD 1.16.0 version that I'm
> using. I have tried to set id_provider to none but I'm getting some
> indications in logs that id provider is needed. Is it possible to do
> simple non-anonymous bind without anything extra, not even chpass?

I'm not sure this is possible. One of the core design decisions of SSSD
was that a domain ties authentication and identity source -- so you do
need an id_provider to fetch the identity from somewhere.

That somewhere might not be the same server or not a remote server at
all; there is also the proxy id_provider that is able to wrap any nss
module, but there needs to be some ID provider.

What is the use-case you are trying to solve?
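
An sssd.conf sketch of the combination the reply describes, a proxy id_provider wrapping a local NSS module with auth_provider set to ldap. This is an added example, not part of the original thread or the SSSD project's documentation; the domain name, server URI, search base and CA path are placeholder assumptions.

```ini
# Constructed example: domain name, host, base DN and CA path are placeholders.
[sssd]
services = nss, pam
domains = example

[domain/example]
# Identity is taken from the local "files" NSS module through the proxy
# provider, so every user must already exist in /etc/passwd.
id_provider = proxy
proxy_lib_name = files

# Only the password check is sent to the LDAP server.
auth_provider = ldap
chpass_provider = none

# The LDAP auth provider still has to find the user's DN under this base
# before it can bind as that user, so this is not a search-free setup.
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com

# SSSD does not authenticate over an unencrypted channel; use LDAPS or
# StartTLS and verify the server certificate against a known CA.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
```

SSSD expects sssd.conf to be owned by root with mode 0600, which matters if a bind DN and password for the DN lookup are added later.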