On (18/02/19 10:53), Spike White wrote:
All,
Spoiler alert: my configuration is working; I just want verification I
did it right.
BACKGROUND:
I have an LDAP domain that was delivering autofs maps exclusively. Other
(AD) domains were delivering users, groups, authentication and access.
Since this back-end LDAP domain didn’t participate in any user
authentication or access, I configured that backup LDAP domain in sssd.conf
with only an autofs_provder:
[domain/LDAP]
debug_level = 9
id_provider = none
autofs_provider = ldap
ldap_uri = ldap://austgcore17.example.com
ldap_schema = rfc2307bis
ldap_default_bind_dn = cn=ldapadm,dc=itzgeek,dc=local
ldap_default_authtok = ldppassword
ldap_autofs_search_base = ou=automount,ou=admin,dc=itzgeek,dc=local
ldap_autofs_map_object_class = automountMap
ldap_autofs_map_name = automountMapName
ldap_autofs_entry_object_class = automount
ldap_autofs_entry_key = automountKey
ldap_autofs_entry_value = automountInformation
ldap_netgroup_search_base = ou=netgroup,ou=admin,dc=itzgeek,dc=local
Works great! Get all expected automount maps.
CURRENT (ADDED NETGROUPS):
Now I have added NIS netgroups to this backend LDAP server. Thus, it now
successfully delivers automount maps + netgroups.
I still don’t want this LDAP backend domain to even attempt authentication
and access – that’s in my other (AD) domains.
So you’d think all I’d have to do is change this:
[domain/LDAP]
…
id_provider = none
autofs_provider = ldap
to this:
[domain/LDAP]
…
id_provider = none
autofs_provider = ldap
netgroup_provider = ldap
But – point in fact – there is no “netgroup_provider” setting in the sssd.conf
file. Netgroup takes whatever the value of ‘id_provider’ is.
So I turned on id_provider, then explicitly turned off all providers I
don’t want. Is this correct?
[domain/LDAP]
debug_level = 9
#id_provider = none
id_provider = ldap
auth_provider = none
account_provider = none
chpass_provider = none
sudo_provider = none
subdomains_provider = none
autofs_provider = ldap
Also, any particular reason there’s not a netgroup_provider?
Because netgroups are part of id_provider.
The same as users, groups and services. (There is neither user_provider nor
group_provider ...)
If you want to provide just netgroups then you might set the sssd options
ldap_user_search_base and ldap_group_search_base (ldap_service_search_base)
to the part of the LDAP tree which does not contain any users/groups.
BTW, retrieving netgroups via sssd does not seem explicitly and concretely
documented. That is, I had to consult multiple sources to get the RFC
2307bis setup, another to get the sssd.conf settings. (I’m not faulting
anyone; netgroups are rarely used anymore.)
Netgroups are retrieved by default if you have the standard nisSchema[1] in your LDAP
server.
[domain/$DOMAIN]
ldap_search_base = $BASE_DN
id_provider = ldap
ldap_uri = ldap://$SERVER
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
LS
[1] https://docs.oracle.com/cd/E36784_01/html/E38254/appendixa-3.html
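The thread's point is that a domain which exists only to serve autofs maps and netgroups still needs id_provider = ldap, and that several other providers silently inherit id_provider when left unset. The checker below is an added example, not code from the thread or from the sssd project; it lints a constructed sssd.conf (placeholder host names, DNs and password) for exactly the two things discussed here: every provider that would fall back to the LDAP back end is pinned to none, and the user/group/service search bases are set so the LDAP tree is not searched for accounts. The fallback table reflects the defaults documented in sssd.conf(5) (auth_provider, sudo_provider and subdomains_provider fall back to id_provider, chpass_provider to auth_provider); it checks access_provider under that name because that is the key sssd documents. The finding codes and the lint_netgroup_only_domain function name are the example's own.

```python
"""Lint an sssd.conf domain that should serve only autofs maps and netgroups,
so the LDAP back end is never used as an authentication or account source.
Added example; not code from the sssd project or from the mailing-list thread."""
import configparser

# Constructed sample modelled on the thread's [domain/LDAP] section.
# Host names, DNs and the password are placeholders, not a real deployment.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = LDAP
services = nss, pam, autofs

[domain/LDAP]
debug_level = 9
id_provider = ldap
auth_provider = none
chpass_provider = none
sudo_provider = none
subdomains_provider = none
autofs_provider = ldap
ldap_uri = ldap://ldap.example.invalid
ldap_schema = rfc2307bis
ldap_default_bind_dn = cn=ldapadm,dc=example,dc=invalid
ldap_default_authtok = placeholder-password
ldap_search_base = dc=example,dc=invalid
ldap_autofs_search_base = ou=automount,ou=admin,dc=example,dc=invalid
ldap_netgroup_search_base = ou=netgroup,ou=admin,dc=example,dc=invalid
"""

# Providers that fall back to another provider when unset (sssd.conf(5) defaults).
# With id_provider = ldap, leaving any of these unset makes the LDAP server an
# authentication / sudo / subdomain source, which this domain must not be.
FALLBACK_PROVIDERS = {
    "auth_provider": "id_provider",
    "chpass_provider": "auth_provider",
    "sudo_provider": "id_provider",
    "subdomains_provider": "id_provider",
}

# Search bases that default to ldap_search_base. If they are not pointed at a
# subtree without accounts, every posixAccount/posixGroup in the tree is served.
IDENTITY_SEARCH_BASES = (
    "ldap_user_search_base",
    "ldap_group_search_base",
    "ldap_service_search_base",
)


def lint_netgroup_only_domain(conf_text, domain):
    """Return a list of (code, message) findings for [domain/<domain>]."""
    cp = configparser.ConfigParser(interpolation=None)  # DNs contain '=' and may contain '%'
    cp.read_string(conf_text)
    section = f"domain/{domain}"
    if not cp.has_section(section):
        return [("MISSING_SECTION", f"{section}: section not found")]
    d = cp[section]
    findings = []

    # Netgroups have no provider of their own; they ride on id_provider.
    if d.get("id_provider", "").strip() != "ldap":
        findings.append(("ID_PROVIDER",
                         f"{section}: id_provider must be ldap to serve LDAP netgroups"))

    for key, fallback in FALLBACK_PROVIDERS.items():
        if d.get(key, "").strip() != "none":
            findings.append(("PROVIDER_FALLBACK",
                             f"{section}: {key} is not 'none'; when unset it falls back to {fallback}"))

    # access_provider defaults to 'permit'; with no users served that is inert,
    # but a netgroup-only domain has nothing to grant, so 'deny' documents intent.
    if d.get("access_provider", "").strip() != "deny":
        findings.append(("ACCESS_PROVIDER",
                         f"{section}: access_provider not 'deny' (defaults to permit)"))

    for key in IDENTITY_SEARCH_BASES:
        if key not in d:
            findings.append(("SEARCH_BASE",
                             f"{section}: {key} unset; defaults to ldap_search_base, "
                             "so any users/groups in the tree would be served"))

    if "ldap_default_authtok" in d:
        findings.append(("CLEARTEXT_BIND",
                         f"{section}: bind password stored in the file; keep sssd.conf "
                         "root-owned with mode 0600"))
    return findings


if __name__ == "__main__":
    for code, msg in lint_netgroup_only_domain(SAMPLE_SSSD_CONF, "LDAP"):
        print(f"[{code}] {msg}")
```

Run against the sample, the checker reports the three unset identity search bases, the missing access_provider and the stored bind password; appending ldap_user_search_base, ldap_group_search_base and ldap_service_search_base pointed at an empty subtree, plus access_provider = deny, clears everything except the bind-password reminder, which is a file-permission matter rather than a configuration key.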