This LDAP domain has no user or group information. Only automount maps and
netgroups.
I'm defining search_base only for autofs and netgroup:
ldap_autofs_search_base = ou=automount,ou=admin,dc=itzgeek,dc=local
ldap_netgroup_search_base = ou=netgroup,ou=admin,dc=itzgeek,dc=local
I am not explicitly setting ldap_search_base. If not explicitly set, the
sssd-ldap man page gives a lot of LDAP server-ese as to what value it takes
on:
Default [for ldap_search_base]: If not set, the value of the defaultNamingContext or namingContexts attribute from the RootDSE of the LDAP server is used. If defaultNamingContext does not exist or has an empty value, namingContexts is used. The namingContexts attribute must have a single value with the DN of the search base of the LDAP server to make this work. Multiple values are not supported.
(I don't understand that above paragraph from the man page.)
However, I do see in the LDAP_child.log that it does attempt a user
authentication. We're using short login names, so I'm guessing it consults
each child domain for authentication. I haven't checked the logs to see if
it is consulted during the access phase.
Anyway, since there are no users or groups in this LDAP child domain, I
should set:
auth_provider = none
account_provider = none
for this domain, so that it doesn't even consult this child domain for user
login -- correct?
Spike
On Mon, Feb 18, 2019 at 11:37 AM Lukas Slebodnik <lslebodn(a)redhat.com> wrote:
On (18/02/19 10:53), Spike White wrote:
>All,
>
>Spoiler alert: my configuration is working; I just want verification I
>did it right.
>
>BACKGROUND:
>
>I have an LDAP domain that was delivering autofs maps exclusively. Other
>(AD) domains were delivering users, groups, authentication and access.
>
>Since this back-end LDAP domain didn’t participate in any user
>authentication or access, I configured that backup LDAP domain in sssd.conf
>with only an autofs_provider:
>
>[domain/LDAP]
>debug_level = 9
>id_provider = none
>autofs_provider = ldap
>ldap_uri=ldap://austgcore17.example.com
>ldap_schema = rfc2307bis
>ldap_default_bind_dn = cn=ldapadm,dc=itzgeek,dc=local
>ldap_default_authtok = ldppassword
>ldap_autofs_search_base = ou=automount,ou=admin,dc=itzgeek,dc=local
>ldap_autofs_map_object_class = automountMap
>ldap_autofs_map_name = automountMapName
>ldap_autofs_entry_object_class = automount
>ldap_autofs_entry_key = automountKey
>ldap_autofs_entry_value = automountInformation
>ldap_netgroup_search_base = ou=netgroup,ou=admin,dc=itzgeek,dc=local
>
>
>Works great! Get all expected automount maps.
>
>CURRENT (ADDED NETGROUPS):
>
>Now I have added NIS netgroups to this backend LDAP server. Thus, it now
>successfully delivers automount maps + netgroups.
>
>I still don’t want this LDAP backend domain to even attempt authentication
>and access – that’s in my other (AD) domains.
>
>So you’d think all I’d have to do is change this:
>
>[domain/LDAP]
>…
>id_provider = none
>autofs_provider = ldap
>
>to this:
>
>[domain/LDAP]
>…
>id_provider = none
>autofs_provider = ldap
>netgroup_provider = ldap
>
>
>But – point in fact – there is no “netgroup_provider” setting for the sssd.conf
>file. Netgroup takes whatever the value is of ‘id_provider’.
>
>
>
>So I turned on id_provider, then explicitly turned off all providers I
>don’t want. Is this correct?
>
>
>
>[domain/LDAP]
>debug_level = 9
>#id_provider = none
>id_provider = ldap
>auth_provider = none
>account_provider = none
>chpass_provider = none
>sudo_provider = none
>subdomains_provider = none
>autofs_provider = ldap
>
>
>Also, any particular reason there’s not a netgroup_provider?
>
Because netgroups are part of id_provider, the same as users, groups and
services. (There is neither user_provider nor group_provider ...)
If you want to provide just netgroups then you might set the sssd options
ldap_user_search_base and ldap_group_search_base (and ldap_service_search_base)
to the part of the LDAP tree which does not contain any users/groups.
>BTW, retrieving netgroups via sssd does not seem explicitly and concretely
>documented. That is, I had to consult multiple sources to get the RFC
>2307bis setup, another to get the sssd.conf settings. (I’m not faulting
>anyone; netgroups are rarely used anymore.)
>
>
Netgroups are retrieved by default if you have the standard nisSchema[0] in
your LDAP server.
[domain/$DOMAIN]
ldap_search_base = $BASE_DN
id_provider = ldap
ldap_uri = ldap://$SERVER
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
LS
[1] https://docs.oracle.com/cd/E36784_01/html/E38254/appendixa-3.html
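As an added example (not code from this thread or from the SSSD project), a small Python lint for an sssd.conf domain stanza that is meant to serve only autofs maps and netgroups. It checks the points the reply makes (netgroups come from id_provider, so user and group search bases should point at a part of the tree with no users or groups, and authentication has to be switched off explicitly) and additionally flags a plain ldap:// URI used without StartTLS, since a simple bind would then send ldap_default_authtok in the clear. The hostnames, DNs, the ou=empty container and the password are placeholder assumptions.

```python
import configparser
from io import StringIO

# Constructed sample stanza modelled on the one in the thread; hostnames, DNs and
# the bind password are placeholders, not values from any real deployment.
WEAK_CONF = """
[domain/LDAP]
id_provider = ldap
autofs_provider = ldap
ldap_uri = ldap://ldap.example.test
ldap_schema = rfc2307bis
ldap_default_bind_dn = cn=ldapadm,dc=example,dc=test
ldap_default_authtok = PLACEHOLDER_PASSWORD
ldap_autofs_search_base = ou=automount,ou=admin,dc=example,dc=test
ldap_netgroup_search_base = ou=netgroup,ou=admin,dc=example,dc=test
"""

# The same stanza with authentication and access disabled explicitly, user/group
# lookups pinned to an (assumed) empty container, and StartTLS on the bind.
HARDENED_CONF = WEAK_CONF + """auth_provider = none
access_provider = deny
chpass_provider = none
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/openldap/certs/cacert.asc
ldap_user_search_base = ou=empty,ou=admin,dc=example,dc=test
ldap_group_search_base = ou=empty,ou=admin,dc=example,dc=test
"""


def lint_netgroup_only_domain(conf_text: str, domain: str) -> list[str]:
    """Return findings for a domain meant to serve only autofs maps and netgroups."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(StringIO(conf_text))
    sec = cp[f"domain/{domain}"]
    findings = []
    if sec.get("id_provider") != "ldap":
        findings.append("id_provider must be ldap: netgroups are served by id_provider")
    # Unset user/group bases fall back to ldap_search_base, which itself falls back
    # to the RootDSE naming context, i.e. the whole tree the bind DN can read.
    for key in ("ldap_user_search_base", "ldap_group_search_base"):
        if key not in sec:
            findings.append(f"{key} unset: lookups fall back to the whole tree")
    # auth_provider defaults to the id_provider, so it must be disabled explicitly.
    if sec.get("auth_provider") != "none":
        findings.append("auth_provider not none: this domain would try to authenticate")
    if sec.get("ldap_uri", "").startswith("ldap://") and not sec.getboolean(
            "ldap_id_use_start_tls", fallback=False):
        findings.append("ldap:// without ldap_id_use_start_tls: bind password in clear")
    return findings
```

Running the lint on WEAK_CONF reports four findings; on HARDENED_CONF it reports none.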
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org