We're developing a Java application which should authenticate users against both LDAP and custom formatted files containing user information. Both username/password and certificate authentication are planned to be supported. Our application should run mainly on RHEL. We were estimating the possibility to use SSSD for this purpose. After some investigation it seems that SSSD can be called from Java code only via D-Bus. It also seems that it can be used mainly for fetching user information, but not for authentication.
E.g. for fetching a user by uid: dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByName string:<UID>
For retrieving user groups: dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/<DOMAIN>/<UID> org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Users.User string:groups
For retrieving some extra attributes (after adding them to sssd.conf): dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/<DOMAIN>/<UID> org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Users.User string:"extraAttributes"
The method FindByNameAndCertificate looks somewhat promising: dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByNameAndCertificate string:<UID> string:<PEM_CERT>
But as far as I understand, FindByNameAndCertificate just compares the string representation of a PEM certificate and is far from client certificate authentication.
Do I understand correctly that at the moment there is no possibility to perform user authentication via the D-Bus API through SSSD in LDAP? Or am I missing something?
On Fri, Sep 10, 2021 at 3:20 AM Daniil Kirilyuk <daniel.kirilyuk@gmail.com> wrote:
> We're developing a Java application which should authenticate users against both LDAP and custom formatted files containing user information. Both username/password and certificate authentication are planned to be supported. Our application should run mainly on RHEL. We were estimating the possibility to use SSSD for this purpose. After some investigation it seems that SSSD can be called from Java code only via D-Bus. It also seems that it can be used mainly for fetching user information, but not for authentication.
If your application runs primarily on RHEL, it might make more sense to use PAM instead (maybe via JNI?), instead of hardcoding the use of sssd. (Typically, on Linux systems, sssd is called via PAM.)
That way, system administrators would have near-complete flexibility in configuring your application’s authentication, because they could do so via PAM… like virtually every other Linux application that needs to perform user authentication.
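The call sequence that the PAM route implies, as an added example that is not code from this thread or from SSSD. It is written in Python with ctypes purely to show the libpam C API (pam_start, the conversation callback, pam_authenticate, pam_acct_mgmt, pam_end) that a Java JNI/JNA binding would have to reproduce. Assumptions of the example: libpam.so.0 and libc are loadable, and the caller names a PAM service for which /etc/pam.d/<service> exists (for example one whose auth stack includes pam_sss.so); no service name is taken from the thread.

```python
"""Authenticate a user through libpam from application code.

Added example (not from the sssd-users thread). Assumes libpam.so.0 and
libc are present and that the PAM service named by the caller exists.
"""
import ctypes
import ctypes.util
from ctypes import (CFUNCTYPE, POINTER, Structure, byref, c_char, c_char_p,
                    c_int, c_size_t, c_void_p, cast, memmove, pointer, sizeof)

PAM_SUCCESS = 0
PAM_BUF_ERR = 5
PAM_PROMPT_ECHO_OFF = 1  # password-style prompt: answer with the secret
PAM_PROMPT_ECHO_ON = 2   # username-style prompt
PAM_ERROR_MSG = 3        # informational, no answer expected
PAM_TEXT_INFO = 4        # informational, no answer expected


class PamMessage(Structure):
    _fields_ = [("msg_style", c_int), ("msg", c_char_p)]


class PamResponse(Structure):
    # resp is released by libpam with free(), so it must come from calloc/malloc
    _fields_ = [("resp", POINTER(c_char)), ("resp_retcode", c_int)]


# int conv(int num_msg, const struct pam_message **msg,
#          struct pam_response **resp, void *appdata_ptr)
CONV_FUNC = CFUNCTYPE(c_int, c_int, POINTER(POINTER(PamMessage)),
                      POINTER(POINTER(PamResponse)), c_void_p)


class PamConv(Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", c_void_p)]


_libc = ctypes.CDLL(ctypes.util.find_library("c"))
_calloc = _libc.calloc
_calloc.restype, _calloc.argtypes = c_void_p, [c_size_t, c_size_t]
_free = _libc.free
_free.restype, _free.argtypes = None, [c_void_p]


def make_conversation(password: bytes):
    """Conversation callback: answers every ECHO_OFF prompt with the password
    and leaves every other message kind unanswered (NULL resp)."""
    @CONV_FUNC
    def conv(num_msg, messages, p_response, appdata_ptr):
        addr = _calloc(num_msg, sizeof(PamResponse))
        if not addr:
            return PAM_BUF_ERR
        responses = cast(addr, POINTER(PamResponse))
        p_response[0] = responses
        for i in range(num_msg):
            responses[i].resp_retcode = 0  # unused by Linux-PAM, must be zero
            if messages[i].contents.msg_style == PAM_PROMPT_ECHO_OFF:
                buf = _calloc(len(password) + 1, 1)  # NUL-terminated copy owned by libpam
                if not buf:
                    return PAM_BUF_ERR
                memmove(buf, c_char_p(password), len(password))
                responses[i].resp = cast(buf, POINTER(c_char))
        return PAM_SUCCESS
    return conv


def drive_conversation(conv, prompts):
    """Invoke a conversation callback the way libpam does (an array of
    pam_message pointers); returns each reply as bytes or None.
    Lets the callback be unit-tested without a PAM stack."""
    n = len(prompts)
    msgs = (PamMessage * n)()
    ptrs = (POINTER(PamMessage) * n)()
    for i, (style, text) in enumerate(prompts):
        msgs[i].msg_style, msgs[i].msg = style, text
        ptrs[i] = pointer(msgs[i])
    out = POINTER(PamResponse)()
    if conv(n, ptrs, pointer(out), None) != PAM_SUCCESS:
        return []
    replies = []
    for i in range(n):
        replies.append(cast(out[i].resp, c_char_p).value if out[i].resp else None)
        _free(cast(out[i].resp, c_void_p))  # libpam would free these itself
    _free(cast(out, c_void_p))
    return replies


def pam_authenticate_user(service: str, username: str, password: str):
    """pam_start -> pam_authenticate -> pam_acct_mgmt -> pam_end against the
    stack in /etc/pam.d/<service> (assumed to exist). Returns (ok, message).
    libpam is loaded lazily so the module imports on hosts without it."""
    libpam = ctypes.CDLL(ctypes.util.find_library("pam") or "libpam.so.0")
    libpam.pam_start.restype = c_int
    libpam.pam_start.argtypes = [c_char_p, c_char_p, POINTER(PamConv), POINTER(c_void_p)]
    for fn in ("pam_authenticate", "pam_acct_mgmt", "pam_end"):
        getattr(libpam, fn).restype, getattr(libpam, fn).argtypes = c_int, [c_void_p, c_int]
    libpam.pam_strerror.restype, libpam.pam_strerror.argtypes = c_char_p, [c_void_p, c_int]

    conv = make_conversation(password.encode())
    pam_conv = PamConv(conv, None)  # keep conv referenced until pam_end
    handle = c_void_p()
    rc = libpam.pam_start(service.encode(), username.encode(), byref(pam_conv), byref(handle))
    if rc != PAM_SUCCESS:
        return False, libpam.pam_strerror(None, rc).decode()
    rc = libpam.pam_authenticate(handle, 0)   # credential check (pam_sss asks the backend)
    if rc == PAM_SUCCESS:
        rc = libpam.pam_acct_mgmt(handle, 0)  # account valid, not expired, access allowed
    msg = libpam.pam_strerror(handle, rc).decode()
    libpam.pam_end(handle, rc)
    return rc == PAM_SUCCESS, msg
```

The application only ever names a PAM service; whether that service ends up in pam_sss.so, pam_ldap, or a local file-based module is then the administrator's choice in /etc/pam.d, which is the flexibility the reply above is pointing at. Note that pam_acct_mgmt is part of the sequence: pam_authenticate alone says the credentials matched, not that the account is allowed to log in.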
On 9/10/21 9:20 AM, Daniil Kirilyuk wrote:
> We're developing a Java application which should authenticate users against both LDAP and custom formatted files containing user information. Both username/password and certificate authentication are planned to be supported. Our application should run mainly on RHEL. We were estimating the possibility to use SSSD for this purpose. After some investigation it seems that SSSD can be called from Java code only via D-Bus. It also seems that it can be used mainly for fetching user information, but not for authentication.
> E.g. for fetching a user by uid: dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByName string:<UID>
> For retrieving user groups: dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/<DOMAIN>/<UID> org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Users.User string:groups
> For retrieving some extra attributes (after adding them to sssd.conf): dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/<DOMAIN>/<UID> org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Users.User string:"extraAttributes"
> The method FindByNameAndCertificate looks somewhat promising: dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByNameAndCertificate string:<UID> string:<PEM_CERT>
> But as far as I understand, FindByNameAndCertificate just compares the string representation of a PEM certificate and is far from client certificate authentication.
> Do I understand correctly that at the moment there is no possibility to perform user authentication via the D-Bus API through SSSD in LDAP? Or am I missing something?
Hi, you are correct. At this moment SSSD does not provide any authentication mechanism through D-Bus. Authentication is provided only through the PAM modules pam_sss.so and pam_sss_gss.so (for GSSAPI authentication).
Also, even though we do have support for users and groups over D-Bus, depending on your use case it might be better to use the system calls that go through nsswitch.conf (like getpwnam/getgrnam; I'm not sure what their Java counterparts are).
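The NSS route the reply suggests, as an added example that is not code from this thread or from SSSD: Python's pwd, grp and os modules wrap the same libc calls (getpwnam, getgrgid, getgrouplist) that nsswitch.conf dispatches, so on a host with `sss` in nsswitch.conf the answers come from SSSD's NSS responder without any D-Bus traffic. The example assumes the Java application would reach these calls through a JNI/JNA binding, which is not shown; the user name queried at the bottom is just a constructed test value.

```python
"""Resolve a user and its group list through NSS (nsswitch.conf) rather than
the SSSD D-Bus InfoPipe. Added example, not from the sssd-users thread."""
import grp
import os
import pwd


def group_name(gid: int) -> str:
    """Map a gid to its name, falling back to the number for an unknown gid."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def lookup_user(name: str):
    """Return the NSS view of a user (roughly FindByName plus the InfoPipe
    `groups` property), or None when no NSS source knows the name."""
    try:
        pw = pwd.getpwnam(name)
    except KeyError:
        return None
    # getgrouplist(3) is the initgroups route: it works with sssd domains
    # even though group enumeration (grp.getgrall) is disabled there by
    # default, and the primary gid is always included in its result.
    gids = os.getgrouplist(name, pw.pw_gid)
    return {
        "name": pw.pw_name,
        "uid": pw.pw_uid,
        "gid": pw.pw_gid,
        "gecos": pw.pw_gecos,
        "home": pw.pw_dir,
        "shell": pw.pw_shell,
        "primary_group": group_name(pw.pw_gid),
        "groups": sorted({group_name(g) for g in gids}),
    }


if __name__ == "__main__":
    import json
    # "root" exists on any Linux host; a made-up name shows the None path.
    print(json.dumps(lookup_user("root"), indent=2))
    print(lookup_user("no-such-user-constructed-for-demo"))
```

Two limits to keep in mind: NSS returns only the POSIX attributes (no `extraAttributes`, for which the InfoPipe remains the route), and, like the InfoPipe, it never authenticates anyone; the credential check still has to go through PAM.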
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure