On Thu, 2022-12-08 at 08:02 +0100, Sumit Bose wrote:
> On Thu, Dec 08, 2022 at 01:15:51AM +0000, Christian, Mark wrote:
> > On Thu, 2022-12-08 at 00:32 +0000, Christian, Mark wrote:
> > > I have a single ldap instance that provides ID for accounts across
> > > multiple trusted kerberos realms. I don't see a way to list multiple
> > > kerberos REALMS under a single domain section. I'm guessing the only
> > > way this scheme will work is if I locate the realm1 ldap accounts in
> > > one container and the realm2 accounts in another container e.g.:
> > >
> > > domains = realm1, realm2
> > >
> > > [domain/realm1]
> > > id_provider = ldap
> > > ldap_uri = ldaps://ldap.example.com
> > > auth_provider = krb5
> > > krb5_realm = REALM1.COM
> > > ldap_user_search_base = ou=realm1,ou=people,dc=example,dc=com
> > >
> > > [domain/realm2]
> > > id_provider = ldap
> > > ldap_uri = ldaps://ldap.example.com
> > > auth_provider = krb5
> > > krb5_realm = REALM2.COM
> > > ldap_user_search_base = ou=realm2,ou=people,dc=example,dc=com
> > >
> > > Am I correct that I won't be able to place the realm1 and realm2
> > > accounts in the same ldap_user_search_base? I was hoping I might be
> > > able to leverage "[domain/realm1/realm2]" but it doesn't look like
> > > krb5_realm is an option here, and that the trusted domain section
> > > expects to find identity in separate user search bases.
> >
> > I suppose an alternative to placing the accounts in separate ou's would
> > be to add a
> > (memberOf:1.2.840.113556.1.4.1941:=cn=realm1,ou=group,dc=example,dc=com)
> > search filter to ldap_user_search_base for [domain/realm1] and a
> > cn=realm2 memberof search filter for [domain/realm2].
>
> Hi,
>
> do you have the Kerberos principal for each user stored in an LDAP
> attribute like 'userPrincipalName'? If this is the case it might even
> work with a single domain configured in sssd.conf since the value of
> this LDAP attribute is preferred over generating the principal from the
> user name and the Kerberos realm. But I have not tested this.
Thanks, I may give that a shot.

To confirm: in a scenario where a single identity provider can't store
the kerberos REALM information for accounts and where the id_provider
is providing accounts across 2 or more realms, for example a NIS domain
that has a passwd map containing realm_1 and realm_2 accounts, sssd
does not have the equivalent of pam_krb5 which could be configured to
try any number of REALMS until it got a "hit" e.g.

auth sufficient pam_krb5.so realm=REALM_1.COM try_first_pass
auth sufficient pam_krb5.so realm=REALM_2.COM try_first_pass
etc...

The above is simply not available in sssd.conf correct?

Thanks,
Mark
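As an added illustration (not part of the thread, and not a configuration shipped by the SSSD project), the following sssd.conf puts the two approaches discussed above side by side: Mark's two-domain layout with a memberOf search filter instead of separate OUs, and, commented out, the single-domain variant Sumit suggests where the principal is read from an LDAP attribute. The hostname, DNs, group names and attribute name are assumed; the `base?scope?(filter)` form of ldap_user_search_base and the ldap_user_principal option are documented in sssd-ldap(5).

```ini
# Added example, not from the thread or the SSSD project. One LDAP server,
# two Kerberos realms, users in a shared container told apart by group
# membership. Hostnames, DNs and group names below are assumed.
[sssd]
services = nss, pam
domains = realm1, realm2

[domain/realm1]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ldap.example.com
krb5_realm = REALM1.COM
# Same container as realm2, narrowed with sssd's base?scope?(filter) syntax
# so only members of cn=realm1 are visible in this domain.
# The 1.2.840.113556.1.4.1941 chain-matching rule used in the thread is an
# Active Directory extensible match; on a directory that exposes a plain
# memberOf attribute (e.g. 389-ds or OpenLDAP with the memberOf overlay)
# the simple equality filter shown here is enough for direct membership.
ldap_user_search_base = ou=people,dc=example,dc=com?subtree?(memberOf=cn=realm1,ou=group,dc=example,dc=com)
ldap_group_search_base = ou=group,dc=example,dc=com
# Keep realm1 and realm2 users distinguishable even if a group is
# misconfigured and an account ends up matching both filters.
use_fully_qualified_names = True

[domain/realm2]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ldap.example.com
krb5_realm = REALM2.COM
ldap_user_search_base = ou=people,dc=example,dc=com?subtree?(memberOf=cn=realm2,ou=group,dc=example,dc=com)
ldap_group_search_base = ou=group,dc=example,dc=com
use_fully_qualified_names = True

# Alternative described by Sumit above, untested by him: if every LDAP entry
# carries the user's full principal (e.g. alice@REALM2.COM), one domain can
# serve both realms because sssd prefers the principal found in the
# attribute named by ldap_user_principal (default krbPrincipalName) over
# user@krb5_realm. krb5_realm then only matters for entries that lack the
# attribute. Uncomment and drop the two domains above to try it.
# [domain/example]
# id_provider = ldap
# auth_provider = krb5
# ldap_uri = ldaps://ldap.example.com
# ldap_user_search_base = ou=people,dc=example,dc=com
# ldap_user_principal = userPrincipalName
# krb5_realm = REALM1.COM
```

In both layouts the KDCs of every realm still have to be locatable by the Kerberos library on the client, either through `[realms]` entries in krb5.conf or DNS SRV records, since sssd only chooses the principal; it does not locate realms. The group filters should be disjoint: an account that matches both filters is owned by whichever domain is tried first, and a user that was moved into the wrong group silently changes realm.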