I have a single ldap instance that provides ID for accounts across multiple trusted kerberos realms.  I don't see a way to list multiple keberos REALMS under a single domain section. I'm guessing the only way this scheme will work is if I locate the realm1 ldap accounts in one container and the realm2 accounts in another container e.g.: domains = realm1, realm2 [domain/realm1] id_provider = ldap ldap_uri = ldaps://ldap.example.com auth_provider = krb5 krb5_realm = REALM1.COM ldap_user_search_base = ou=realm1,ou=people,dc=example,dc=com [domain/realm2] id_provider = ldap ldap_uri = ldaps://ldap.example.com auth_provider = krb5 krb5_realm = REALM2.COM ldap_user_search_base = ou=realm2,ou=people,dc=example,dc=com Am I correct that I won't be able to place the realm1 and realm2 accounts in the same ldap_user_search_base? I was hoping I might be able to leverage “[domain/realm1/realm2]” but it doesn't look like krb5_realm is an option here, and that the trusted domain section expects to find identity in separate user search bases.   

Mark _______________________________________________ sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

Am Thu, Dec 08, 2022 at 01:15:51AM +0000 schrieb Christian, Mark: > On Thu, 2022-12-08 at 00:32 +0000, Christian, Mark wrote: > > I have a single ldap instance that provides ID for accounts > > across > > multiple trusted kerberos realms.  I don't see a way to list > > multiple > > keberos REALMS under a single domain section. I'm guessing the > > only > > way > > this scheme will work is if I locate the realm1 ldap accounts in > > one > > container and the realm2 accounts in another container e.g.: > > > > domains = realm1, realm2 > > > > [domain/realm1] > > id_provider = ldap > > ldap_uri = ldaps://ldap.example.com > > auth_provider = krb5 > > krb5_realm = REALM1.COM > > ldap_user_search_base = ou=realm1,ou=people,dc=example,dc=com > > > > [domain/realm2] > > id_provider = ldap > > ldap_uri = ldaps://ldap.example.com > > auth_provider = krb5 > > krb5_realm = REALM2.COM > > ldap_user_search_base = ou=realm2,ou=people,dc=example,dc=com > > > > Am I correct that I won't be able to place the realm1 and realm2 > > accounts in the same ldap_user_search_base? I was hoping I might > > be > > able to leverage “[domain/realm1/realm2]” but it doesn't look > > like > > krb5_realm is an option here, and that the trusted domain section > > expects to find identity in separate user search bases.    > > I suppose an alternative to placing the accounts in separate ou's > would > be to add a > (memberOf:1.2.840.113556.1.4.1941:=cn=realm1,ou=group,dc=example,dc > =com > ) search filter to ldap_user_search_base for [domain/realm1] and a > cn=realm2 memberof search filter for [domain/realm2].  Hi, do you have the Kerberos principal for each user stored in an LDAP attribute like 'userPrincipalName'. If this is the case it might even work with a single domain configured in sssd.conf since the value of this LDAP attribute is preferred over generating the principal from the user name and the Kerberos realm. But I have not tested this.