9:48 a.m.
All,
We use access_provider=ad along with ad_access_filter to control authentication based on
specific group memberships. But we also have configured several low level ldap control as
shown below:
#ldap_id_mapping = true
#ldap_use_tokengroups = False
#ldap_sasl_mech = GSSAPI
#ldap_uri =
#ldap_sudo_search_base = ou
#ldap_user_search_base = dc
#ldap_user_object_class = user
#ldap_group_search_base = ou=
#ldap_group_object_class = group
#ldap_user_home_directory = unixHomeDirectory
#ldap_user_principal = userPrincipalName
#ldap_access_order = filter, expire
#ldap_account_expire_policy = ad
# ldap_schema = ad
I’ve seen several posts where it is suggested that when using “access_provider=ad”, these
ldap configurations are no longer needed. I just want to get some clarification on this
forum regarding how safe it is to remove all the items listed above and do we run a risk
of any potential issues later?
Here is a complete SSSD conf.
[sssd]
domains =
services = nss, pam, sudo
config_file_version = 2
debug_level = 0
[nss]
[pam]
[sudo]
debug_level=0
[domain/]
debug_level=0
ad_server = xxxxx
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
krb5_realm =
#ldap_id_mapping = true
#ldap_use_tokengroups = False
#ldap_sasl_mech = GSSAPI
#ldap_uri = ldap://xxxxxx
#ldap_sudo_search_base =
#ldap_user_search_base =
#ldap_user_object_class =
#ldap_group_search_base =
#ldap_group_object_class =
#ldap_user_home_directory =
#ldap_user_principal =
#ldap_access_order = filter, expire
#ldap_account_expire_policy = ad
#ldap_schema = ad
ad_access_filter =
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash
Thanks in advance for any inputs.
~ Abhi
10:48 a.m.
New subject: Can all ldap controls be removed when using access_provider=ad
Hello!
See comments inline.
On 05/19/2017 04:48 PM, Abhijit Tikekar wrote:
All,
We use access_provider=ad along with ad_access_filter to control
authentication
based on specific group memberships. But we also have
configured several low level ldap control as shown below:
#ldap_id_mapping = true
ldap_id_mapping is True by default for AD provider, so this can be
removed.
#ldap_use_tokengroups = False
ldap_use_tokengroups is True by default, so if you wish to have it
false, you need to keep it in sssd.conf.
#ldap_sasl_mech = GSSAPI
GSSAPI is default for AD provider so it can be removed from sssd.conf.
#ldap_uri =
If ldap uri is not specified then service discovery will be used.
#ldap_sudo_search_base = ou
#ldap_user_search_base = dc
#ldap_user_object_class = user
'user' is default so it can be removed.
#ldap_group_search_base = ou=
SSSD can set default search bases automatically, for example if your
domain name is ad.test, then SSSD sets the search base to
ou=Users,dc=ad,dc=test with scope 'subtree'. Similar for other
object types like groups. This works for most cases, but if you need
something else, you need to keep the option in sssd.conf.
#ldap_group_object_class = group
'group' is the default, so it can be removed.
#ldap_user_home_directory = unixHomeDirectory
'unixHomeDirectory' is default so it can be removed.
#ldap_user_principal = userPrincipalName
'userPrincipalName' is default, so it can be removed.
#ldap_access_order = filter, expire
Here is default just 'filter'. So you need to keep this one in
sssd.conf
#ldap_account_expire_policy = ad
This is default for AD provider, so you can remove
it.
# ldap_schema = ad
This is also default schema for AD provider so you can safely
remove it.
I’ve seen several posts where it is suggested that when using
“access_provider=ad”, these ldap configurations are no longer needed. I
just want to get some clarification on this forum regarding how safe it
is to remove all the items listed above and do we run a risk of any
potential issues later?
Here is a complete SSSD conf.
[sssd]
domains =
services = nss, pam, sudo
config_file_version = 2
debug_level = 0
[nss]
[pam]
[sudo]
debug_level=0
[domain/]
debug_level=0
ad_server = xxxxx
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
krb5_realm =
*#ldap_id_mapping = true*
*#ldap_use_tokengroups = False*
*#ldap_sasl_mech = GSSAPI*
*#ldap_uri = ldap://xxxxxx*
*#ldap_sudo_search_base =*
*#ldap_user_search_base = *
*#ldap_user_object_class = *
*#ldap_group_search_base =*
*#ldap_group_object_class = *
*#ldap_user_home_directory = *
*#ldap_user_principal = *
*#ldap_access_order = filter, expire*
*#ldap_account_expire_policy = ad*
*#ldap_schema = ad*
ad_access_filter =
cache_credentials = true
override_homedir = /home/%d/%u
default_shell = /bin/bash
Thanks in advance for any inputs.
~ Abhi
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
2527
days inactive
2527
days old
sssd-users@lists.fedorahosted.org
1 comments
2 participants
participants (2)
-
Abhijit Tikekar -
Michal Židek