Hi all!
As far as I can tell, the option 'ldap_sasl_mech = gssapi' in sssd.conf always
makes LDAP use a Kerberos keytab for LDAP searches. As far as I can tell, there is no way
to use the user's Kerberos credentials? I think this design comes from how Windows does it
with AD?
I would like to use the Kerberos credentials of the user who has just logged-in instead.
Maybe I'm somewhat paranoid or missing something, but I'm not really comfortable
with hundreds of hosts/machines with keytabs on them which give access to LDAP.
Extracting that keytab from a machine is not that hard, I think. I think in most use cases
the user only needs to be able to see the LDAP entries (i.e. other users, with privacy-sensitive
information like names and other GDPR-problematic data) which the LDAP ACIs allow them to see.
Is there currently a way to configure SSSD in such a way?
Kind regards,
Jasper
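For reference, these are the sssd.conf options that govern the keytab-based GSSAPI bind the post describes, so a reader auditing hosts can see which file and which principal each machine presents to LDAP. This fragment is an added illustration, not part of Jasper's post; the hostname, domain and realm are placeholders, and the values shown for ldap_krb5_keytab, ldap_krb5_init_creds and ldap_krb5_ticket_lifetime are the documented defaults written out explicitly.

```ini
[domain/example.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
krb5_realm = EXAMPLE.COM

# LDAP searches are authenticated with SASL/GSSAPI ...
ldap_sasl_mech = GSSAPI
# ... as this principal (placeholder host/realm), taken from the keytab below.
# Whatever the directory's ACIs grant to this principal is what an attacker
# who copies the keytab from the host obtains.
ldap_sasl_authid = host/client.example.com@EXAMPLE.COM
ldap_sasl_realm = EXAMPLE.COM
ldap_krb5_keytab = /etc/krb5.keytab
# SSSD obtains and renews a TGT from the keytab itself, independent of any
# logged-in user's ticket cache.
ldap_krb5_init_creds = true
ldap_krb5_ticket_lifetime = 86400
```

Keeping ldap_sasl_authid pinned to a single host principal, and scoping that principal's ACIs in the directory to exactly the attributes SSSD needs for identity lookups, limits what a copied keytab is good for; the keytab file itself should be readable by root only.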