Fedora 14: GDM, sssd and LDAP authentication

Stephen Gallagher sgallagh at redhat.com
Wed Nov 10 13:30:33 UTC 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/10/2010 07:40 AM, fedora wrote:
> Hi
> 
> The following sssd.conf and pam.d/gdm and pam.d/gdm-password work here 
> on fedora 13.
> With quite a bit of debugging i found out that for sssd you have to 
> specify all bases in the sssd.conf.
> I have not been able to make sssd run with TLS.
> 

You should not have to set the separate bases at all, as long as they
are subtrees of the primary search base. If ldap_user_search_base is not
specified, it defaults to being the same as ldap_search_base.

There was some confusion about that in the past, where it looked more
like ldap_user_search_base was mandatory. We've cleaned up the
documentation to make that hopefully more clear.

I'm not sure what you mean by "I have not been able to make sssd run
with TLS". Given the ldap:// URI you specified, SSSD will always be
using TLS for the authentication. Because you set ldap_tls_reqcert =
never, it's just not validating the server against a CA cert. To do
that, you would need to set ldap_tls_cacert = /path/to/ca.crt

If you mean that it's not using TLS for identity lookups, this is
enabled by 'ldap_id_use_start_tls = True'.

- -- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkzannkACgkQeiVVYja6o6MjBQCfaku+zuxZc2oh528ZsXWcOu2E
eXUAoK6hyex9rYn+9Svkj0DyLytklQ5s
=lGs2
-----END PGP SIGNATURE-----
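The three points made in the reply (a sub-base that is a subtree of ldap_search_base is redundant, ldap_tls_reqcert = never skips CA validation unless a CA cert is configured, and start-TLS for identity lookups needs ldap_id_use_start_tls) can be checked mechanically. The script below is an added example, not code from the thread or from the SSSD project; the two sssd.conf texts are constructed for illustration, the CA path is a placeholder, and the defaults it assumes (ldap_tls_reqcert defaulting to hard, ldap_id_use_start_tls defaulting to false) are taken from the SSSD documentation as understood here.

```python
import configparser

# Constructed sample modelled on the configuration discussed in the thread:
# plain ldap:// URI, every base spelled out, server certificate never checked.
WEAK_SSSD_CONF = """
[sssd]
services = nss, pam
domains = EXAMPLE

[domain/EXAMPLE]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=People,dc=example,dc=com
ldap_group_search_base = ou=Groups,dc=example,dc=com
ldap_tls_reqcert = never
"""

# Constructed hardened counterpart: one base, CA validation, start-TLS for lookups.
# /etc/openldap/cacerts/ca.crt is a placeholder path, not one from the thread.
HARDENED_SSSD_CONF = """
[sssd]
services = nss, pam
domains = EXAMPLE

[domain/EXAMPLE]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
ldap_id_use_start_tls = True
"""


def load_sssd_conf(text):
    """Parse sssd.conf (INI syntax); interpolation is off so '%' in values is safe."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def is_subtree(sub_base, base):
    """True when sub_base lies under base (DN comparison, case-insensitive)."""
    sub, top = sub_base.replace(" ", "").lower(), base.replace(" ", "").lower()
    return sub == top or sub.endswith("," + top)


def check_domain(sec):
    """Return findings for one [domain/...] section using the LDAP provider."""
    findings = []
    base = sec.get("ldap_search_base")
    # 1. Redundant per-object bases: they default to ldap_search_base anyway.
    for key in ("ldap_user_search_base", "ldap_group_search_base"):
        sub = sec.get(key)
        if sub and base and is_subtree(sub, base):
            findings.append(f"{key} is redundant: {sub} is a subtree of ldap_search_base")
    # 2. Certificate validation: 'never' and 'allow' accept an unverified server.
    reqcert = sec.get("ldap_tls_reqcert", "hard").lower()  # assumed default: hard
    if reqcert in ("never", "allow"):
        findings.append(f"ldap_tls_reqcert = {reqcert}: server certificate is not validated")
    if not sec.get("ldap_tls_cacert") and not sec.get("ldap_tls_cacertdir"):
        findings.append("no ldap_tls_cacert or ldap_tls_cacertdir: nothing to validate the server against")
    # 3. Identity lookups: with ldap:// they are cleartext unless start-TLS is on.
    uri = sec.get("ldap_uri", "")
    start_tls = sec.get("ldap_id_use_start_tls", "false").lower() == "true"  # assumed default: false
    if uri.startswith("ldap://") and not start_tls:
        findings.append("ldap_id_use_start_tls is not True: identity lookups over ldap:// are unencrypted")
    return findings


def audit(text):
    """Map each LDAP-backed domain section to its list of findings."""
    conf = load_sssd_conf(text)
    return {
        name: check_domain(conf[name])
        for name in conf.sections()
        if name.startswith("domain/") and conf[name].get("id_provider", "") == "ldap"
    }


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SSSD_CONF), ("hardened", HARDENED_SSSD_CONF)):
        for domain, findings in audit(text).items():
            print(f"[{label}] {domain}: {len(findings)} finding(s)")
            for f in findings:
                print("  -", f)
```

Run against a real /etc/sssd/sssd.conf by reading the file into `audit()`; an ldaps:// URI is deliberately not flagged for missing start-TLS, since the whole connection is already TLS in that case.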
