Old 05-31-2011, 01:58 PM
Ethan Bonick
 
Default SSSD (LDAP and Kerberos) to AD

I am having trouble getting sssd to work properly with LDAP. I am using Kerberos for passwords and LDAP for identification. I have everything working on Ubuntu and CentOS 5 clients not using SSSD, so I know it works.

Kerberos works just fine and I can get a ticket. LDAP returns nothing, and the debug logs aren't helping me. I have included a copy of my config file. We are not using certs on LDAP, and it shouldn't be required since I am using Kerberos for authentication.

Thanks,

Ethan



[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default

[nss]
filter_groups = root
filter_users = root, nimda
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/default]
auth_provider = krb5
krb5_kpasswd = dc1.example.com,dc2.example.com,dc3.example.com
# krb5_kdcip is a deprecated alias of krb5_server, which is also set below
krb5_kdcip = dc1.example.com,dc2.example.com,dc3.example.com
krb5_realm = example.com
krb5_server = dc1.example.com,dc2.example.com,dc3.example.com
chpass_provider = krb5
cache_credentials = True

id_provider = ldap
ldap_id_use_start_tls = False
ldap_user_uid_number = msSFU30UidNumber
ldap_user_gid_number = msSFU30GidNumber
ldap_user_principal = userPrincipalName
ldap_force_upper_case_realm = False
ldap_group_gid_number = msSFU30GidNumber
ldap_uri = ldap://dc1.example.com,ldap://dc2.example.com,ldap://dc3.example.com
ldap_user_home_directory = msSFU30HomeDirectory
ldap_user_object_class = person
ldap_group_object_class = group
ldap_group_name = msSFU30Name
ldap_user_name = msSFU30Name
ldap_search_base = dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_bind_dn = cn="Linux LDAP",ou=IT,dc=example,dc=com
ldap_user_shell = msSFU30LoginShell
ldap_default_authtok = PASSWORD_GOES_HERE
ldap_tls_cacertdir = /etc/openldap/cacerts
min_id = 10000
max_id = 999999
enumerate = True
ldap_pwd_policy = none
# ldap_search is not an sssd-ldap(5) option (ldap_search_base above is the real one); sssd ignores this line
ldap_search = dc=example,dc=com
ldap_schema = rfc2307bis
debug_level = 9

Join us at the Mobile Event of the Year
Syclo Mobile Conference 2011 | Chicago Mart Plaza | July 13-15
www.syclo.com/smc2011

Copyright 2011. All rights reserved. No portion of this material may be copied, transmitted, or stored via any electronic media without the express written permission of Syclo, LLC. This message is intended exclusively for the individual or entity to which it is addressed and may contain information that is PROPRIETARY, CONFIDENTIAL, PRIVILEGED, ATTORNEY WORK PRODUCT or otherwise legally exempt from disclosure. If you are not the named or intended recipient, you are not authorized to read, print, retain, copy, disclose, distribute, use or take any action with regard to this message or any part of it. If you have received this message in error please notify the sender immediately by e-mail and delete all copies of the message. Unless expressly stated in this email, nothing in this message should be construed as a digital or electronic signature.

Syclo LLC. Headquarters
1721 Moon Lake Blvd, STE 300, Hoffman Estates, IL 60169

Syclo International Limited is registered in England.
Company Number: 05803809
Registered Address: Clock House, 140 London Road, Guildford, GU1 1UW

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
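A check a practitioner would run against a config like the one in the post above, as an added example (not code from this thread or from the sssd project): it parses an sssd.conf and flags what the posted settings imply for the identity side. Kerberos protects the user's login, but every identity lookup still does a simple bind with ldap_default_authtok over plain ldap:// with STARTTLS off, so the service account's password sits in the file and crosses the wire in cleartext. It also catches the two keys in the post that do nothing (krb5_kdcip, ldap_search), warns that the realm is not upper-case, and carries a hardened variant that binds with the host keytab over SASL/GSSAPI instead, so no bind password exists at all. The two sample configs, the keytab path, the 56-bit minimum SSF and the treatment of an unset ldap_sasl_minssf as 0 are assumptions made for the example.

```python
"""Static checks for the ldap/krb5 domain of an sssd.conf (added example, not sssd code).

Option names follow sssd.conf(5), sssd-ldap(5) and sssd-krb5(5); both sample
configs below are constructed for the example.
"""
import configparser
import os
import stat
import sys
from urllib.parse import urlsplit

# Constructed sample: the posted config cut down to the settings the checks look at.
POSTED_CONF = """
[sssd]
domains = default

[domain/default]
auth_provider = krb5
krb5_realm = example.com
krb5_server = dc1.example.com,dc2.example.com
krb5_kdcip = dc1.example.com,dc2.example.com
id_provider = ldap
ldap_uri = ldap://dc1.example.com,ldap://dc2.example.com
ldap_id_use_start_tls = False
ldap_default_bind_dn = cn="Linux LDAP",ou=IT,dc=example,dc=com
ldap_default_authtok = PASSWORD_GOES_HERE
ldap_search_base = dc=example,dc=com
ldap_search = dc=example,dc=com
"""

# Constructed hardened variant: the host's Kerberos identity binds over SASL/GSSAPI with
# the LDAP traffic sealed, so there is no bind password to store or to send.
# Assumptions: the keytab path and 56 as an acceptable minimum SSF.
HARDENED_CONF = """
[sssd]
domains = default

[domain/default]
auth_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_server = dc1.example.com,dc2.example.com
id_provider = ldap
ldap_uri = ldap://dc1.example.com,ldap://dc2.example.com
ldap_sasl_mech = GSSAPI
ldap_krb5_keytab = /etc/krb5.keytab
ldap_sasl_minssf = 56
ldap_search_base = dc=example,dc=com
"""

# Keys that look plausible but do nothing useful in this config.
LEGACY_OR_UNKNOWN = {
    "krb5_kdcip": "deprecated alias of krb5_server",
    "ldap_search": "not an sssd-ldap(5) option, so sssd ignores it; ldap_search_base is the real one",
}


def parse(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def _true(value):
    return value.strip().lower() in ("true", "yes", "1")


def check_domain(section):
    """Return (severity, message) findings for one [domain/...] section."""
    findings = []
    uris = [u.strip() for u in section.get("ldap_uri", "").split(",") if u.strip()]
    plain = [u for u in uris if urlsplit(u).scheme == "ldap"]
    # A simple bind is protected only if no URI is plain ldap:// or STARTTLS is forced on.
    encrypted = not plain or _true(section.get("ldap_id_use_start_tls", "false"))
    if "ldap_default_authtok" in section:
        findings.append(("high", "ldap_default_authtok keeps a bind password in sssd.conf; "
                                 "use ldap_sasl_mech = GSSAPI with a keytab instead"))
        if not encrypted:
            findings.append(("high", "simple bind over %s without STARTTLS sends that "
                                     "password in cleartext" % ", ".join(plain)))
    elif section.get("ldap_sasl_mech", "").upper() == "GSSAPI" and not encrypted:
        # Assumption: an unset minimum SSF counts as 0 (the system default is not inspected).
        if int(section.get("ldap_sasl_minssf", "0")) < 56:
            findings.append(("medium", "GSSAPI bind over plain ldap:// with ldap_sasl_minssf "
                                       "below 56 leaves directory replies unsealed"))
    realm = section.get("krb5_realm", "")
    if realm and realm != realm.upper():
        findings.append(("low", "krb5_realm %r is not upper-case; Kerberos realm names "
                                "are case-sensitive" % realm))
    for key, why in LEGACY_OR_UNKNOWN.items():
        if key in section:
            findings.append(("low", "%s: %s" % (key, why)))
    return findings


def check_conf(text):
    """Return (section, severity, message) findings for every domain listed in [sssd]."""
    cp = parse(text)
    out = []
    for name in [d.strip() for d in cp["sssd"].get("domains", "").split(",") if d.strip()]:
        sec = "domain/" + name
        if not cp.has_section(sec):
            out.append((sec, "high", "listed in [sssd] domains but no such section"))
            continue
        out.extend((sec, sev, msg) for sev, msg in check_domain(cp[sec]))
    return out


def check_file(path):
    """sssd expects its config root-owned and mode 0600; flag anything looser."""
    st = os.stat(path)
    if st.st_uid != 0 or st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [("file", "high", "%s should be root-owned and mode 0600" % path)]
    return []


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as f:
            findings = check_file(argv[1]) + check_conf(f.read())
    else:  # no path given: report on the two constructed samples
        findings = [("posted", s, m) for _, s, m in check_conf(POSTED_CONF)]
        findings += [("hardened", s, m) for _, s, m in check_conf(HARDENED_CONF)]
    for sec, sev, msg in findings:
        print("%-6s %-10s %s" % (sev, sec, msg))
    return 1 if any(sev == "high" for _, sev, _ in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python3 check_sssd.py /etc/sssd/sssd.conf; with no argument it reports on the two built-in samples, and the hardened one comes back clean. To test the identity side independently of SSSD, the same bind DN and search base can be tried with ldapsearch using the filter SSSD builds from the posted mappings, for example ldapsearch -H ldap://dc1.example.com -D 'cn="Linux LDAP",ou=IT,dc=example,dc=com' -W -b dc=example,dc=com '(&(objectClass=person)(msSFU30Name=USER))' msSFU30UidNumber msSFU30GidNumber msSFU30HomeDirectory msSFU30LoginShell (USER is a placeholder). A bind error narrows the problem to the service account rather than the attribute mappings, and an entry that comes back without the uid and gid number attributes is one the LDAP provider will skip.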
 
Old 06-02-2011, 12:18 PM
Stephen Gallagher
 
Default SSSD (LDAP and Kerberos) to AD

On Tue, 2011-05-31 at 13:58 +0000, Ethan Bonick wrote:
> I am having trouble getting sssd to work properly with LDAP. I am
> using kerberos for passwords and LDAP for identification. I have
> everything working on Ubuntu and CENTOS5 clients not using SSSD so I
> know it works.
>
> Kerberos works just fine and I can get a ticket. LDAP returns nothing,
> debug logs aren't helping me. I have included a copy of my config
> file. We are not using certs on ldap and it shouldn't be required
> since I am using kerberos for authentication.
>
> Thanks,
> Ethan
>
> [sssd]
> config_file_version = 2
> reconnection_retries = 3
> sbus_timeout = 30
> services = nss, pam
> domains = default
>
> [nss]
> filter_groups = root
> filter_users = root, nimda
> reconnection_retries = 3
>
> [pam]
> reconnection_retries = 3
>
> [domain/default]
> auth_provider = krb5
> krb5_kpasswd = dc1.example.com,dc2.example.com,dc3.example.com
> krb5_kdcip = dc1.example.com,dc2.example.com,dc3.example.com
> krb5_realm = example.com
> krb5_server = dc1.example.com,dc2.example.com,dc3.example.com
> chpass_provider = krb5
> cache_credentials = True
>
> id_provider = ldap
> ldap_id_use_start_tls = False
> ldap_user_uid_number = msSFU30UidNumber
> ldap_user_gid_number = msSFU30GidNumber
> ldap_user_principal = userPrincipalName
> ldap_force_upper_case_realm = False
> ldap_group_gid_number = msSFU30GidNumber
> ldap_uri =
> ldap://dc1.example.com,ldap://dc2.example.com,ldap://dc3.example.com
> ldap_user_home_directory = msSFU30HomeDirectory
> ldap_user_object_class = person
> ldap_group_object_class = group
> ldap_group_name = msSFU30Name
> ldap_user_name = msSFU30Name
> ldap_search_base = dc=example,dc=com
> ldap_default_authtok_type = password
> ldap_default_bind_dn = cn="Linux LDAP",ou=IT,dc=example,dc=com
> ldap_user_shell = msSFU30LoginShell
> ldap_default_authtok = PASSWORD_GOES_HERE
> ldap_tls_cacertdir = /etc/openldap/cacerts
> min_id = 10000
> max_id = 999999
> enumerate = True
> ldap_pwd_policy = none
> ldap_search = dc=example,dc=com
> ldap_schema = rfc2307bis
> debug_level = 9
>


First, I'd like to mention that SSSD is not currently the ideal solution
for interacting with ActiveDirectory. (Currently, we are implementing a
winbind-based provider that should be ready within the next two months).

Second, the user list isn't the best place to get this help. Please open
a Bugzilla ticket against the SSSD component and attach your sssd.conf
as well as the /etc/sssd/sssd/sssd_default.log to it. We'll get you
sorted out.
 
Old 06-03-2011, 01:54 PM
Ethan Bonick
 
Default SSSD (LDAP and Kerberos) to AD

1. While I appreciate the advice, ldap provides unix attributes we set up in AD which I could never get working from winbind.

2. I will file a bug, just didn't know if it was a bad configuration or a bug.

-Ethan

 
