<p dir="ltr">Hmm. As much as it pains me to say this, sssd can use AD as the master auth process. Unless AD admin provides an access id with write ability, password changes will have to occur on AD and then propagate to IPA.</p>
<div class="gmail_quote">On Jun 6, 2014 4:30 PM, "James Sumners" <<a href="mailto:james.sumners@gmail.com">james.sumners@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Well, the only reason I'm messing with the SSSD stuff is because it sounded like that's the "way of the future" starting with RHEL6. The other configuration you describe is how I'm doing it on RHEL5.<div>
<br></div><div>I can see the benefit of using synchronized UID/GIDs with AD, but that's not how our AD is setup, and I don't administer that.</div><div><br></div><div>So, to be clear, you do not think I can do what I want to do using SSSD?</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Jun 6, 2014 at 3:57 PM, Jim Kinney <span dir="ltr"><<a href="mailto:jim.kinney@gmail.com" target="_blank">jim.kinney@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>It should be possible to use LDAP for auth only. You will need to tell your system to use ldap for user auth in nsswitch (files ldap - instead of files sssd) and then setup the ldap connection in /etc/openldap.conf. Also good to use nslcd to cache ldap queries.<br>
<br></div>SSSD is a beast but worth the pain on jumping in. It provides a way to do AD one better (or more). Synchronized UID/GID is a good thing especially when running NFS mounts all over the place. RHEL IdM is basically FreeIPA from some time back. Multimaster LDAP is nicely done. Some other goodies include ssh login with LDAP as key holder :-) User posts pub key to IPA web page and it's checked on ssh access for keys and magic happens. It also provides a management tool for sudo rules and other goodies.<br>
</div><div class="gmail_extra"><br><br><div class="gmail_quote"><div><div>On Fri, Jun 6, 2014 at 2:17 PM, James Sumners <span dir="ltr"><<a href="mailto:james.sumners@gmail.com" target="_blank">james.sumners@gmail.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div dir="ltr">Does anyone here know how, or if it is even possible, to simply _authenticate_ against an LDAP server (really, and Active Directory server)? By that I mean the user's credentials, username and password, are verified against the LDAP server but all other account information is provided by a traditional local account.<div>
<br></div><div>I have this configuration working in RHEL5, but RHEL6 introduced this SSSD garbage and it is requiring the UID/GID to come from the remote LDAP server. I do not want that to happen.</div><div><br></div><div>
I have attached my sssd.conf and a debug log of the SSSD server starting up and trying to process one login attempt. The failure starts around line 447 in the log file.</div><span><font color="#888888"><div>
<div><br></div>-- <br>James Sumners<br><a href="http://james.roomfullofmirrors.com/" target="_blank">http://james.roomfullofmirrors.com/</a><br>
<br>"All governments suffer a recurring problem: Power attracts pathological personalities. It is not that power corrupts but that it is magnetic to the corruptible. Such people have a tendency to become drunk on violence, a condition to which they are quickly addicted."<br>
<br>Missionaria Protectiva, Text QIV (decto)<br>CH:D 59
</div></font></span></div>
<br></div></div>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div><span><font color="#888888"><br><br clear="all"><br>-- <br><div dir="ltr">-- <br>James P. Kinney III<br><i><i><i><i><br></i></i></i></i>Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br><i><i><i><i><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br></i></i></i></i></div>
</font></span></div>
<br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>James Sumners<br><a href="http://james.roomfullofmirrors.com/" target="_blank">http://james.roomfullofmirrors.com/</a><br><br>"All governments suffer a recurring problem: Power attracts pathological personalities. It is not that power corrupts but that it is magnetic to the corruptible. Such people have a tendency to become drunk on violence, a condition to which they are quickly addicted."<br>
<br>Missionaria Protectiva, Text QIV (decto)<br>CH:D 59
</div>
<br>_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br></blockquote></div>