[ale] RHEL 6 authenticate against LDAP?

Jim Kinney jim.kinney at gmail.com
Sat Jun 7 10:20:06 EDT 2014


Hmm. As much as it pains me to say this, sssd can use AD as the master auth
process. Unless the AD admin provides an access ID with write ability,
password changes will have to occur on AD and then propagate to IPA.
On Jun 6, 2014 4:30 PM, "James Sumners" <james.sumners at gmail.com> wrote:

> Well, the only reason I'm messing with the SSSD stuff is because it
> sounded like that's the "way of the future" starting with RHEL6. The other
> configuration you describe is how I'm doing it on RHEL5.
>
> I can see the benefit of using synchronized UID/GIDs with AD, but that's
> not how our AD is set up, and I don't administer that.
>
> So, to be clear, you do not think I can do what I want to do using SSSD?
>
>
> On Fri, Jun 6, 2014 at 3:57 PM, Jim Kinney <jim.kinney at gmail.com> wrote:
>
>> It should be possible to use LDAP for auth only. You will need to tell
>> your system to use ldap for user auth in nsswitch (files ldap - instead of
>> files sssd) and then set up the ldap connection in /etc/openldap.conf. Also
>> good to use nslcd to cache ldap queries.
>>
>> SSSD is a beast but worth the pain of jumping in. It provides a way to do
>> AD one better (or more). Synchronized UID/GID is a good thing especially
>> when running NFS mounts all over the place. RHEL IdM is basically FreeIPA
>> from some time back. Multimaster LDAP is nicely done. Some other goodies
>> include ssh login with LDAP as key holder :-) User posts pub key to IPA web
>> page and it's checked on ssh access for keys and magic happens. It also
>> provides a management tool for sudo rules and other goodies.
>>
>>
>> On Fri, Jun 6, 2014 at 2:17 PM, James Sumners <james.sumners at gmail.com>
>> wrote:
>>
>>> Does anyone here know how, or if it is even possible, to simply
>>> _authenticate_ against an LDAP server (really, an Active Directory
>>> server)? By that I mean the user's credentials, username and password, are
>>> verified against the LDAP server but all other account information is
>>> provided by a traditional local account.
>>>
>>> I have this configuration working in RHEL5, but RHEL6 introduced this
>>> SSSD garbage and it is requiring the UID/GID to come from the remote LDAP
>>> server. I do not want that to happen.
>>>
>>> I have attached my sssd.conf and a debug log of the SSSD server starting
>>> up and trying to process one login attempt. The failure starts around line
>>> 447 in the log file.
>>>
>>> --
>>> James Sumners
>>> http://james.roomfullofmirrors.com/
>>>
>>> "All governments suffer a recurring problem: Power attracts pathological
>>> personalities. It is not that power corrupts but that it is magnetic to the
>>> corruptible. Such people have a tendency to become drunk on violence, a
>>> condition to which they are quickly addicted."
>>>
>>> Missionaria Protectiva, Text QIV (decto)
>>> CH:D 59
>>>
>>> _______________________________________________
>>> Ale mailing list
>>> Ale at ale.org
>>> http://mail.ale.org/mailman/listinfo/ale
>>> See JOBS, ANNOUNCE and SCHOOLS lists at
>>> http://mail.ale.org/mailman/listinfo
>>>
>>>
>>
>>
>> --
>> James P. Kinney III
>>
>> Every time you stop a school, you will have to build a jail. What you
>> gain at one end you lose at the other. It's like feeding a dog on his own
>> tail. It won't fatten the dog.
>> - Speech 11/23/1900 Mark Twain
>>
>>
>> http://heretothereideas.blogspot.com/
>>
>
>
> --
> James Sumners
> http://james.roomfullofmirrors.com/
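For the split James is after (UID/GID, home and shell from the local files, only the password check sent to AD), SSSD's proxy identity provider can be paired with its LDAP auth provider. The sssd.conf below is an added example for this thread, not the configuration attached to the original post; the AD host name, base DN, bind account and CA path are placeholders.

```ini
# /etc/sssd/sssd.conf  (added example; host, DNs and paths are placeholders)
[sssd]
config_file_version = 2
services = nss, pam
domains = localid_adauth

[domain/localid_adauth]
# Identity comes from /etc/passwd and /etc/group through the proxy
# provider wrapped around libnss_files, so AD never supplies UID/GID.
id_provider = proxy
proxy_lib_name = files

# Only authentication goes to AD: SSSD looks up the account by
# sAMAccountName (ldap_schema = ad) and then binds as that user.
auth_provider = ldap
ldap_uri = ldaps://ad.example.com
ldap_search_base = DC=example,DC=com
ldap_schema = ad

# AD normally refuses anonymous searches, so a read-only bind account
# is needed for the DN lookup; obfuscate its password with sss_obfuscate
# rather than storing it in clear text.
ldap_default_bind_dn = CN=sssd-bind,OU=Service Accounts,DC=example,DC=com
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = <output of sss_obfuscate>

# Refuse any server whose certificate does not chain to this CA;
# otherwise the user's domain password goes to whoever answers on 636.
ldap_tls_cacert = /etc/openldap/cacerts/ad-ca.pem
ldap_tls_reqcert = demand

# Do not keep hashed AD credentials on the workstation for offline use.
cache_credentials = false
```

nsswitch.conf can then stay at "passwd: files" and "group: files", while the PAM auth stack needs pam_sss.so (authconfig --enablesssdauth --update on RHEL 6) so the password prompt is forwarded to SSSD.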