SSSD (LDAP and Kerberos) to AD



I am having trouble getting sssd to work properly with LDAP. I am using Kerberos for passwords and LDAP for identification. I have everything working on Ubuntu and CentOS 5 clients not using SSSD, so I know it works.

Kerberos works just fine and I can get a ticket. LDAP returns nothing, and the debug logs aren't helping me. I have included a copy of my config file. We are not using certs on LDAP, and it shouldn't be required since I am using Kerberos for authentication.

Thanks,
Ethan

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default

[nss]
filter_groups = root
filter_users = root, nimda
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/default]
auth_provider = krb5
krb5_kpasswd = dc1.example.com,dc2.example.com,dc3.example.com
krb5_kdcip = dc1.example.com,dc2.example.com,dc3.example.com
krb5_realm = example.com
krb5_server = dc1.example.com,dc2.example.com,dc3.example.com
chpass_provider = krb5
cache_credentials = True

id_provider = ldap
ldap_id_use_start_tls = False
ldap_user_uid_number = msSFU30UidNumber
ldap_user_gid_number = msSFU30GidNumber
ldap_user_principal = userPrincipalName
ldap_force_upper_case_realm = False
ldap_group_gid_number = msSFU30GidNumber
ldap_uri = ldap://dc1.example.com,ldap://dc2.example.com,ldap://dc3.example.com
ldap_user_home_directory = msSFU30HomeDirectory
ldap_user_object_class = person
ldap_group_object_class = group
ldap_group_name = msSFU30Name
ldap_user_name = msSFU30Name
ldap_search_base = dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_bind_dn = cn="Linux LDAP",ou=IT,dc=example,dc=com
ldap_user_shell = msSFU30LoginShell
ldap_default_authtok = PASSWORD_GOES_HERE
ldap_tls_cacertdir = /etc/openldap/cacerts
min_id = 10000
max_id = 999999
enumerate = True
ldap_pwd_policy = none
ldap_search = dc=example,dc=com
ldap_schema = rfc2307bis
debug_level = 9



--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
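An added check, not code from the post or from the SSSD project: a small Python linter for the [domain/*] section that flags two things worth looking at in the configuration above, an option sssd will not reject even though it is misspelled (ldap_search next to ldap_search_base), and a simple bind whose ldap_default_authtok travels in cleartext because ldap_id_use_start_tls is False and every ldap_uri is plain ldap://. KNOWN_DOMAIN_KEYS is a partial list and an assumption of the linter, and SAMPLE is the posted domain section trimmed to the keys the checks use.

```python
import configparser
from urllib.parse import urlsplit

# Partial list of [domain/*] keys from sssd-ldap(5)/sssd-krb5(5); an assumption of
# this linter, not an exhaustive schema, so extend it before running on a real file.
KNOWN_DOMAIN_KEYS = {
    "id_provider", "auth_provider", "chpass_provider", "cache_credentials", "enumerate",
    "min_id", "max_id", "debug_level", "krb5_server", "krb5_kpasswd", "krb5_kdcip",
    "krb5_realm", "ldap_uri", "ldap_search_base", "ldap_schema", "ldap_id_use_start_tls",
    "ldap_tls_cacertdir", "ldap_tls_reqcert", "ldap_default_bind_dn", "ldap_default_authtok",
    "ldap_default_authtok_type", "ldap_sasl_mech", "ldap_sasl_authid", "ldap_krb5_keytab",
}

def lint_sssd_conf(text):
    # Returns (section, finding) pairs for every [domain/*] section of an sssd.conf.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        # sssd does not fail on a misspelled option; it simply has no effect, so a
        # typo such as ldap_search (for ldap_search_base) goes unnoticed.
        for key in d:
            if key not in KNOWN_DOMAIN_KEYS:
                findings.append((section, f"unknown option '{key}' (has no effect)"))
        if d.get("id_provider") != "ldap" or not d.get("ldap_default_authtok"):
            continue
        uris = [u.strip() for u in d.get("ldap_uri", "").split(",") if u.strip()]
        plain_ldap = any(urlsplit(u).scheme == "ldap" for u in uris)
        starttls = d.getboolean("ldap_id_use_start_tls", fallback=False)
        gssapi = d.get("ldap_sasl_mech", "").upper() == "GSSAPI"
        # A simple bind sends ldap_default_authtok in the clear unless the session is
        # protected by StartTLS/ldaps or the bind itself is a Kerberos (GSSAPI) bind.
        if plain_ldap and not starttls and not gssapi:
            findings.append((section, "bind password sent in cleartext over ldap:// "
                             "(set ldap_id_use_start_tls = True or ldap_sasl_mech = GSSAPI)"))
    return findings

# Constructed sample: the posted [domain/default] trimmed to the keys the checks use.
SAMPLE = """[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc1.example.com,ldap://dc2.example.com
ldap_search_base = dc=example,dc=com
ldap_search = dc=example,dc=com
ldap_id_use_start_tls = False
ldap_default_bind_dn = cn="Linux LDAP",ou=IT,dc=example,dc=com
ldap_default_authtok = PASSWORD_GOES_HERE
"""
```

Running lint_sssd_conf(SAMPLE) reports both findings for domain/default; flipping ldap_id_use_start_tls to True removes the cleartext one.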