Re: Forward LDAP Auth SASL or SSSD

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


> On 2 Aug 2022, at 22:11, Axel Tischer <axel.tischer@xxxxxxxxxxx> wrote:
> 
> Hi
> 
> We try to migrate from slapd to 389-dirserver.
> 
> Authentication is only used by our application login, not for system logon.
> 
> We forward our ldap authentication to a central ldap server
> 
> saslauthd:
> 
> ldap_servers
> ldap_bind_dn: cn=binduser,ou=emea,o=services
> ldap_bind_pw: secret
> ldap_search_base: o=auth
> ldap_timeout: 3
> ldap_time_limit: 10
> ldap_filter: (&(objectClass=inetOrgPerson)(uid=%u))
> 
> sasl2/slapd:
> mech_list: plain
> pwcheck_method: saslauthd
> saslauthd_path: /run/sasl2/mux
> 
> and sysconfig/saslauthd
> SASLAUTHD_AUTHMECH=ldap
> 
> And a simple user attribute:     userpassword: {SASL}johndoe
> 
> It would be great it saslauthd is supported in 389-DS, but I fear it isn't.

Yeah, we don't support saslauthd. 

> 
> I wonder how to configure 389-ds to use this simple LDAP auth forwarding. I could not find anything about this in the docs (or I'm too dumb..). I tried sssd but no luck yet, reconfiguration of PAM is not allowed....

389-ds can forward to an external auth system via pam, so you are going to need to add a new pam service that 389-ds can send binds through. You may not need to reconfigure pam though to achieve it depending on your setup. 

> It would be grateful to get a working example ( like the one above)

Have a look for pam pass through authentication in the 389-ds docs :) 

> 
> Thanx
> 
> 
> 
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

--
Sincerely,

William Brown

Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux