Re: Forward LDAP Auth SASL or SSSD

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



well saslauthd has to do with the SASL layer itself not the LDAP server itself
It can work but what it does is not related to SSSD at all.
essentially it is used to translate between one sasl auth mech and an
other its primarily for backwards compatibility. for example a common
use case for saslauthd tis o translate PLAIN auth requests on the
client end to KERBEROS auth requests for older LDAP2 clients..It has
nothing to do with authenticating for an OS at the pam layer which is
what SSSD does.

That said this was a big concern in the late 199x's and 200x's but
should not be now, if you are using a library in your application that
only supports plain you should not be using it. and if it is a web
application you should consider using something like Keycloak as a
broker to support OpenID-Connect or SAML auth.


On Tue, Aug 2, 2022 at 8:10 PM William Brown <william.brown@xxxxxxxx> wrote:
>
>
>
> > On 2 Aug 2022, at 22:11, Axel Tischer <axel.tischer@xxxxxxxxxxx> wrote:
> >
> > Hi
> >
> > We try to migrate from slapd to 389-dirserver.
> >
> > Authentication is only used by our application login, not for system logon.
> >
> > We forward our ldap authentication to a central ldap server
> >
> > saslauthd:
> >
> > ldap_servers
> > ldap_bind_dn: cn=binduser,ou=emea,o=services
> > ldap_bind_pw: secret
> > ldap_search_base: o=auth
> > ldap_timeout: 3
> > ldap_time_limit: 10
> > ldap_filter: (&(objectClass=inetOrgPerson)(uid=%u))
> >
> > sasl2/slapd:
> > mech_list: plain
> > pwcheck_method: saslauthd
> > saslauthd_path: /run/sasl2/mux
> >
> > and sysconfig/saslauthd
> > SASLAUTHD_AUTHMECH=ldap
> >
> > And a simple user attribute:     userpassword: {SASL}johndoe
> >
> > It would be great it saslauthd is supported in 389-DS, but I fear it isn't.
>
> Yeah, we don't support saslauthd.
>
> >
> > I wonder how to configure 389-ds to use this simple LDAP auth forwarding. I could not find anything about this in the docs (or I'm too dumb..). I tried sssd but no luck yet, reconfiguration of PAM is not allowed....
>
> 389-ds can forward to an external auth system via pam, so you are going to need to add a new pam service that 389-ds can send binds through. You may not need to reconfigure pam though to achieve it depending on your setup.
>
> > It would be grateful to get a working example ( like the one above)
>
> Have a look for pam pass through authentication in the 389-ds docs :)
>
> >
> > Thanx
> >
> >
> >
> > _______________________________________________
> > 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
> > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>
> --
> Sincerely,
>
> William Brown
>
> Senior Software Engineer,
> Identity and Access Management
> SUSE Labs, Australia
> _______________________________________________
> 389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux