Re: LDAP authentication


 



See the sssd.conf file below, which works for the installation here.



[root@myws ~]# cat /etc/sssd/sssd.conf
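[sssd]
config_file_version = 2
# Number of times services should attempt to reconnect in the
# event of a crash or restart before they give up
reconnection_retries = 3
# if a backend is particularly slow you can raise this timeout here
sbus_timeout = 30
services = nss, pam
# domains = LOCAL,LDAP
# SSSD will not start if you don't configure any domain.
# Add new domain configurations as [domain/<NAME>] sections.
# Then add the list of domains (in the order you want them to be
# queried) in the 'domains' attribute above and uncomment it.
#
# Only the domains listed here are loaded. The [domain/default] section
# at the end of this file is not in the list, so sssd never reads it.
domains = LDAP
[nss]
# the following prevents sssd from searching for the root user/group in
# all domains (you can add here a comma separated list of system accounts
# that are always going to be /etc/passwd users, or that you want to
# filter out)
filter_groups = root
filter_users = root
reconnection_retries = 3

# The EntryCacheTimeout indicates the number of seconds to retain before
# an entry in cache is considered stale and must block to refresh.
# The EntryCacheNoWaitRefreshTimeout indicates the number of seconds to
# wait before updating the cache out-of-band. (NSS requests will still
# be returned from cache until the full EntryCacheTimeout). Setting this
# value to 0 turns this feature off (default)
# entry_cache_timeout = 600
# entry_cache_nowait_timeout = 300

[pam]
reconnection_retries = 3

# Example LOCAL domain that stores all users natively in the SSSD internal
# directory. These local users and groups are not visible in /etc/passwd,
# it now contains only root and system accounts.
# [domain/LOCAL]
# description = LOCAL Users domain
# id_provider = local
# enumerate = true
# min_id = 500
# max_id = 999

# Example native LDAP domain
[domain/LDAP]
# Lowest UID/GID accepted from this domain. 50 is well below the 500 the
# other sections in this file use, so LDAP entries can map onto ids that
# local system accounts already occupy; raise it unless that overlap is
# intended.
min_id = 50
# "never" skips verification of the LDAP server's TLS certificate, so any
# TLS session to this server is encrypted but not authenticated. The
# commented "demand" line further down is the verifying setting; it needs
# the issuing CA available (compare ldap_tls_cacertdir in [domain/default]).
ldap_tls_reqcert = never
id_provider = ldap
auth_provider = ldap
# Plain ldap:// and no ldap_id_use_start_tls here: identity lookups and the
# default bind below are sent unencrypted. [domain/default] shows the
# ldap_id_use_start_tls = True form.
ldap_uri = ldap://ldapadmin.mydomain.com/
ldap_search_base = ou=pam-ldap,dc=mydomain,dc=com
ldap_user_search_base = ou=people,ou=pam-ldap,dc=mydomain,dc=com
ldap_group_search_base = ou=group,ou=pam-ldap,dc=mydomain,dc=com
# Credentials for the lookup bind. The authtok is a cleartext password;
# keep this file root-owned with mode 0600, which sssd expects anyway.
ldap_default_bind_dn = cn=pam-ldap-checker,ou=pam-ldap,dc=mydomain,dc=com
ldap_default_authtok = password-for-above-DN
# ldap_tls_reqcert = demand
#cache_credentials = true
# Pulls the full user and group lists from the server; expensive on large
# directories.
enumerate = true

# Example LDAP domain where the LDAP server is an Active Directory server.

# [domain/AD]
# description = LDAP domain with AD server
# enumerate = false
# min_id = 1000
#
# id_provider = ldap
# auth_provider = ldap
# ldap_uri = ldap://your.ad.server.com
# ldap_schema = rfc2307bis
# ldap_user_search_base = cn=users,dc=example,dc=com
# ldap_group_search_base = cn=users,dc=example,dc=com
# ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
# ldap_default_authtok_type = password
# ldap_default_authtok = YOUR_PASSWORD
# ldap_user_object_class = person
# ldap_user_name = msSFU30Name
# ldap_user_uid_number = msSFU30UidNumber
# ldap_user_gid_number = msSFU30GidNumber
# ldap_user_home_directory = msSFU30HomeDirectory
# ldap_user_shell = msSFU30LoginShell
# ldap_user_principal = userPrincipalName
# ldap_group_object_class = group
# ldap_group_name = msSFU30Name
# ldap_group_gid_number = msSFU30GidNumber

# NOTE: "default" is not in the domains list above, so this section is
# dead configuration. The krb5_* keys also appear unused, since every
# provider here is ldap and no SASL mechanism is set -- confirm before
# relying on them.
[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = ou=pam-ldap,dc=mydomain,dc=com
krb5_realm = EXAMPLE.COM
chpass_provider = ldap
id_provider = ldap
auth_provider = ldap
ldap_default_bind_dn = cn=pam-ldap-checker,ou=pam-ldap,dc=mydomain,dc=com
debug_level = 0
min_id = 500
# The original posting had these two keys run together on one line by the
# mail formatting; they are two separate settings.
ldap_uri = ldap://ldap.mydomain.com
krb5_kdcip = kerberos.example.com
ldap_default_authtok = password-for-above-DN
ldap_tls_cacertdir = /etc/openldap/cacerts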

[root@myws ~]#

suomi

On 2011-01-17 15:27, Luc MAIGNAN wrote:
> Hi,
>
> I want to use openLDAP to authenticate users to log-in.
>
> In the previous versions of Fedora, I just used system-config-auth, but it
> doesn't seem to work in F14.
>
> Does someone have a good, concise HOWTO that explains how to do this?
>
> BR
>
> Luc
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

