Tuesday, August 2, 2022

[389-users] Re: Forward LDAP Auth SASL or SSSD

> On 2 Aug 2022, at 22:11, Axel Tischer <axel.tischer@anaxmail.de> wrote:
>
> Hi
>
> We try to migrate from slapd to 389-dirserver.
>
> Authentication is only used by our application login, not for system logon.
>
> We forward our ldap authentication to a central ldap server
>
> saslauthd:
>
> ldap_servers
> ldap_bind_dn: cn=binduser,ou=emea,o=services
> ldap_bind_pw: secret
> ldap_search_base: o=auth
> ldap_timeout: 3
> ldap_time_limit: 10
> ldap_filter: (&(objectClass=inetOrgPerson)(uid=%u))
>
> sasl2/slapd:
> mech_list: plain
> pwcheck_method: saslauthd
> saslauthd_path: /run/sasl2/mux
>
> and sysconfig/saslauthd
> SASLAUTHD_AUTHMECH=ldap
>
> And a simple user attribute: userpassword: {SASL}johndoe
>
> It would be great if saslauthd is supported in 389-DS, but I fear it isn't.

Yeah, we don't support saslauthd.

>
> I wonder how to configure 389-ds to use this simple LDAP auth forwarding. I could not find anything about this in the docs (or I'm too dumb..). I tried sssd but no luck yet; reconfiguration of PAM is not allowed...

389-ds can forward to an external auth system via pam, so you are going to need to add a new pam service that 389-ds can send binds through. You may not need to reconfigure pam though to achieve it depending on your setup.

> It would be great to get a working example (like the one above).

Have a look for pam pass through authentication in the 389-ds docs :)

>
> Thanx
>
>
>
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

--
Sincerely,

William Brown

Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia
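A concrete starting point for the pam pass through configuration William points at, added here as an illustration and not taken from the thread or from the 389-ds project: an ldapmodify LDIF that enables the PAM Pass Through Auth plugin and maps a user's RDN to the PAM login name, so uid=johndoe lines up with the (uid=%u) filter in Axel's saslauthd config. The suffix dc=example,dc=com, the ou=people container and the PAM service name ldapserver are assumed placeholders.

```ldif
# Added example, not from the thread: enable PAM pass-through in 389-ds and
# point it at a dedicated PAM service named "ldapserver".
# Assumptions: user entries live under ou=people,dc=example,dc=com and use
# uid=<login> as their RDN; adjust both to the real suffix.
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
-
# Forward binds for entries under this subtree. The PAM login name is taken
# from the entry's RDN value, so uid=johndoe,ou=people,... authenticates as
# PAM user "johndoe", matching the central server's (uid=%u) lookup.
replace: pamIDMapMethod
pamIDMapMethod: RDN ou=people,dc=example,dc=com
-
# Never forward binds for the configuration tree (cn=config, Directory
# Manager): those must keep authenticating locally.
replace: pamExcludeSuffix
pamExcludeSuffix: cn=config
-
# If PAM rejects the credentials, fail the bind instead of retrying against
# a local userPassword value.
replace: pamFallback
pamFallback: FALSE
-
# Only forward over a TLS-protected connection: the client's clear-text
# password is what gets handed to the PAM stack.
replace: pamSecure
pamSecure: TRUE
-
# Name of the PAM service, i.e. the new file /etc/pam.d/ldapserver.
replace: pamService
pamService: ldapserver
-
```

The forwarding to the central server happens in that new /etc/pam.d/ldapserver file (for example via pam_ldap.so or pam_sss.so), so existing PAM services stay untouched, and the forwarded entries need no userPassword value at all. Plugin configuration changes take effect after the instance is restarted.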
