well saslauthd has to do with the SASL layer itself not the LDAP server itself
It can work but what it does is not related to SSSD at all.
essentially it is used to translate between one sasl auth mech and an
other its primarily for backwards compatibility. for example a common
use case for saslauthd tis o translate PLAIN auth requests on the
client end to KERBEROS auth requests for older LDAP2 clients..It has
nothing to do with authenticating for an OS at the pam layer which is
what SSSD does.
That said this was a big concern in the late 199x's and 200x's but
should not be now, if you are using a library in your application that
only supports plain you should not be using it. and if it is a web
application you should consider using something like Keycloak as a
broker to support OpenID-Connect or SAML auth.
On Tue, Aug 2, 2022 at 8:10 PM William Brown <william.brown@suse.com> wrote:
>
>
>
> > On 2 Aug 2022, at 22:11, Axel Tischer <axel.tischer@anaxmail.de> wrote:
> >
> > Hi
> >
> > We try to migrate from slapd to 389-dirserver.
> >
> > Authentication is only used by our application login, not for system logon.
> >
> > We forward our ldap authentication to a central ldap server
> >
> > saslauthd:
> >
> > ldap_servers
> > ldap_bind_dn: cn=binduser,ou=emea,o=services
> > ldap_bind_pw: secret
> > ldap_search_base: o=auth
> > ldap_timeout: 3
> > ldap_time_limit: 10
> > ldap_filter: (&(objectClass=inetOrgPerson)(uid=%u))
> >
> > sasl2/slapd:
> > mech_list: plain
> > pwcheck_method: saslauthd
> > saslauthd_path: /run/sasl2/mux
> >
> > and sysconfig/saslauthd
> > SASLAUTHD_AUTHMECH=ldap
> >
> > And a simple user attribute: userpassword: {SASL}johndoe
> >
> > It would be great it saslauthd is supported in 389-DS, but I fear it isn't.
>
> Yeah, we don't support saslauthd.
>
> >
> > I wonder how to configure 389-ds to use this simple LDAP auth forwarding. I could not find anything about this in the docs (or I'm too dumb..). I tried sssd but no luck yet, reconfiguration of PAM is not allowed....
>
> 389-ds can forward to an external auth system via pam, so you are going to need to add a new pam service that 389-ds can send binds through. You may not need to reconfigure pam though to achieve it depending on your setup.
>
> > It would be grateful to get a working example ( like the one above)
>
> Have a look for pam pass through authentication in the 389-ds docs :)
>
> >
> > Thanx
> >
> >
> >
> > _______________________________________________
> > 389-users mailing list -- 389-users@lists.fedoraproject.org
> > To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> > Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>
> --
> Sincerely,
>
> William Brown
>
> Senior Software Engineer,
> Identity and Access Management
> SUSE Labs, Australia
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
No comments:
Post a Comment