> On 10 Aug 2018, at 02:29, Andre Piwoni <apiw...@webmd.net> wrote:
>
> Hi Jakub,
>
> Here's my use case:
> I'm running Pgpool-II mainly for load balancing requests to PostgreSQL
> servers. While PgPool-II supports LDAP(AD) or GSSAPI/Kerberos, which I
> have working, I need PgPool authentication which supports LDAP(AD) via
> PAM module. PostgreSQL authorization does not utilize LDAP(AD) but
> database permissions, so LDAP(AD) memberships etc. are not needed.
>
> cat /etc/pam.d/pgpool
> #%PAM-1.0
> auth required pam_sss.so
> account required pam_sss.so
>
> In addition to auth_provider, now I have configured id_provider to be
> LDAP and I managed to get things to work after setting ldap_id_mapping
> = true. I'm trying to avoid joining the domain, which is why I'm using LDAP
> for AD.
> One thing that I had to do was to configure ldap_default_bind_dn and
> ldap_default_authtok, which sucks because I don't want to expose the
> password for some admin account in a file. I should be able to get basic
> info about the user using the provided credentials with a simple non-anonymous
> bind, as I've done in other projects.
>

I'm not sure this is permitted by AD by default. I think AD requires you to authenticate in one way or another.

> What is odd is that search queries are performed first and then PAM
> authentication with simple bind is done last.
> In addition, the number of LDAP queries for my simple case is excessive:
> 5 LDAP queries on objectClass=group for memberships even though I set
> ldap_group_nesting_level = 0. I have my memberships in the memberOf
> attribute. This might be https://pagure.io/SSSD/sssd/issue/3425 ?
> 1 LDAP query on objectClass=group for ObjectSID
> 1 LDAP query for my user info
> 2 LDAP queries for other stuff on objectClass=*
>
> Is there a way to avoid using ldap_default_bind_dn and
> ldap_default_authtok for LDAP?

For generic LDAP yes, as a matter of fact, this is the default, but the client can only do what the server allows it to do.

> If so, does it mean that the user to be
> authenticated has to have enough permissions to do searches in AD via
> LDAP?
>
> Thank you,
> Andre
>
> On Thu, Aug 9, 2018 at 1:19 PM Jakub Hrozek <jhro...@redhat.com> wrote:
>>
>> On Thu, Aug 09, 2018 at 10:06:52AM -0700, Andre Piwoni wrote:
>>> There does not seem to be much documentation on how to make
>>> authentication work without any extras. All I need is a simple
>>> non-anonymous bind using the provided credentials without any searches. My
>>> understanding is that I don't need NSS for this, only PAM with
>>> auth_provider set to ldap. However, without id_provider set in
>>> sssd.conf SSSD does not start at all. This has been reported as a bug
>>> and has supposedly been fixed before the SSSD 1.16.0 version that I'm
>>> using. I have tried to set id_provider to none but I'm getting some
>>> indications in logs that an id provider is needed. Is it possible to do a
>>> simple non-anonymous bind without anything extra, not even chpass?
>>
>> I'm not sure this is possible. One of the core design decisions of SSSD
>> was that a domain ties authentication and identity source -- so you do
>> need an id_provider to fetch the identity from somewhere.
>>
>> That somewhere might not be the same server or not a remote server at
>> all, there is also the proxy id_provider that is able to wrap any nss
>> module, but there needs to be some ID provider.
>>
>> What is the use-case you are trying to solve?
>> _______________________________________________
>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/BKVIAMB6KYGJTXNECDM5BPHWP3XE4JTG/
>
> --
>
> Andre Piwoni
>
> Sr. Software Developer, BI/Database
>
> WebMD Health Services
>
> Mobile: 801.541.4722
>
> www.webmdhealthservices.com
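The thread turns on two SSSD configuration points: a domain must carry an id_provider next to its auth_provider, and pointing id_provider at AD over plain LDAP tends to require ldap_default_bind_dn with a credential in ldap_default_authtok. The script below is an added example, not code from the thread or from the SSSD project. It audits a constructed sssd.conf for exactly those pitfalls and shows the weaker file beside one with the bind credential stored as ldap_default_authtok_type = obfuscated_password (the value sss_obfuscate writes). The option names are the real ones from the sssd-ldap manual page; the domain, host, service account DN and the OBFUSCATED-PLACEHOLDER value are assumptions made up for the example.

```python
"""Audit an sssd.conf for the pitfalls discussed in the thread.

Added example, not SSSD project code. Per [domain/...] section it flags:
  * missing id_provider           -> SSSD will not start a domain without one
  * id_provider=ldap, schema ad   -> ldap_id_mapping should be true
                                     (AD users normally have no uidNumber)
  * ldap_default_authtok in clear -> store it obfuscated via sss_obfuscate
  * ldap:// without STARTTLS      -> the bind credential crosses the wire in clear
"""
import configparser
from typing import List, Tuple

Finding = Tuple[str, str]  # (finding code, config section)

# Constructed sample: the setup described in the thread, bind password in plaintext.
# Domain, host and DN are invented for the example.
WEAK_CONF = """\
[sssd]
services = nss, pam
domains = ad.example.test

[domain/ad.example.test]
auth_provider = ldap
id_provider = ldap
ldap_uri = ldaps://dc1.ad.example.test
ldap_schema = ad
ldap_id_mapping = true
ldap_default_bind_dn = CN=svc-sssd,OU=Service Accounts,DC=ad,DC=example,DC=test
ldap_default_authtok = Sup3rSecretPlaintext
"""

# Constructed sample with the same settings but the credential obfuscated.
# In a real file the placeholder is the string produced by `sss_obfuscate`.
HARDENED_CONF = """\
[sssd]
services = nss, pam
domains = ad.example.test

[domain/ad.example.test]
auth_provider = ldap
id_provider = ldap
ldap_uri = ldaps://dc1.ad.example.test
ldap_schema = ad
ldap_id_mapping = true
ldap_default_bind_dn = CN=svc-sssd,OU=Service Accounts,DC=ad,DC=example,DC=test
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = OBFUSCATED-PLACEHOLDER
"""

# Constructed sample of the "PAM only, no id_provider" attempt from the thread.
AUTH_ONLY_CONF = """\
[sssd]
services = pam
domains = ad.example.test

[domain/ad.example.test]
auth_provider = ldap
ldap_uri = ldap://dc1.ad.example.test
"""


def audit_sssd_conf(text: str) -> List[Finding]:
    """Return (code, section) findings for every [domain/...] section in text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings: List[Finding] = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        # SSSD ties identity and authentication: a domain needs an id_provider.
        if "id_provider" not in d:
            findings.append(("missing-id-provider", section))
        # AD via the generic LDAP provider: without ID mapping, POSIX IDs are missing.
        if (d.get("id_provider") == "ldap" and d.get("ldap_schema") == "ad"
                and d.get("ldap_id_mapping", "false").lower() != "true"):
            findings.append(("no-id-mapping", section))
        # Default authtok type is "password", i.e. the literal secret sits in the file.
        if ("ldap_default_bind_dn" in d and "ldap_default_authtok" in d
                and d.get("ldap_default_authtok_type", "password") == "password"):
            findings.append(("plaintext-bind-password", section))
        # Plain ldap:// without STARTTLS sends the bind credential unencrypted.
        uri = d.get("ldap_uri", "")
        if uri.startswith("ldap://") and d.get("ldap_id_use_start_tls", "false").lower() != "true":
            findings.append(("cleartext-ldap-uri", section))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF),
                       ("auth-only", AUTH_ONLY_CONF)):
        print(name, audit_sssd_conf(conf))
```

Obfuscation only keeps the credential from being read at a glance; sssd.conf should still be root-owned and readable by root only, and the service account used for ldap_default_bind_dn should hold no more than read access to the user and group objects SSSD needs.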