On Sun, Nov 24, 2019 at 06:07:06PM -0000, Oscar Torrente wrote:
> Hello.
>
> I'm using an LDAP server for authentication/identification of users. I've set
> its ACIs so that every user can access just its own data. But now I have a
> problem in sssd clients: I should put the correct ldap_default_bind_dn value
> to make the request, a value which should be dynamic as it's typed on
> gdm/login/ssh/whatever. How can I do that? I don't want to write the admin's
> cn (and password!) in clients' sssd.conf files!

Hi,

this won't work, mainly because e.g. sshd will try to look up the user in LDAP
before you are prompted for the password, and if the user cannot be found,
authentication will fail.

You do not have to use the admin DN here; it would be sufficient to have a
service account which can read the needed RFC2307 or RFC2307bis attributes
from the users and groups.

bye,
Sumit

> Thanks!!
>
> P.S: I've asked the same topic in
> https://serverfault.com/questions/993030/how-to-have-a-dynamic-ldap-default-bind-dn-value-in-sssd-conf
> but sadly there's no answer....
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
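
The service-account setup suggested in the reply, as an added sssd.conf sketch that is not part of the original thread. The domain name, server URI, search base, service account DN, CA path and password placeholder are all constructed for illustration.

```ini
# Added example, not from the thread. Every name, DN and path below is a
# constructed placeholder.
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307bis

# Verify the server certificate so the bind password is never sent to an
# unauthenticated peer.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/example-ca.pem

# Weak setting: the directory administrator's credentials on every client.
# ldap_default_bind_dn = cn=admin,dc=example,dc=com

# Corrected setting: identity lookups (the user and group searches that sshd
# triggers before any password prompt) bind as a dedicated read-only account.
# Its ACI on the server should grant search/read on the RFC2307 or
# RFC2307bis attributes only, for example:
#   users:  uid, uidNumber, gidNumber, homeDirectory, loginShell, gecos, cn
#   groups: cn, gidNumber, memberUid (rfc2307) or member (rfc2307bis)
# and nothing on userPassword.
ldap_default_bind_dn = uid=sssd-reader,ou=services,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD

# With auth_provider = ldap, the password typed at gdm/login/ssh is checked
# by binding as the user's own DN, so the service account never needs access
# to password hashes.
```

Keep sssd.conf owned by root with mode 0600, since it holds the service account's password.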