Hi all!

As far as I can tell, the option 'ldap_sasl_mech = gssapi' in sssd.conf always 
makes LDAP use a Kerberos keytab for LDAP searches. As far as I can tell, there 
is no way to use the user's Kerberos credentials? I think this design comes from 
how Windows does it with AD?

I would like to use the Kerberos credentials of the user who has just logged in 
instead. Maybe I'm somewhat paranoid or missing something, but I'm not really 
comfortable with hundreds of hosts / machines with keytabs on them which give 
access to LDAP. Extracting that keytab from a machine is not that hard, I think. 
I think in most use cases the user only needs to be able to see the LDAP entries 
(i.e. other users, with privacy-sensitive information like names and other GDPR 
problematic data) which the LDAP ACIs allow them to see.

Is there currently a way to configure SSSD in such a way?

Kind regards,

Jasper
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org