[ale] RHEL 6 authenticate against LDAP?

Jim Kinney jim.kinney at gmail.com
Fri Jun 6 15:57:17 EDT 2014


It should be possible to use LDAP for auth only. You will need to tell
your system to use ldap for user auth in nsswitch (files ldap - instead of
files sssd) and then set up the ldap connection in /etc/openldap.conf. Also
good to use nslcd to cache ldap queries.

SSSD is a beast but worth the pain of jumping in. It provides a way to do
AD one better (or more). Synchronized UID/GID is a good thing especially
when running NFS mounts all over the place. RHEL IdM is basically FreeIPA
from some time back. Multimaster LDAP is nicely done. Some other goodies
include ssh login with LDAP as key holder :-) User posts pub key to IPA web
page and it's checked on ssh access for keys and magic happens. It also
provides a management tool for sudo rules and other goodies.


On Fri, Jun 6, 2014 at 2:17 PM, James Sumners <james.sumners at gmail.com>
wrote:

> Does anyone here know how, or if it is even possible, to simply
> _authenticate_ against an LDAP server (really, an Active Directory
> server)? By that I mean the user's credentials, username and password, are
> verified against the LDAP server but all other account information is
> provided by a traditional local account.
>
> I have this configuration working in RHEL5, but RHEL6 introduced this SSSD
> garbage and it is requiring the UID/GID to come from the remote LDAP
> server. I do not want that to happen.
>
> I have attached my sssd.conf and a debug log of the SSSD server starting
> up and trying to process one login attempt. The failure starts around line
> 447 in the log file.
>
> --
> James Sumners
> http://james.roomfullofmirrors.com/
>
> "All governments suffer a recurring problem: Power attracts pathological
> personalities. It is not that power corrupts but that it is magnetic to the
> corruptible. Such people have a tendency to become drunk on violence, a
> condition to which they are quickly addicted."
>
> Missionaria Protectiva, Text QIV (decto)
> CH:D 59


-- 
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you gain
at one end you lose at the other. It's like feeding a dog on his own tail.
It won't fatten the dog.
- Speech 11/23/1900 Mark Twain


http://heretothereideas.blogspot.com/