[Freeipa-users] LDAP authentication into FreeIPA
Sigbjorn Lie
sigbjorn at nixtra.com
Thu Nov 17 21:47:54 UTC 2011
On 11/16/2011 01:09 PM, Stephen Gallagher wrote:
> On Tue, 2011-11-15 at 16:51 -0500, Boris Epstein wrote:
>> >
>> > Just tried to install sssd from the above repo.
>> >
>> > There's only packages for the old 10.04 lucid and
>> > 10.10 maverick, nothing for 11.04 natty or 11.11
>> > oneiric. I tried to install on natty using packages
>> > from maverick, but it depends on packages no longer
>> > available in the natty package tree. :(
>> >
>> > However for oneric sssd 1.5.13 seem to have made it
>> > into the universe package tree:
>> > http://packages.ubuntu.com/oneiric/sssd
>> >
>> > Rgds,
>> > Siggi
>> >
>> > Siggi,
>> >
>> > Thanks, but why would I want sssd on my client machine?
>> >
>> > Or - why would the current LDAP client that Ubuntu at least
>> > claims to have not work?
>>
>> The reasons I've found so far are:
>>
>> * Lack of support for the host based access control rules
>> found in IPA
>> * Need to have the config file with a username/password for
>> the system to bind to the ldap directory readable by
>> everyone... (not secure)
>> * SSSD uses the kerberos host key to talk to LDAP (secure)
>> * No daemon keeping track of available ldap servers, e.g. in a
>> failover situation you'll keep asking the server that's down,
>> delaying your client response.
>> * No offline caching of credentials (very handy if you have
>> laptops).
>>
>> I'm sure the SSSD developers can give you lots more. :)
>
> I think you've hit most of the major points. The less-obvious one is
> that it reduces load on the LDAP server as well, since all
> communications come from a single connection in the SSSD, whereas with
> traditional nss_ldap, each client application would be holding its own
> connection.
>
>> Siggi,
>>
>> Thanks, all of those are valid. I just installed sssd on an Ubuntu
>> machine here, may end up using it.
>>
>> But from what you are saying it still sounds like the existing LDAP
>> client on Ubuntu ought to still work, even if in a less than secure
>> fashion. And it doesn't seem to.
> I've seen people successfully configure pam_ldap and pam_krb5 on Ubuntu
> before, so I know it's possible. I assume you have a configuration bug.
> I don't know where Ubuntu keeps its config, so I can't easily help you
> there.
>
See my previous postings to the list for details. Below is what should
be a complete list of files that need modifications. They are
self-explanatory, with syntax provided in the default file.
Various LDAP config files. I've symlinked all these config files into
/etc/ldap.conf and set all settings there.
/etc/ldap.conf
/etc/ldap/ldap.conf
/etc/libnss-ldap.conf
/etc/pam_ldap.conf
/etc/sudo-ldap.conf
Kerberos:
/etc/krb5.conf
automount:
/etc/autofs_ldap_auth.conf
/etc/default/autofs
If you want nfs4+krb5, you'll need to edit these as well:
/etc/default/nfs-common
/etc/idmapd.conf
For making some apps such as thunderbird not crash with nss_ldap,
install nscd.
/etc/nscd.conf
Modify sshd_config and ssh_config to use GSSAPI, and to delegate
credentials to hosts on your network:
/etc/ssh/sshd_config
/etc/ssh/ssh_config
ntp:
/etc/ntp.conf
Remember to make a copy of /etc/ipa/ca.crt from the IPA server to the
Ubuntu machine to make SSL connections to the LDAP server.
And that should be all the files you need to edit (besides nsswitch.conf
and perhaps resolv.conf). If you want the automount to work fully,
you'll have to do a workaround for fixing the race condition that often
occurs at bootup, as the network is not always up when the automounter
starts.
Rgds,
Siggi
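The setup described above keeps one /etc/ldap.conf for nss_ldap, pam_ldap and the OpenLDAP client, and the thread's main objection to it is that any bind password in that file is readable by every local user. The script below is an added example, not part of the original post or of FreeIPA: it audits such a file for that problem and for whether the connection to the IPA directory uses TLS with a verified CA (the /etc/ipa/ca.crt the post says to copy). The host names, DNs and password in the constructed sample files are made up; the keyword names (bindpw, ssl, tls_cacertfile, tls_checkpeer, TLS_REQCERT) are the standard nss_ldap and OpenLDAP client ones.

```shell
#!/bin/sh
# audit_ldap_conf: check an nss_ldap/pam_ldap style ldap.conf for the two
# problems the thread raises: a cleartext bind password in a world-readable
# file, and LDAP to the IPA server without verified TLS.
# Added example, not from the post or from FreeIPA.  /etc/ipa/ca.crt is the
# CA path the post mentions; everything else here is an assumption.
#
# Usage: audit_ldap_conf FILE
# Prints one finding per line; the return value is the number of findings
# (0 means the file passed).
audit_ldap_conf() {
  conf="$1"
  n=0

  # Match both nss_ldap keywords (lowercase) and OpenLDAP client keywords
  # (UPPERCASE), since the post symlinks all the LDAP config files to one file.
  has_key() { grep -Eiq "^[[:space:]]*$1([[:space:]]|\$)" "$conf"; }
  key_val() { grep -Ei "^[[:space:]]*$1[[:space:]]" "$conf" | head -n 1 | awk '{print $2}'; }

  # 1. nss_ldap needs its config readable by every process, so a bindpw in it
  #    is readable by every local user.  Column 8 of 'ls -l' is the others-read bit.
  if has_key 'bindpw' || has_key 'rootbindpw'; then
    perms=$(ls -ld "$conf" | cut -c1-10)      # e.g. -rw-r--r--
    case "$perms" in
      ???????r??) echo "bind password in world-readable file ($perms)"; n=$((n+1)) ;;
    esac
  fi

  # 2. No transport protection at all: neither 'ssl start_tls'/'ssl on' nor ldaps://.
  tls=no
  case "$(key_val 'ssl')" in start_tls|on|yes) tls=yes ;; esac
  grep -Eiq '^[[:space:]]*uri[[:space:]].*ldaps://' "$conf" && tls=yes
  if [ "$tls" = no ]; then
    echo "no TLS: binds and directory data cross the network in the clear"
    n=$((n+1))
  fi

  # 3. TLS without a trusted CA, or with peer checking off, can be intercepted;
  #    copying /etc/ipa/ca.crt only helps if it is configured and enforced.
  if [ "$tls" = yes ]; then
    if ! has_key 'tls_cacertfile' && ! has_key 'tls_cacert' && ! has_key 'tls_cacertdir'; then
      echo "TLS without a CA certificate (copy /etc/ipa/ca.crt and set tls_cacertfile)"
      n=$((n+1))
    fi
    case "$(key_val 'tls_checkpeer')" in
      no|false) echo "tls_checkpeer $(key_val 'tls_checkpeer'): server certificate not verified"; n=$((n+1)) ;;
    esac
    case "$(key_val 'tls_reqcert')" in
      never|allow) echo "TLS_REQCERT $(key_val 'tls_reqcert'): server certificate not verified"; n=$((n+1)) ;;
    esac
  fi
  return "$n"
}

# Constructed sample files (host names, DNs and the password are made up).
tmp=$(mktemp -d)

weak="$tmp/ldap.conf.weak"          # what the thread warns about
cat > "$weak" <<'EOF'
uri ldap://ipa.example.test
base dc=example,dc=test
binddn uid=sysbind,cn=sysaccounts,cn=etc,dc=example,dc=test
bindpw s3cret
ssl no
EOF
chmod 644 "$weak"

nocheck="$tmp/ldap.conf.nocheck"    # TLS on paper, no verification
cat > "$nocheck" <<'EOF'
uri ldaps://ipa.example.test
base dc=example,dc=test
tls_checkpeer no
EOF
chmod 644 "$nocheck"

good="$tmp/ldap.conf.good"          # anonymous bind over verified StartTLS
cat > "$good" <<'EOF'
uri ldap://ipa.example.test
base dc=example,dc=test
ssl start_tls
tls_cacertfile /etc/ipa/ca.crt
tls_checkpeer yes
EOF
chmod 644 "$good"

for f in "$weak" "$nocheck" "$good"; do
  echo "== $f"
  if audit_ldap_conf "$f"; then echo "ok"; fi
done
```

On a real client, run `audit_ldap_conf /etc/ldap.conf` after the symlinking step; since the symlinked files all resolve to the same inode, checking one is enough. The script only inspects the file: it cannot tell whether the copied ca.crt actually matches the IPA server's certificate, so follow it with a StartTLS-enforced `ldapsearch -ZZ` against the server to confirm the chain validates. The bind-password check is exactly the trade-off the thread points out: nss_ldap cannot work with that file made root-only, which is why SSSD's use of the host keytab is the better answer rather than tightening the mode.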