Currently the LDAP ID provider and the KRB5 authentication provider use the same option krb5_realm to specify the Kerberos realm. For typical setups this is sufficient and keeps the list of necessary config options small. In more complex setups, like a cloud environment, it might be necessary to support different realms.
I would like to suggest adding a new config option for the LDAP provider, ldap_krb5_realm, which defaults to krb5_realm.
Ticket #781 may be relevant here. The idea is that we would specify the full principal in the keytab, rather than constructing it from host/<hostname>@REALM.
This is probably less error-prone.
Sorry, I meant ticket #700 above, but both are relevant.
To force a specific principal to use with the ldap driver we already have the ldap_sasl_authid option.
So I would say: INVALID :-)
I agree, but the drawback here is that ldap_sasl_authid will be different on every client. For automatic installations or central configuration management it would be more convenient to have a more generic way to construct the principal. Maybe we can allow templates in ldap_sasl_authid.
Replying to [comment:4 sbose]:
The right way is #781, or not construct anything and pick directly from the keytab where you already have the right and the only usable key.
Replying to [comment:5 simo]:
ok, since we have ldap_krb5_keytab it would always be possible to specify a keytab where only the needed entry is stored. I will close the ticket.
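The workaround the thread settles on, shown as an added sssd.conf example (not taken from the ticket or from the SSSD project's own documentation); the realm names, hostname, keytab path and server URI are assumed placeholders:

```ini
# Default layout: one realm, krb5_realm serves both providers.
# The LDAP provider derives the principal host/<hostname>@CORP.EXAMPLE
# from krb5_realm, which is what the ticket describes as limiting.
[domain/single-realm]
id_provider = ldap
auth_provider = krb5
krb5_realm = CORP.EXAMPLE
ldap_uri = ldap://ldap.corp.example
ldap_sasl_mech = GSSAPI

# Two-realm layout using the options the thread points to instead of a
# new ldap_krb5_realm: the LDAP provider authenticates with a principal
# named explicitly via ldap_sasl_authid, read from a dedicated keytab
# (ldap_krb5_keytab) that holds only that one entry, so no principal is
# constructed from krb5_realm at all. Users still authenticate against
# krb5_realm through the KRB5 provider.
[domain/two-realms]
id_provider = ldap
auth_provider = krb5
krb5_realm = USERS.EXAMPLE
ldap_uri = ldap://ldap.infra.example
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client01.infra.example@INFRA.EXAMPLE
ldap_krb5_keytab = /etc/sssd/ldap-infra.keytab
```

The keytab named by ldap_krb5_keytab should contain only the entry for the principal in ldap_sasl_authid; listing it with `klist -kt /etc/sssd/ldap-infra.keytab` is a quick check that no other principal (in particular none from the users' realm) is reachable through that file, which is the "only the needed entry" condition the closing comment relies on. Because ldap_sasl_authid still differs per client, the comment about central configuration management applies: a configuration-management tool has to template that line per host.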
resolution: => invalid status: new => closed
Fields changed
rhbz: => 0
milestone: NEEDS_TRIAGE => void
Metadata Update from @sbose: - Issue set to the milestone: void
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: https://github.com/SSSD/sssd/issues/1847
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.