#805 RFE: support different realm for GSSAPI and user authentication
Closed: Invalid None Opened 13 years ago by sbose.

Currently the LDAP ID provider and the KRB5 authentication provider use the same option, krb5_realm, to specify the Kerberos realm. For typical setups this is sufficient and keeps the list of necessary config options small. In more complex setups, like a cloud environment, it might be necessary to support different realms.

I would like to suggest adding a new config option for the LDAP provider, ldap_krb5_realm, which defaults to krb5_realm.


Ticket #781 may be relevant here. The idea is that we would specify the full principal in the keytab, rather than constructing it from host/<hostname>@REALM.

This is probably less error-prone.

Sorry, I meant ticket #700 above, but both are relevant.

To force a specific principal for use with the LDAP driver we already have the ldap_sasl_authid option.

So I would say: INVALID :-)

I agree, but the drawback here is that ldap_sasl_authid will be different on every client. For automatic installations or central configuration management it would be more convenient to have a more generic way to construct the principal. Maybe we can allow templates in ldap_sasl_authid.

Replying to [comment:4 sbose]:

I agree, but the drawback here is that ldap_sasl_authid will be different on every client. For automatic installations or central configuration management it would be more convenient to have a more generic way to construct the principal. Maybe we can allow templates in ldap_sasl_authid.

The right way is #781, or not construct anything and pick directly from the keytab where you already have the right and the only usable key.

Replying to [comment:5 simo]:

Replying to [comment:4 sbose]:

I agree, but the drawback here is that ldap_sasl_authid will be different on every client. For automatic installations or central configuration management it would be more convenient to have a more generic way to construct the principal. Maybe we can allow templates in ldap_sasl_authid.

The right way is #781, or not construct anything and pick directly from the keytab where you already have the right and the only usable key.

OK, since we have ldap_krb5_keytab, it would always be possible to specify a keytab in which only the needed entry is stored. I will close the ticket.

resolution: => invalid
status: new => closed
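The resolution above is to give the LDAP provider its own keytab holding only the principal it should use, and to name that principal in ldap_sasl_authid. Below is an added example (not SSSD code, and not posted by anyone in this ticket) that shows the mechanics: it parses the MIT keytab file format (version 0x0502), keeps just the records for one principal, writes the result as a root-only file, and emits the matching sssd.conf lines. The principal ldap-client/client.example.com@CLOUD.EXAMPLE.COM, the realm CLOUD.EXAMPLE.COM and the dummy keys are constructed for the demonstration; in practice the same cut is done interactively with ktutil (rkt, list, delent, wkt), but the parser makes visible what ends up in the file.

```python
"""Cut a one-principal keytab for SSSD's LDAP provider (added example).

Parses and rewrites MIT keytab version 0x0502 (big-endian):
  int16 0x0502, then records of
    int32  size (negative size = deleted slot to skip)
    uint16 num_components
    uint16 len + bytes realm, then that many (uint16 len + bytes) components
    uint32 name_type, uint32 timestamp, uint8 vno8
    uint16 enctype, uint16 key_len, key bytes
    [uint32 vno32, present when size leaves 4 bytes; overrides vno8 if non-zero]
"""
import os
import struct

KEYTAB_MAGIC = b"\x05\x02"


def _cstr(b):
    return struct.pack(">H", len(b)) + b


def encode_entry(principal, realm, enctype, key, vno, timestamp, name_type=1):
    """Serialise one keytab record (name_type 1 = KRB5_NT_PRINCIPAL)."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIBHH", name_type, timestamp, vno & 0xFF, enctype, len(key))
    body += key + struct.pack(">I", vno)
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return KEYTAB_MAGIC + b"".join(encode_entry(*e) for e in entries)


def parse_keytab(data):
    """Return one dict per live record, keeping the raw bytes for rewriting."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("only keytab version 0x0502 is supported")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        start, off = off, off + 4
        if size < 0:                      # deleted slot: skip the hole
            off += -size
            continue
        end, p = off + size, off
        ncomp, rlen = struct.unpack_from(">HH", data, p)
        p += 4
        realm = data[p:p + rlen].decode()
        p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, p)
            p += 2
            comps.append(data[p:p + clen].decode())
            p += clen
        name_type, ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, p)
        p += 13
        key = data[p:p + klen]
        p += klen
        vno = vno8
        if end - p >= 4:                  # 32-bit kvno trailer is optional
            (vno32,) = struct.unpack_from(">I", data, p)
            vno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "name_type": name_type, "enctype": enctype, "vno": vno,
                        "timestamp": ts, "key": key, "raw": data[start:end]})
        off = end
    return entries


def filter_keytab(data, keep):
    """Keep only the records for principal `keep` (every enctype/kvno of it)."""
    kept = [e["raw"] for e in parse_keytab(data) if e["principal"] == keep]
    if not kept:
        raise LookupError("principal %s not found in keytab" % keep)
    return KEYTAB_MAGIC + b"".join(kept)


def write_keytab(path, data):
    """Create the file owner-readable only and refuse to clobber an existing one."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def sssd_ldap_fragment(principal, keytab_path):
    """sssd.conf domain lines that pin the LDAP provider to that keytab/principal."""
    return ("ldap_sasl_mech = GSSAPI\n"
            "ldap_sasl_authid = %s\n"
            "ldap_krb5_keytab = %s\n" % (principal, keytab_path))


# Constructed sample: dummy 32-byte keys, NOT real Kerberos keys. Enctype 18 is
# aes256-cts-hmac-sha1-96. The client holds its host key in its own realm plus a
# hypothetical principal in the LDAP server's realm (CLOUD.EXAMPLE.COM, assumed).
HOST_PRINC = "host/client.example.com@EXAMPLE.COM"
LDAP_PRINC = "ldap-client/client.example.com@CLOUD.EXAMPLE.COM"
SAMPLE_KEYTAB = build_keytab([
    ("host/client.example.com", "EXAMPLE.COM", 18, bytes(range(32)), 2, 1700000000),
    ("ldap-client/client.example.com", "CLOUD.EXAMPLE.COM", 18, bytes(range(32, 64)), 3, 1700000100),
])

if __name__ == "__main__":
    import tempfile
    out = filter_keytab(SAMPLE_KEYTAB, LDAP_PRINC)
    path = os.path.join(tempfile.mkdtemp(), "ldap.keytab")
    write_keytab(path, out)
    for e in parse_keytab(out):
        print("kept", e["principal"], "enctype", e["enctype"], "kvno", e["vno"])
    print(sssd_ldap_fragment(LDAP_PRINC, path))
```

Two points worth checking on a real host: the filtered file must still be owned by root and mode 0600 (SSSD's backend runs as root and reads it directly), and the kvno kept in it must match the current one on the KDC, otherwise the GSSAPI bind fails after the next key rotation even though the principal name is right.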

Fields changed

rhbz: => 0

Fields changed

milestone: NEEDS_TRIAGE => void

Metadata Update from @sbose:
- Issue set to the milestone: void

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/1847

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

