#994 Improve SSSD/AD Documentation
Closed: Fixed None Opened 9 years ago by myllynen.

Currently, SSSD/AD documentation is basically at:

https://fedorahosted.org/sssd/wiki/Configuring%20sssd%20to%20authenticate%20with%20a%20Windows%202008%20Domain%20Server

http://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/chap-SSSD_User_Guide-Configuring_Domains.html#id682602

However, those define some options differently and also do not follow developers' suggestions made elsewhere, e.g., in Bugzilla.

I think it would be helpful to get the story straight in the SSSD wiki page; those instructions can then be propagated further to other guides, like the Fedora/RHEL Deployment Guide.

I'll follow up with a detailed list of issues and open items.


Open issues with the Wiki guide:

  • it suggests allowing anonymous bind; this is usually not possible in an enterprise environment (so the example configuration should be amended with the needed options to allow non-anonymous bind)

  • auth_provider is different from the Fedora Deployment Guide; is ldap or krb5 correct?

  • chpass_provider is ldap, is it more suitable than krb5?

  • it suggests adding Identity Management for Unix Role Service but doesn't use posixAccount as is suggested in https://bugzilla.redhat.com/show_bug.cgi?id=683158#c5

  • offline_credentials_expiration = 1 is unrelated

  • service autodiscovery should be preferred instead of using krb5_kdcip / krb5_realm

  • there are no /etc/pam.d/common-* files on Fedora/RHEL

In general, it should be spelled out clearly what changes are needed on the AD side (compared to, e.g., 2008R2 defaults) so that users can be sure that their issues can be solved just by adjusting krb5.conf/sssd.conf on the client side.

Thanks.
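
An added example, not part of the ticket or of SSSD's own code: a small reviewer that reads an sssd.conf and flags three of the points listed above (anonymous bind, a pinned `krb5_kdcip` instead of service autodiscovery, and the unrelated `offline_credentials_expiration`). The sample configuration is constructed, and the option names `ldap_default_bind_dn`, `ldap_default_authtok` and `ldap_sasl_mech` are assumptions about which "needed options" are meant; the ticket does not name them.

```python
import configparser

# Constructed sample of a guide-style sssd.conf; not taken from the wiki page.
SAMPLE = """\
[sssd]
services = nss, pam
domains = ad.example.com

[domain/ad.example.com]
id_provider = ldap
auth_provider = krb5
chpass_provider = ldap
ldap_uri = ldap://dc1.ad.example.com
krb5_kdcip = dc1.ad.example.com
krb5_realm = AD.EXAMPLE.COM
offline_credentials_expiration = 1
"""

def review_domains(text):
    """Return {section: [finding, ...]} for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts, findings = cp[section], []
        if opts.get("id_provider", "").lower() == "ldap":
            # Assumption: a bind is non-anonymous when a bind DN and its
            # credential are set, or when SASL/GSSAPI is selected.
            simple = "ldap_default_bind_dn" in opts and "ldap_default_authtok" in opts
            gssapi = opts.get("ldap_sasl_mech", "").upper() == "GSSAPI"
            if not (simple or gssapi):
                findings.append("anonymous-bind")
        if "krb5_kdcip" in opts:
            # The ticket prefers service autodiscovery to a pinned KDC.
            findings.append("static-kdc")
        if "offline_credentials_expiration" in opts:
            # Called unrelated to the AD setup in the ticket.
            findings.append("unrelated-offline-option")
        report[section] = findings
    return report

if __name__ == "__main__":
    for section, findings in review_domains(SAMPLE).items():
        print(section, findings or "ok")
```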

Fields changed

cc: => elladeon
milestone: NEEDS_TRIAGE => SSSD 1.5.14

Fields changed

owner: somebody => sgallagh

We need to highlight the fact that AD is not fully supported and list the limitations we have against AD.

I've made some updates, the remaining issues include at least:

  • auth_provider / chpass_provider should be checked

  • need for / use of posixAccount

  • reviewing ldap_user_ / ldap_group_ options

Fields changed

milestone: SSSD 1.5.14 => SSSD 1.7.0

I've updated the SSSD/AD wiki page recently and think that the guide is now comprehensive.

I'll let you review and fine-tune the guide and close this ticket.

Thanks.

We have a wiki page now.

resolution: => fixed
status: new => closed

Fields changed

rhbz: => 0

Metadata Update from @myllynen:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.7.0

3 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/2036

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for any inconvenience.
