Sds-hd idmapping: Difference between revisions
No edit summary
S Richling (talk | contribs) (Redirected page to SDS@hd) Tag: New redirect
(10 intermediate revisions by one other user not shown)
Line 1:
#REDIRECT [[SDS@hd]]
ID-Mapping allows you to map the uidNumbers/gidNumbers of SDS@hd accounts to more descriptive usernames.

If ID-Mapping is not configured, or is configured incorrectly, the ownerships and permissions of files/folders that you see in the filesystem will be shown incorrectly. This can be confusing for users, but permission checking is nevertheless done correctly on the server side.

Because [https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/configuring_domains SSSD] is one of the standard tools and supports more than one LDAP/identity provider on a system, we show an example configuration for this tool here.

Of course you can use any other mechanism/tool to do the LDAP queries for ID-Mapping if you want.
=== Example configuration of SSSD ===

Authentication to SDS@hd is done via Kerberos. So first install the packages needed for Kerberos and SSSD, e.g.:

* RedHat/CentOS:

<pre>> yum install sssd-client sssd-krb5 sssd-ldap</pre>

* Debian/Ubuntu:

<pre>> apt install sssd sssd-krb5 sssd-ldap sssd-tools libnss-sss libsasl2-modules-gssapi-mit</pre>
If it does not exist yet, create an SSSD configuration file (/etc/sssd/sssd.conf) like this:

<pre>
[sssd]
domains = BWSERVICESAD
config_file_version = 2
services = nss

[domain/BWSERVICESAD]
id_provider = ldap
ldap_uri = ldap://bwservices.uni-heidelberg.de
ldap_search_base = dc=bwservices,dc=uni-heidelberg,dc=de
ldap_referrals = false
ldap_schema = ad
ldap_id_mapping = true
min_id = 100000
ldap_sasl_mech = GSSAPI
krb5_realm = BWSERVICES.UNI-HEIDELBERG.DE
ldap_sasl_authid = <HOSTNAME>$
ldap_krb5_keytab = /etc/krb5.keytab
krb5_server = bwservices.uni-heidelberg.de
ldap_sasl_canonicalize = false
krb5_canonicalize = false
use_fully_qualified_names = true
full_name_format = %3$s\%1$s
re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$)))
enumerate = false
</pre>
<span style="color:red">Attention: </span> '''Don't forget to change "ldap_sasl_authid" to the hostname corresponding to the principal in your keytab file!'''

If you are already using another service for authentication or name resolution on the machine, an additional domain block can be set up for it and has to be added to the "domains" line.
To enable SSSD for ID-Mapping on your system, the "passwd" and "group" lines in the file "/etc/nsswitch.conf" have to be extended by "sss", e.g.:

<pre>
passwd: compat sss
group: compat sss
</pre>
'''Note''': If you are using SSSD you should not use "nscd" in parallel! Otherwise this can lead to undefined behaviour due to double caching of passwd and group entries.
After configuring SSSD you should enable and restart the service, e.g.:

<pre>
systemctl enable sssd.service
systemctl restart sssd.service
</pre>
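The following script is an added example and not part of the SDS@hd wiki page or the SSSD project. It checks the three things that most often go wrong with the setup above: sssd.conf must be mode 0600 (sssd refuses to start otherwise), the passwd and group lines of nsswitch.conf must list "sss", and the "ldap_sasl_authid" must match a principal in the keytab (the listing is taken from a saved `klist -k` output in MIT format). The hostname MYHOST and all sample files are constructed placeholders standing in for <HOSTNAME> and the real files under /etc.

```shell
#!/bin/sh
# Added example, not part of the SDS@hd wiki page: offline sanity checks for the
# SSSD ID-mapping setup. Assumptions: sssd.conf must be mode 0600 for sssd to
# start, `klist -k` prints "KVNO Principal" lines (MIT format), and the hostname
# MYHOST is a constructed placeholder standing in for <HOSTNAME>.

# Print the value of KEY from an sssd.conf-style "key = value" file (first match).
sssd_conf_get() {  # usage: sssd_conf_get FILE KEY
    awk -v key="$2" '
        /^[ \t]*\[/ { next }                         # skip [section] headers
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# Succeed only if FILE is mode 0600 (sssd refuses to start if sssd.conf is
# group- or world-accessible).
sssd_conf_mode_ok() {  # usage: sssd_conf_mode_ok FILE
    [ -n "$(find "$1" -perm 600 -print)" ]
}

# Succeed if both the passwd and group databases in an nsswitch.conf list "sss".
nsswitch_has_sss() {  # usage: nsswitch_has_sss FILE
    for db in passwd group; do
        grep -Eq "^[[:space:]]*${db}:.*[[:space:]]sss([[:space:]]|$)" "$1" || return 1
    done
}

# Succeed if AUTHID (the ldap_sasl_authid value, e.g. MYHOST$) is the principal
# name before '@' of some entry in a saved `klist -k` listing.
authid_in_keytab_listing() {  # usage: authid_in_keytab_listing AUTHID KLIST_OUTPUT_FILE
    awk -v id="$1" '$2 ~ /@/ { split($2, p, "@"); if (p[1] == id) found = 1 }
                    END { exit !found }' "$2"
}

# Run all checks and report PASS/FAIL per check; non-zero exit if any failed.
check_idmapping_setup() {  # usage: check_idmapping_setup SSSD_CONF NSSWITCH_CONF KLIST_OUTPUT_FILE
    rc=0
    authid=$(sssd_conf_get "$1" ldap_sasl_authid)
    if sssd_conf_mode_ok "$1"; then echo "PASS: sssd.conf is mode 0600"
    else echo "FAIL: sssd.conf must be mode 0600"; rc=1; fi
    if nsswitch_has_sss "$2"; then echo "PASS: passwd and group in nsswitch.conf use sss"
    else echo "FAIL: add sss to the passwd and group lines of nsswitch.conf"; rc=1; fi
    if [ -n "$authid" ] && authid_in_keytab_listing "$authid" "$3"; then
        echo "PASS: ldap_sasl_authid '$authid' is present in the keytab"
    else echo "FAIL: ldap_sasl_authid '$authid' does not match any keytab principal"; rc=1; fi
    return $rc
}

# --- Constructed sample inputs (values from the page, MYHOST/OLDHOST made up) ---
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sssd.conf" <<'EOF'
[sssd]
domains = BWSERVICESAD
config_file_version = 2
services = nss

[domain/BWSERVICESAD]
id_provider = ldap
ldap_uri = ldap://bwservices.uni-heidelberg.de
ldap_search_base = dc=bwservices,dc=uni-heidelberg,dc=de
ldap_schema = ad
ldap_id_mapping = true
min_id = 100000
ldap_sasl_mech = GSSAPI
krb5_realm = BWSERVICES.UNI-HEIDELBERG.DE
ldap_sasl_authid = MYHOST$
ldap_krb5_keytab = /etc/krb5.keytab
EOF
chmod 600 "$SAMPLE_DIR/sssd.conf"
printf 'passwd: compat sss\ngroup: compat sss\nshadow: compat\n' > "$SAMPLE_DIR/nsswitch.conf"
printf 'passwd: compat\ngroup: compat\n' > "$SAMPLE_DIR/nsswitch-nosss.conf"
# Two constructed `klist -k` listings: one matching the authid, one from a stale
# keytab whose principal still belongs to an old hostname.
for host in MYHOST OLDHOST; do
    printf 'Keytab name: FILE:/etc/krb5.keytab\nKVNO Principal\n---- ----\n   2 %s$@BWSERVICES.UNI-HEIDELBERG.DE\n' \
        "$host" > "$SAMPLE_DIR/klist-$host.txt"
done

echo "== matching keytab =="
check_idmapping_setup "$SAMPLE_DIR/sssd.conf" "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/klist-MYHOST.txt"
echo "== stale keytab (hostname changed, keytab not renewed) =="
check_idmapping_setup "$SAMPLE_DIR/sssd.conf" "$SAMPLE_DIR/nsswitch.conf" "$SAMPLE_DIR/klist-OLDHOST.txt" || true
```

On a real host you would run the same functions against /etc/sssd/sssd.conf, /etc/nsswitch.conf and the output of `klist -k /etc/krb5.keytab` saved to a file; a FAIL on the keytab check is the typical cause of the wrong ownerships described above, since SSSD then cannot bind to the directory and falls back to showing raw numeric IDs.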
Latest revision as of 17:07, 19 August 2022