SDS@hd/Access/ID-Mapping: Difference between revisions

From bwHPC Wiki
< SDS@hd‎ | Access
Jump to navigation Jump to search
No edit summary
No edit summary
Line 52: Line 52:
ldap_sasl_canonicalize = false
ldap_sasl_canonicalize = false
krb5_canonicalize = false
krb5_canonicalize = false
</pre>

Revision as of 17:16, 19 August 2022

ID-Mapping

ID-Mapping allows you to map the uidNumbers/gidNumbers of SDS@hd accounts to more descriptive usernames.

If ID-Mapping is not or not correct configured, the ownerships and permissions of files/folders you see in the filesystem, will be incorrect. This could be confusing for users, but nevertheless the permission checking is done correctly on serversite.

Because SSSD is one of the standard tools and it supports more than one ldap/identity provider on a system, we are showing here an example configuration for this tool.

But of course you can use any other mechanism/tool to do the LDAP queries for ID Mapping if you want. The connection to SDS@hd LDAP Server is authenticated with the kerberos keytab of your machine. You can use any tool which supports GSSAPI with kerberos for authentication with the following parameters:

  • uri: ldap://bwservices.uni-heidelberg.de
  • search_base: dc=bwservices,dc=uni-heidelberg.de,dc=de
  • sasl mech: GSSAPI Authentication
  • krb5 Realm: BWSERVICES.UNI-HEIDELBERG.DE


If you don't need a machine keytab, but you still need ID Mapping (e.g. for CIFS Mounts on linux), you can use your Servicepassword to create a user keytab for LDAP authentication.

Example configuration of SSSD

The authentication to SDS@hd is done via kerberos.

If you have setup a working kerberos environment, you have to install the needed packages for kerberos and SSSD, e.g:

  • RedHat/CentOS:
$ yum install sssd-client sssd-krb5 sssd-ldap
  • debian/ubuntu:
$ apt install sssd sssd-krb5 sssd-ldap sssd-tools libnss-sss libsasl2-modules-gssapi-mit

If not existing, create a SSSD configuration file (/etc/sssd/sssd.conf) like this:

[sssd]
            domains = BWSERVICESAD
            config_file_version = 2
            services = nss

[domain/BWSERVICESAD]
            id_provider = ldap
            ldap_uri = ldap://bwservices.uni-heidelberg.de
            ldap_search_base = dc=bwservices,dc=uni-heidelberg,dc=de
            ldap_referrals = false

            ldap_schema = ad
            ldap_id_mapping = true
            min_id = 2000

            ldap_sasl_mech = GSSAPI
            krb5_realm = BWSERVICES.UNI-HEIDELBERG.DE
            ldap_sasl_authid = <HOSTNAME$  or Username>
            ldap_krb5_keytab = <path_to_your_keytab>
            krb5_server = bwservices.uni-heidelberg.de
            ldap_sasl_canonicalize = false
            krb5_canonicalize = false