Sds-hd idmapping: Difference between revisions

From bwHPC Wiki
Jump to navigation Jump to search
No edit summary
Line 11: Line 11:
=== Example configuration of SSSD ===
=== Example configuration of SSSD ===


The authentication to SDS@hd is done via kerberos. So first install the needed packages for kerberos and SSSD, e.g:
The authentication to SDS@hd is done via kerberos.

If you have setup a working [[Sds-hd_kerberos|kerberos environment]], you have to install the needed packages for kerberos and SSSD, e.g:


* RedHat/CentOS:
* RedHat/CentOS:

Revision as of 10:45, 24 April 2020

SDS@hd ID-Mapping

ID-Mapping allows you to map the uidNumbers/gidNumbers of SDS@hd accounts to more descriptive usernames.

If ID-Mapping is not or not correct configured, the ownerships and permissions of files/folders you see in the filesystem, will be incorrect. This could be confusing for users, but nevertheless the permission checking is done correctly on serversite.

Because SSSD is one of the standard tools and it supports more than one ldap/identity provider on a system, we are showing here an example configuration for this tool.

Of course you can use any other mechanism/tool to do the LDAP queries for ID Mapping if you want.

Example configuration of SSSD

The authentication to SDS@hd is done via kerberos.

If you have setup a working kerberos environment, you have to install the needed packages for kerberos and SSSD, e.g:

  • RedHat/CentOS:
> yum install sssd-client sssd-krb5 sssd-ldap
  • debian/ubuntu:
> apt install sssd sssd-krb5 sssd-ldap sssd-tools libnss-sss libsasl2-modules-gssapi-mit

If not existing, create a SSSD configuration file (/etc/sssd/sssd.conf) like this:

[sssd]
            domains = BWSERVICESAD
            config_file_version = 2
            services = nss

[domain/BWSERVICESAD]
            id_provider = ldap
            ldap_uri = ldap://bwservices.uni-heidelberg.de
            ldap_search_base = dc=bwservices,dc=uni-heidelberg,dc=de
            ldap_referrals = false

            ldap_schema = ad
            ldap_id_mapping = true
            min_id = 100000

            ldap_sasl_mech = GSSAPI
            krb5_realm = BWSERVICES.UNI-HEIDELBERG.DE
            ldap_sasl_authid = <HOSTNAME>$
            ldap_krb5_keytab = /etc/krb5.keytab
            krb5_server = bwservices.uni-heidelberg.de
            ldap_sasl_canonicalize = false
            krb5_canonicalize = false

            use_fully_qualified_names = true
            full_name_format = %3$s\%1$s

            re_expression = (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$)))	 
            enumerate = false

Attention: Don't forget to change "ldap_sasl_authid" to the Hostname coresponding in your keytab file!

If you are allready using another service for authentication or name resolution on the machine, an additional domain block can be set up for this and has to be added to the line "domains".

To enable SSSD for ID-Mapping in your system the lines "passwd" and "group" in file "/etc/nsswitch.conf" have to be extended by "sss", e.g.:

        passwd: compat sss
        group: compat sss

Note: If you are using sssd you should not use "nscd" in parallel! Otherwise this could lead to undefined behaviour due to double caching passwd and group entries.

After configuring SSSD you should enable and restart the service, e.g.:

systemctl enable sssd.service 
systemctl restart sssd.service