List:       sssd-users
Subject:    Re: [SSSD-users] Using separate ldap servers for authentication and auto mount information
From:       Jakub Hrozek <jhrozek () redhat ! com>
Date:       2015-03-27 15:42:44
Message-ID: 20150327154244.GP10622 () hendrix ! redhat ! com

On Fri, Mar 27, 2015 at 02:25:48PM +0100, Michael Ströder wrote:
> Matt John wrote:
> >For a bit more context we are in a university environment where central IT
> >hold users passwords. Our department then has its own ldap server for storing
> >linux home directory mount information and the groups. In an ideal scenario
> >our ldap server would be checked first and if authentication fails the central
> >IT ldap server should be queried.
> 
> Password authentication is *not* getent passwd.
> 
> If all your posixAccount user entries are in your own "autofs" directory I'd
> look into simply chaining the password checking to the central LDAP
> directory. The technical options depend on your LDAP server used.
> 
> Ciao, Michael.
> 
> 

Right. The only way I can currently think of on the client side to
authenticate against a different LDAP server than the users are retrieved
from would be with auth_provider=proxy that would proxy to pam_ldap (or with
very new SSSD versions that can limit certain PAM services to certain PAM
domains also pam_sss) that would redirect auth to the central LDAP server.
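
The split described in the reply above, sketched as an added configuration example (not part of the original message and not the SSSD project's own sample): identity and automount data come from the department LDAP server, while password checks are proxied to a PAM stack that uses pam_ldap against the central server. The domain name `dept`, the host name, the search base, the CA path and the PAM service name `sssd-central-ldap` are assumptions.

```ini
# /etc/sssd/sssd.conf (constructed example; all names and URIs are placeholders)
[sssd]
services = nss, pam, autofs
domains = dept

[domain/dept]
# Users, groups and automount maps are read from the department LDAP server.
id_provider = ldap
autofs_provider = ldap
ldap_uri = ldaps://ldap.dept.example.edu
ldap_search_base = dc=dept,dc=example,dc=edu
# Require a verified server certificate on the identity lookups.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

# Authentication is handed to a separate PAM service instead of the
# LDAP server above. The name must match a file under /etc/pam.d/.
auth_provider = proxy
proxy_pam_target = sssd-central-ldap

# Passwords are held by central IT, so do not offer password changes here.
chpass_provider = none

# /etc/pam.d/sssd-central-ldap (separate file, shown here as comments):
#
#   auth     required  pam_ldap.so
#   account  required  pam_ldap.so
#
# pam_ldap's own configuration file must point at the central IT server
# and should use LDAPS or StartTLS with certificate checking, because
# the user's cleartext password is sent in the bind to that server.
#
# Assumption: the login name resolved from the department directory is
# the same name under which the user exists in the central directory;
# pam_ldap looks the user up there by that name before binding.
```

The proxied PAM service must not itself include pam_sss, otherwise authentication loops back into SSSD.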