Hi all,
I am standing up a new OpenLDAP directory to serve as an SSSD authn/authz point for an HPC lab environment. This directory should delegate user/password authentication to a second LDAP directory via SASL. Following the directions from the LTB project https://ltb-project.org/documentation/sasl_delegation.html#pass-through-authentication-on-one-ldap-directory, as well as the standard OpenLDAP documentation https://www.openldap.org/doc/admin26/security.html#SASL%20method, I have set up a SASL daemon which I've confirmed works correctly. A few questions:

Is there anything one needs to do beyond the following?

1. Edit /usr/lib/sasl2/slapd.conf to include the lines "mech_list: plain", "pwcheck_method: saslauthd" and "saslauthd_path: /var/run/sasl2/mux".
2. Configure saslauthd.conf to point to the directory server for delegation (already working).
3. Edit the userPassword attribute of the user in question to be {SASL}user@domain.

It does not seem to be trying to delegate to SASL according to the logs. And if I look in Apache Directory Studio, while it looks like {SASL}user@domain there, if I do an ldapsearch on the user it shows me a hash. So I'm not sure it's being stored correctly.

There are some attributes missing from the default schema if one wants to use LDAP for UNIX/POSIX information. So I included /usr/local/openldap/etc/openldap/schema/nis.schema in order to add things like uidNumber and gidNumber to the schema, which adds posixAccount as a possible object type. But if I try to add a posixAccount user, or include a user's home directory with the homeDirectory attribute, I get "[LDAP result code 17 - undefinedAttributeType] homeDirectory: attribute type undefined." This seems to imply there's something else I need to do to add these attributes to the schema. I tried looking through the schema documentation https://www.openldap.org/doc/admin26/schema.html but none of it seems to apply to "here is how you add all the things that are missing by default." Because I noticed there were items missing from the inetOrgPerson definition (which was how I originally created my first user), I deleted that user, did the include and tried again. Now I cannot create a new user because of this homeDirectory attribute problem.
Thanks in advance!
--
Jarett T. DeAngelis, MS
Scientific Systems Engineer
Email: jarett@bioteam.net  M: +1.646.417.2165
bioteam.net https://www.bioteam.net/
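The check a practitioner would run for the userPassword step above, as an added example that is not part of the post, the LTB documentation or OpenLDAP itself. ldapsearch writes userPassword in LDIF's base64 form (`userPassword:: ...`), so a value that looks like a hash in its output may simply be the base64 encoding of `{SASL}user@domain`; the helpers below emit the ldapmodify LDIF that sets the attribute and decode what ldapsearch returns so the two can be compared. The DN `uid=jdoe,ou=People,dc=example,dc=org`, the uid `jdoe`, the domain `example.org` and the sample search output are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or the OpenLDAP/LTB projects).
# Helpers for the userPassword step of SASL pass-through:
#   sasl_passthrough_ldif  - emit the ldapmodify LDIF that sets userPassword
#                            to {SASL}user@domain (the LTB procedure)
#   ldif_attr              - read an attribute back out of ldapsearch output,
#                            decoding the "attr:: base64" form that ldapsearch
#                            uses for userPassword
#   password_scheme        - report the {SCHEME} prefix actually stored
# DN, uid, domain and the sample search output below are constructed.

# sasl_passthrough_ldif DN USER DOMAIN
# Prints a modify record suitable for:  ldapmodify -x -D <binddn> -W -f file.ldif
sasl_passthrough_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: {SASL}%s@%s\n' \
        "$1" "$2" "$3"
}

# ldif_attr ATTR < ldif-text
# Prints the value of ATTR from an LDIF record read on stdin.
# "attr: value" is printed as-is; "attr:: value" is base64-decoded.
# (Folded continuation lines are not handled; short values are not folded.)
ldif_attr() {
    attr=$1
    while IFS= read -r line; do
        case $line in
            "$attr:: "*) printf '%s' "${line#"$attr:: "}" | base64 -d; echo ;;
            "$attr: "*)  printf '%s\n' "${line#"$attr: "}" ;;
        esac
    done
}

# password_scheme VALUE
# Prints the {SCHEME} prefix of a userPassword value ({SASL}, {SSHA}, ...),
# or "none" when the value has no scheme prefix (stored in cleartext).
password_scheme() {
    case $1 in
        "{"*"}"*) printf '%s\n' "$1" | sed 's/^\({[^}]*}\).*/\1/' ;;
        *) echo none ;;
    esac
}

# Constructed sample of what  ldapsearch -x -LLL '(uid=jdoe)' userPassword
# prints after the modify has been applied. The "::" marks base64; the value
# decodes to {SASL}jdoe@example.org, not to a password hash.
SAMPLE_SEARCH_OUTPUT='dn: uid=jdoe,ou=People,dc=example,dc=org
uid: jdoe
userPassword:: e1NBU0x9amRvZUBleGFtcGxlLm9yZw=='

# Wrappers so the result can be checked without a live directory.
sample_userpassword() {
    printf '%s\n' "$SAMPLE_SEARCH_OUTPUT" | ldif_attr userPassword
}

sample_scheme() {
    password_scheme "$(sample_userpassword)"
}

# Demo when run directly:
#   sasl_passthrough_ldif 'uid=jdoe,ou=People,dc=example,dc=org' jdoe example.org
#   sample_userpassword   -> {SASL}jdoe@example.org
#   sample_scheme         -> {SASL}
```

If `sample_scheme` on real ldapsearch output prints `{SASL}`, the attribute is stored as the LTB procedure expects and the problem lies elsewhere (mechanism or slapd.conf lookup); if it prints `{SSHA}` or another hash scheme, the value was rewritten (for example by a password-policy or ppolicy hashing setting) and the delegation never gets a chance to run.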