Hi all,

I am standing up a new OpenLDAP directory to serve as an SSSD authn/authz point for an HPC lab environment. This directory should delegate user/password authentication to a second LDAP directory via SASL. Following the directions from the LTB project, as well as the standard OpenLDAP documentation, I have set up a SASL daemon which I've confirmed works correctly. A few questions follow:

  1. Is there anything one needs to do beyond
    • editing /usr/lib/sasl2/slapd.conf to include the "mech_list: plain", "pwcheck_method: saslauthd" and "saslauthd_path: /var/run/sasl2/mux" lines
    • configuring saslauthd.conf to point to the directory server for delegation (already working)
    • editing the userPassword attribute of the user in question to be {SASL}user@domain?
      It does not seem to be trying to delegate to SASL according to the logs. And if I look in Apache Directory Studio, it looks like {SASL}user@domain there, but if I do an ldapsearch on the user it shows me a hash. So I'm not sure it's being stored correctly.
  2. There are some attributes missing from the default schema if one wants to use LDAP for UNIX/POSIX information. So I included /usr/local/openldap/etc/openldap/schema/nis.schema in order to add things like uidNumber and gidNumber to the schema, which adds posixAccount as a possible object type. But if I try to add a posixAccount user, or include a user's home directory with the homeDirectory attribute, I get "[LDAP result code 17 - undefinedAttributeType] homeDirectory: attribute type undefined." This seems to imply there's something else I need to do to add these attributes to the schema. I tried looking through the schema documentation but none of it seems to apply to "here is how you add all the things that are missing by default." Because I noticed there were items missing from the inetOrgPerson definition (which was how I originally created my first user), I deleted that user, did the include and tried again. Now I cannot create a new user because of this homeDirectory attribute problem.

Thanks in advance!


--
Jarett T. DeAngelis, MS
Scientific Systems Engineer
Email: jarett@bioteam.net
M: +1.646.417.2165
bioteam.net
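Added example (not part of the original post, and not code from the LTB or OpenLDAP projects): two checks that can be run against ldapsearch output to answer both questions above. ldapsearch prints userPassword base64-encoded (as `userPassword::`), so decoding it shows whether the stored value is the `{SASL}user@domain` marker that slapd hands to saslauthd or a local hash such as `{SSHA}`; and a base-scope search of `cn=subschema` for `attributeTypes` shows whether the slapd you are talking to actually loaded the attribute types nis.schema provides (posixAccount requires cn, uid, uidNumber, gidNumber and homeDirectory). The DN, the identity jdoe@example.com and the sample dumps are constructed placeholders; a real run would feed in the text of `ldapsearch -LLL -x -D <admin dn> -W -b <base> uid=jdoe userPassword` and of `ldapsearch -LLL -x -s base -b cn=subschema attributeTypes`.

```python
"""Inspect ldapsearch output for an OpenLDAP SASL pass-through setup.

Added example; inputs and names below are constructed placeholders.
"""
import base64
import re

# posixAccount MUST attributes (RFC 2307 / nis.schema)
POSIX_ACCOUNT_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")

_LINE = re.compile(r"^([^:\s]+)(::?) ?(.*)$")
_NAME = re.compile(r"NAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")


def parse_ldif_entry(text):
    """Parse one LDIF entry into {lower-cased attr: [values]}.

    Joins folded lines (a leading single space continues the previous line)
    and decodes '::' values, which ldapsearch uses for base64 data such as
    userPassword.
    """
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entry = {}
    for line in logical:
        m = _LINE.match(line)
        if not m:
            continue
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        entry.setdefault(name, []).append(value)
    return entry


def classify_password(value):
    """('sasl', 'user@domain') for pass-through, ('hash', 'SSHA') for a local
    hash, ('cleartext', None) when there is no {scheme} prefix at all."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}(.*)$", value)
    if not m:
        return ("cleartext", None)
    scheme, rest = m.group(1).upper(), m.group(2)
    return ("sasl", rest) if scheme == "SASL" else ("hash", scheme)


def check_passthrough(entry_ldif, expected_sasl_id):
    """(ok, detail): ok only when userPassword is exactly {SASL}<expected_sasl_id>,
    i.e. slapd will hand a simple bind on this entry to saslauthd."""
    values = parse_ldif_entry(entry_ldif).get("userpassword", [])
    if not values:
        return (False, "no userPassword attribute on the entry")
    kind, detail = classify_password(values[0])
    if kind == "sasl" and detail == expected_sasl_id:
        return (True, "pass-through to %s" % detail)
    if kind == "sasl":
        return (False, "pass-through to %s, expected %s" % (detail, expected_sasl_id))
    if kind == "hash":
        return (False, "stored as a local %s hash; no pass-through" % detail)
    return (False, "stored in cleartext; no pass-through")


def sasl_passthrough_modify_ldif(dn, sasl_id):
    """LDIF for ldapmodify that stores the marker verbatim. An ordinary modify
    of userPassword is stored as sent; slapd's password-hash directive applies
    to the Password Modify extended operation (and ppolicy can be told to hash
    cleartext), which is how a hash can end up where {SASL}... was intended."""
    return ("dn: %s\nchangetype: modify\nreplace: userPassword\n"
            "userPassword: {SASL}%s\n" % (dn, sasl_id))


def defined_attribute_types(subschema_ldif):
    """Lower-cased NAMEs of every attribute type the running slapd advertises."""
    names = set()
    for defn in parse_ldif_entry(subschema_ldif).get("attributetypes", []):
        m = _NAME.search(defn)
        if m and m.group(1):
            names.add(m.group(1).lower())
        elif m:
            names.update(n.lower() for n in re.findall(r"'([^']+)'", m.group(2)))
    return names


def missing_posix_attrs(subschema_ldif):
    """posixAccount MUST attributes the server does not know. A non-empty set
    means the slapd you queried has not loaded nis.schema."""
    have = defined_attribute_types(subschema_ldif)
    return {a.lower() for a in POSIX_ACCOUNT_MUST if a.lower() not in have}


# Constructed samples mimicking ldapsearch -LLL output; the base64 is built
# here so the samples are exact.
def _entry(pw_bytes):
    return ("dn: uid=jdoe,ou=People,dc=example,dc=com\n"
            "objectClass: inetOrgPerson\nuid: jdoe\n"
            "userPassword:: " + base64.b64encode(pw_bytes).decode() + "\n")

SAMPLE_SASL_ENTRY = _entry(b"{SASL}jdoe@example.com")
SAMPLE_HASH_ENTRY = _entry(b"{SSHA}" + base64.b64encode(b"fake-digest-and-salt"))

SUBSCHEMA_BASE = (
    "dn: cn=Subschema\n"
    "attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )\n"
    "attributeTypes: ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) \n"
    " EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n"
)
SUBSCHEMA_WITH_NIS = SUBSCHEMA_BASE + (
    "attributeTypes: ( 1.3.6.1.1.1.1.0 NAME 'uidNumber' EQUALITY integerMatch \n"
    " SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )\n"
    "attributeTypes: ( 1.3.6.1.1.1.1.1 NAME 'gidNumber' EQUALITY integerMatch \n"
    " SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )\n"
    "attributeTypes: ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory' \n"
    " EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )\n"
)
```

Once `check_passthrough` reports the marker is in place, a simple bind such as `ldapwhoami -x -H ldap://localhost -D uid=jdoe,ou=People,dc=example,dc=com -W` exercises the slapd-to-saslauthd path end to end, and `testsaslauthd -u jdoe -r example.com -p <password>` separates a saslauthd problem from a slapd one.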