9.2.7. Configuring a Proxy Domain

SSSD currently only supports LDAP and Kerberos as authentication providers. If you prefer to use SSSD (for example, to take advantage of its caching functionality), but SSSD does not support your authentication method, you can set up a proxy authentication provider. This could be the case if you use fingerprint scanners or smart cards as part of your authentication process. Similarly, you can set up proxy to serve as an identity provider.

The following sections cover combinations of identity and authentication providers in which the proxy server takes the role of one.

9.2.7.1. proxy/KRB5

The following configuration is an example of a combination of a proxy identity provider used with Kerberos authentication:

Edit the /etc/sssd/sssd.conf configuration file to include the following settings:

[domain/PROXY_KRB5]
auth_provider = krb5
krb5_server = 192.168.1.1
krb5_realm = EXAMPLE.COM

id_provider = proxy
proxy_lib_name = nis
enumerate = true
cache_credentials = true

For more information on various Kerberos configuration options, refer to Section 9.2.6, “Setting Up Kerberos Authentication”.

9.2.7.2. LDAP/proxy

An example of a combination of an LDAP identity provider and a proxy authentication provider is the use of the LDAP with a custom PAM stack. To enable authentication via the PAM stack, complete the following steps:

Edit the /etc/sssd/sssd.conf configuration file to include the following settings:
```
[domain/LDAP_PROXY]
id_provider = ldap
ldap_uri = ldap://example.com
ldap_search_base = dc=example,dc=com

auth_provider = proxy
proxy_pam_target = sssdpamproxy
enumerate = true
cache_credentials = true
```
By specifying the options above, authentication requests will be proxied via the /etc/pam.d/sssdpamproxy file which provides the needed module interfaces. Note that the pam_ldap.so file can be substituted with a PAM module of your choice.
For more information on various LDAP configuration options, refer to Section 9.2.5.2, “Configuring an LDAP Domain”.

Create a /etc/pam.d/sssdpamproxy file (if not already created) and specify the following settings in it:

auth          required      pam_ldap.so
account       required      pam_ldap.so
password      required      pam_ldap.so
session       required      pam_ldap.so

9.2.7.3. proxy/proxy

An example of a combination of an proxy identity provider and a proxy authentication provider is the use of the proxy identity provider with a custom PAM stack. To enable authentication via the PAM stack, complete the following steps:

Make sure the nss-pam-ldapd package is installed

In order to use the proxy identity provider, you must have the nss-pam-ldapd package installed.

Edit the /etc/sssd/sssd.conf configuration file to include the following settings:
```
[domain/PROXY_PROXY]
auth_provider = proxy
id_provider = proxy
proxy_lib_name = ldap
proxy_pam_target = sssdproxyldap
enumerate = true 
cache_credentials = true
```
By specifying the options above, authentication requests will be proxied via the /etc/pam.d/sssdproxyldap file which provides the needed module interfaces.
For more information on the options used in the configuration example above, refer to man sssd.conf

Create a /etc/pam.d/sssdproxyldap file (if not already created) and specify the following settings in it:

auth          required      pam_ldap.so
account       required      pam_ldap.so
password      required      pam_ldap.so
session       required      pam_ldap.so

Edit the /etc/nslcd.conf file (the default configuration file for the LDAP name service daemon) to include the following settings:
```
uid nslcd
gid ldap
uri ldaps://ldap.mydomain.org:636
base dc=mydomain,dc=org
ssl on
tls_cacertdir /etc/openldap/cacerts
```
For more information on the options used in the configuration example above, refer to man nslcd.conf