9.2.7. Configuring a Proxy Domain
SSSD currently only supports LDAP and Kerberos as authentication providers. If you prefer to use SSSD (for example, to take advantage of its caching functionality), but SSSD does not support your authentication method, you can set up a proxy authentication provider. This could be the case if you use fingerprint scanners or smart cards as part of your authentication process. Similarly, you can set up a proxy to serve as an identity provider.
The following sections cover combinations of identity and authentication providers in which the proxy server takes the role of one.
The following configuration is an example of a combination of a proxy identity provider used with Kerberos authentication:
Edit the /etc/sssd/sssd.conf configuration file to include the following settings:
[domain/PROXY_KRB5]
auth_provider = krb5
krb5_server = 192.168.1.1
krb5_realm = EXAMPLE.COM
id_provider = proxy
proxy_lib_name = nis
enumerate = true
cache_credentials = true
An example of a combination of an LDAP identity provider and a proxy authentication provider is the use of LDAP with a custom PAM stack. To enable authentication via the PAM stack, complete the following steps:
Edit the /etc/sssd/sssd.conf configuration file to include the following settings:
[domain/LDAP_PROXY]
id_provider = ldap
ldap_uri = ldap://example.com
ldap_search_base = dc=example,dc=com
auth_provider = proxy
proxy_pam_target = sssdpamproxy
enumerate = true
cache_credentials = true
By specifying the options above, authentication requests will be proxied via the /etc/pam.d/sssdpamproxy file, which provides the needed module interfaces. Note that the pam_ldap.so module can be substituted with a PAM module of your choice.
Create a /etc/pam.d/sssdpamproxy file (if not already created) and specify the following settings in it:
auth required pam_ldap.so
account required pam_ldap.so
password required pam_ldap.so
session required pam_ldap.so
An example of a combination of a proxy identity provider and a proxy authentication provider is the use of the proxy identity provider with a custom PAM stack. To enable authentication via the PAM stack, complete the following steps:
In order to use the proxy identity provider, you must have the nss-pam-ldapd package installed.
Edit the /etc/sssd/sssd.conf configuration file to include the following settings:
[domain/PROXY_PROXY]
auth_provider = proxy
id_provider = proxy
proxy_lib_name = ldap
proxy_pam_target = sssdproxyldap
enumerate = true
cache_credentials = true
By specifying the options above, authentication requests will be proxied via the /etc/pam.d/sssdproxyldap file, which provides the needed module interfaces.
For more information on the options used in the configuration example above, refer to man sssd.conf.
Create a /etc/pam.d/sssdproxyldap file (if not already created) and specify the following settings in it:
auth required pam_ldap.so
account required pam_ldap.so
password required pam_ldap.so
session required pam_ldap.so
Edit the /etc/nslcd.conf file (the default configuration file for the LDAP name service daemon) to include the following settings:
uid nslcd
gid ldap
uri ldaps://ldap.mydomain.org:636
base dc=mydomain,dc=org
ssl on
tls_cacertdir /etc/openldap/cacerts
For more information on the options used in the configuration example above, refer to man nslcd.conf.
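A proxy domain only works when every piece it delegates to is present: an id_provider = proxy needs proxy_lib_name, and an auth_provider = proxy needs a proxy_pam_target whose /etc/pam.d file exists and does not itself call pam_sss.so (which would hand the request straight back to SSSD). The following sanity check for the LDAP_PROXY and PROXY_PROXY configurations above is an added example, not code from the guide or from SSSD; the sssd.conf text and PAM file contents are constructed stand-ins, and the domain name PROXY_BROKEN is invented to show a failing case.

```python
# Added sanity check: parse each proxy domain in sssd.conf and confirm
# the provider it proxies to is actually wired up.
import configparser

# Constructed sssd.conf: LDAP_PROXY mirrors the guide's example; PROXY_BROKEN is
# deliberately incomplete so the check has findings to report.
SAMPLE_SSSD_CONF = """\
[domain/LDAP_PROXY]
id_provider = ldap
auth_provider = proxy
proxy_pam_target = sssdpamproxy

[domain/PROXY_BROKEN]
auth_provider = proxy
id_provider = proxy
proxy_pam_target = sssdloop
"""

# Constructed contents of /etc/pam.d/<target>, keyed by PAM service name.
SAMPLE_PAM_FILES = {
    "sssdpamproxy": "auth required pam_ldap.so\naccount required pam_ldap.so\n"
                    "password required pam_ldap.so\nsession required pam_ldap.so\n",
    "sssdloop": "auth required pam_sss.so\n",  # would hand the request back to SSSD
}


def check_proxy_domains(conf_text, pam_files):
    """Map each domain that uses a proxy provider to its findings ([] = clean)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = {}
    for section in cp.sections():
        dom = cp[section]
        providers = (dom.get("id_provider"), dom.get("auth_provider"))
        if not section.startswith("domain/") or "proxy" not in providers:
            continue
        problems = []
        if providers[0] == "proxy" and not dom.get("proxy_lib_name"):
            # id_provider=proxy needs the NSS library (nis, ldap, ...) it should wrap
            problems.append("id_provider=proxy but proxy_lib_name is not set")
        if providers[1] == "proxy":
            target = dom.get("proxy_pam_target")
            if not target:
                problems.append("auth_provider=proxy but proxy_pam_target is not set")
            elif target not in pam_files:
                problems.append(f"/etc/pam.d/{target} does not exist")
            elif "pam_sss.so" in pam_files[target]:
                # the proxied stack calling pam_sss.so sends authentication back into SSSD
                problems.append(f"/etc/pam.d/{target} calls pam_sss.so (loops back into SSSD)")
        findings[section.split("/", 1)[1]] = problems
    return findings
```

On a real host, pass the text of /etc/sssd/sssd.conf and a dictionary built from the files in /etc/pam.d instead of the constructed samples.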