
I use openldap with the following structure:

dc=example,dc=org
├── ou=groups
│   ├── cn=wheel
│   └── cn=adm
└── ou=users
    ├── uid=firstname.lastname
    └── uid=firstname.lastname

Every setup of SSSD I found uses the setting ldap_search_base. But I have a simple structure and I would prefer to avoid putting an admin password in the config file (or allowing anonymous bind...).
Is there a setting similar to this:

ldap_direct_bind = "uid=%(user)s,ou=users,dc=example,dc=org"

Thanks for your help!

ange

2 Answers


I posted an issue on the project page: https://github.com/SSSD/sssd/issues/6376

ange

You don't need (IMO you shouldn't have) an admin user to be provided as ldap_default_bind; all you need is an account which has read access to the necessary user attributes (defined in RFC 2307).

The problem with your approach is that user enumeration will probably not work, as the users are not guaranteed to have read access to the entire tree. This is a problem with ssh, for example, as ssh checks the user's existence before attempting to authenticate.

Lacek
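One way to set up the read-only lookup account the second answer describes, for the tree shown in the question, as an added example that is not from the question or either answer; the service account DN cn=sssd,ou=services,dc=example,dc=org, the server URI and the CA file path are assumptions:

```ini
# Added example (not from the question or answers): an sssd.conf LDAP domain
# for the tree in the question that follows the second answer's advice. It
# binds with a dedicated read-only service account rather than an admin
# account or an anonymous bind. The service DN, URI and CA path are assumed.
[sssd]
services = nss, pam
domains = example.org

[domain/example.org]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldaps://ldap.example.org
# Require a verified server certificate; never send binds in the clear.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/example-org-ca.pem

# Search bases matching the question's structure.
ldap_search_base = dc=example,dc=org
ldap_user_search_base = ou=users,dc=example,dc=org
ldap_group_search_base = ou=groups,dc=example,dc=org

# Least-privilege lookup credential: a service account whose only right in
# the directory is to read the RFC 2307 user and group attributes (uid,
# uidNumber, gidNumber, homeDirectory, loginShell, memberUid, ...). It must
# not be able to read userPassword or write anything.
ldap_default_bind_dn = cn=sssd,ou=services,dc=example,dc=org
ldap_default_authtok_type = password
ldap_default_authtok = CHANGE-ME-service-account-secret
# The secret is stored in the clear (obfuscated_password only hides it from a
# casual glance), so keep this file root-owned with mode 0600, which sssd
# checks at start-up.

# Authentication itself still happens as the user: SSSD resolves the DN with
# the service account, then does a simple bind with the user's own password,
# so the user's credentials never depend on the lookup account's rights.

# Resolve users on demand instead of walking the whole directory.
enumerate = false
cache_credentials = true
```

On the OpenLDAP side the service account needs an olcAccess rule granting it read on ou=users and ou=groups but not on userPassword, while userPassword keeps a "by anonymous auth" clause so the users' own simple binds still work.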