30.4.4. Configuring a Proxy Domain
Table 30.7. Proxy Domain Configuration Parameters

| Parameter | Description |
|---|---|
| proxy_pam_target | Specifies the target to which PAM must proxy as an authentication provider. The PAM target is a file containing PAM stack information in the default PAM directory, /etc/pam.d/. This is used to proxy an authentication provider. Important: ensure that the proxy PAM stack does not recursively include pam_sss.so. |
| proxy_lib_name | Specifies which existing NSS library to proxy identity requests through. This is used to proxy an identity provider. |
Example 30.4. Proxy Identity and Kerberos Authentication

proxy_lib_name parameter. This library can be anything as long as it is compatible with the given authentication service. For a Kerberos authentication provider, it must be a Kerberos-compatible library, like NIS.

```
[domain/PROXY_KRB5]
auth_provider = krb5
krb5_server = 192.168.1.1
krb5_realm = EXAMPLE.COM
id_provider = proxy
proxy_lib_name = nis
enumerate = true
cache_credentials = true
```
Example 30.5. LDAP Identity and Proxy Authentication

proxy_pam_target parameter. This library must be a PAM module that is compatible with the given identity provider. For example, this uses a PAM fingerprint module with LDAP:

```
[domain/LDAP_PROXY]
id_provider = ldap
ldap_uri = ldap://example.com
ldap_search_base = dc=example,dc=com
auth_provider = proxy
proxy_pam_target = sssdpamproxy
enumerate = true
cache_credentials = true
```

sssdpamproxy, so create a /etc/pam.d/sssdpamproxy file and load the PAM/LDAP modules:

```
auth required pam_frprint.so
account required pam_frprint.so
password required pam_frprint.so
session required pam_frprint.so
```
Example 30.6. Proxy Identity and Authentication

proxy_pam_target for the authentication PAM module and proxy_lib_name for the service, like NIS or LDAP.

```
[domain/PROXY_PROXY]
auth_provider = proxy
id_provider = proxy
proxy_lib_name = ldap
proxy_pam_target = sssdproxyldap
enumerate = true
cache_credentials = true
```

- Create an /etc/pam.d/sssdproxyldap file which requires the pam_ldap.so module:

  ```
  auth required pam_ldap.so
  account required pam_ldap.so
  password required pam_ldap.so
  session required pam_ldap.so
  ```

- Make sure the nss-pam-ldap package is installed.

  ```
  [root@server ~]# yum install nss-pam-ldap
  ```

- Edit the /etc/nslcd.conf file, the configuration file for the LDAP name service daemon, to contain the information for the LDAP directory:

  ```
  uid nslcd
  gid ldap
  uri ldaps://ldap.example.com:636
  base dc=example,dc=com
  ssl on
  tls_cacertdir /etc/openldap/cacerts
  ```
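Table 30.7 warns that the proxy PAM stack must not pull pam_sss.so back in, which would make SSSD proxy authentication to itself. The checker below is an added example, not part of the Red Hat guide: it walks a PAM target such as sssdpamproxy or sssdproxyldap and every stack it reaches through include/substack (and Debian-style @include) and reports any line that loads pam_sss.so. The PAM_DIR variable and the check_pam_target function are the example's own names.

```bash
#!/bin/bash
# Added example: verify that an SSSD proxy PAM target never loads pam_sss.so,
# directly or through an included stack. PAM_DIR defaults to the system PAM
# directory and can be overridden for testing.
PAM_DIR="${PAM_DIR:-/etc/pam.d}"

# check_pam_target TARGET [VISITED]
# Exit status: 0 stack is clean, 1 pam_sss.so is loaded somewhere in the stack,
# 2 a referenced stack file is missing. VISITED guards against include loops.
check_pam_target() {
    local target="$1" seen="${2:-}" rc=0 line
    local file="$PAM_DIR/$target"

    # A stack already visited on this path is reported once only.
    case " $seen " in *" $target "*) return 0 ;; esac
    seen="$seen $target"

    if [ ! -f "$file" ]; then
        echo "missing PAM stack: $file" >&2
        return 2
    fi

    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"            # strip comments
        set -f; set -- $line; set +f  # split into type control module args
        [ $# -ge 2 ] || continue      # blank or malformed line
        if [ "$1" = "@include" ]; then
            check_pam_target "$2" "$seen" || rc=$?
            continue
        fi
        case "$2" in
            include|substack)
                # Recurse into the referenced stack; keep the worst status seen.
                check_pam_target "$3" "$seen" || rc=$?
                ;;
            *)
                case "$line" in
                    *pam_sss.so*)
                        echo "$target: loads pam_sss.so ($1 $2); SSSD would proxy to itself"
                        rc=1
                        ;;
                esac
                ;;
        esac
    done < "$file"
    return $rc
}

# Usage: PAM_DIR=/etc/pam.d ./check_proxy_target.sh sssdpamproxy
if [ -n "${1:-}" ]; then
    check_pam_target "$1"
fi
```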