Show Table of Contents
13.2.20. Creating Domains: Proxy
A proxy with SSSD is just a relay, an intermediary configuration. SSSD connects to its proxy service, and then that proxy loads the specified libraries. This allows SSSD to use some resources that it otherwise would not be able to use. For example, SSSD only supports LDAP and Kerberos as authentication providers, but using a proxy allows SSSD to use alternative authentication methods like a fingerprint scanner or smart card.
Table 13.9. Proxy Domain Configuration Parameters
| Parameter | Description |
|---|---|
| proxy_pam_target | Specifies the target to which PAM must proxy as an authentication provider. The PAM target is a file containing PAM stack information in the default PAM directory, /etc/pam.d/.
This is used to proxy an authentication provider.
Important
Ensure that the proxy PAM stack does not recursively include pam_sss.so.
|
| proxy_lib_name | Specifies which existing NSS library to proxy identity requests through.
This is used to proxy an identity provider.
|
Example 13.10. Proxy Identity and Kerberos Authentication
The proxy library is loaded using the
proxy_lib_name parameter. This library can be anything as long as it is compatible with the given authentication service. For a Kerberos authentication provider, it must be a Kerberos-compatible library, like NIS.
[domain/PROXY_KRB5] auth_provider = krb5 krb5_server = kdc.example.com krb5_realm = EXAMPLE.COM id_provider = proxy proxy_lib_name = nis cache_credentials = true
Example 13.11. LDAP Identity and Proxy Authentication
The proxy library is loaded using the
proxy_pam_target parameter. This library must be a PAM module that is compatible with the given identity provider. For example, this uses a PAM fingerprint module with LDAP:
[domain/LDAP_PROXY] id_provider = ldap ldap_uri = ldap://example.com ldap_search_base = dc=example,dc=com auth_provider = proxy proxy_pam_target = sssdpamproxy cache_credentials = true
After the SSSD domain is configured, make sure that the specified PAM files are configured. In this example, the target is
sssdpamproxy, so create a /etc/pam.d/sssdpamproxy file and load the PAM/LDAP modules:
auth required pam_frprint.so account required pam_frprint.so password required pam_frprint.so session required pam_frprint.so
Example 13.12. Proxy Identity and Authentication
SSSD can have a domain with both identity and authentication proxies. The only configuration given then are the proxy settings,
proxy_pam_target for the authentication PAM module and proxy_lib_name for the service, like NIS or LDAP.
This example illustrates a possible configuration, but this is not a realistic configuration. If LDAP is used for identity and authentication, then both the identity and authentication providers should be set to the LDAP configuration, not a proxy.
[domain/PROXY_PROXY] auth_provider = proxy id_provider = proxy proxy_lib_name = ldap proxy_pam_target = sssdproxyldap cache_credentials = true
Once the SSSD domain is added, then update the system settings to configure the proxy service:
- Create a
/etc/pam.d/sssdproxyldapfile which requires thepam_ldap.somodule:auth required pam_ldap.so account required pam_ldap.so password required pam_ldap.so session required pam_ldap.so
- Make sure the nss-pam-ldapd package is installed.
~]# yum install nss-pam-ldapd
- Edit the
/etc/nslcd.conffile, the configuration file for the LDAP name service daemon, to contain the information for the LDAP directory:uid nslcd gid ldap uri ldaps://ldap.example.com:636 base dc=example,dc=com ssl on tls_cacertdir /etc/openldap/cacerts
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.