diff options
author | Jan Zeleny <jzeleny@redhat.com> | 2011-03-29 02:46:25 -0400 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2011-04-25 08:06:34 -0400 |
commit | e81a816cddab4a62f263d1a0274d5d3f101e8e0f (patch) | |
tree | de3d6baa2ac2d39c4d50d1ce5a911e435dc0e3a9 /src/config | |
parent | d03617ab9106c14b46ab3dc85d5c8ced393da533 (diff) | |
download | sssd-e81a816cddab4a62f263d1a0274d5d3f101e8e0f.tar.gz sssd-e81a816cddab4a62f263d1a0274d5d3f101e8e0f.tar.bz2 sssd-e81a816cddab4a62f263d1a0274d5d3f101e8e0f.zip |
Modify principal selection for keytab authentication
Currently we construct the principal as host/fqdn@REALM. The problem
with this is that this principal doesn't have to be in the keytab. In
that case the provider fails to start. It is better to scan the keytab
and find the most suitable principal to use. Only in case no suitable
principal is found the backend should fail to start.
The second issue solved by this patch is that the realm we are
authenticating the machine to can be in general different from the realm
our users are part of (in case of cross Kerberos trust).
The patch adds new configuration option SDAP_SASL_REALM.
https://fedorahosted.org/sssd/ticket/781
Diffstat (limited to 'src/config')
-rw-r--r-- | src/config/SSSDConfig.py | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py index c3d9ed40..02f76af2 100644 --- a/src/config/SSSDConfig.py +++ b/src/config/SSSDConfig.py @@ -133,6 +133,7 @@ option_strings = { 'ldap_tls_reqcert' : _('Require TLS certificate verification'), 'ldap_sasl_mech' : _('Specify the sasl mechanism to use'), 'ldap_sasl_authid' : _('Specify the sasl authorization id to use'), + 'ldap_sasl_realm' : _('Specify the sasl authorization realm to use'), 'ldap_krb5_keytab' : _('Kerberos service keytab'), 'ldap_krb5_init_creds' : _('Use Kerberos auth for LDAP connection'), 'ldap_referrals' : _('Follow LDAP referrals'), |