abbra / freeipa

Mirror of FreeIPA, an integrated security information management solution
http://www.freeipa.org
GNU General Public License v3.0

Connecting a subdomain via LDAP to another subdomain #98

Open Nikita-zeroBit opened 1 year ago

Nikita-zeroBit commented 1 year ago

There is a FreeIPA root domain (test.lan) and 2 child domains (subtest.test.lan, subtest2.test.lan). Trust has been set up between the Kerberos domains:

  1. Trusted accounts have been created between subtest.test.lan and test.lan, and between subtest2.test.lan and test.lan. The entries were created via kadmin.local.
  2. From the subtest2.test.lan domain, you can get the TGS of the subtest.test.lan domain:
    kvno ldap/dc01.subtest.test.lan@SUBTEST.TEST.LAN

    but the connection via LDAP SASL GSSAPI does not occur and the error "SASL(-14): authorization failure: " appears.

  3. Do I need any additional actions to be able to perform an LDAP SASL GSSAPI bind? Maybe I need to do SASL mapping? I set up the trust relationship according to the instructions at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/using_trusts
Nikita-zeroBit commented 1 year ago

[Screenshot 2023-07-05 at 13:12:28] [Screenshot 2023-07-05 at 13:13:04] [Screenshot 2023-07-05 at 13:13:53]

abbra commented 1 year ago

This is not supported. I'm on vacation for the next couple of weeks and cannot dive into details, sorry. Please remind me closer to the end of July.

Nikita-zeroBit commented 1 year ago

Thank you for quick reply. Have a nice vacation!

abbra commented 1 year ago

Users from a trusted domain will only be able to auth to LDAP if they map onto an ID override with their name in the 'Default trust view'. Basically, there is a mapping rule for SASL authorization in the LDAP server configuration that maps an incoming (authenticated) Kerberos principal from SASL to an LDAP object (ID override). If that matches, the LDAP bind will be mapped to this LDAP object and access to the LDAP server will be granted with the permissions available to that ID override. This works for any 'normal' principal from a trusted domain as long as you are able to define it in ID overrides, even without any actual overrides.

See https://freeipa.readthedocs.io/en/latest/designs/adtrust/admin-ipa-as-trusted-user.html for some details. For IPA-IPA trust this would rely on the fact that you have a trust object visible to the ipa trust-find command and that SSSD on the IPA server is able to resolve this principal. That is not currently possible for IPA-IPA trust as I haven't completed this work in my branch yet and there are a few things to be fixed first on the SSSD side too.
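Added illustration (not code from FreeIPA, 389-ds, or anyone in this thread): a small Python model of the SASL authorization mapping abbra describes. An authenticated principal is matched against ordered rules of the shape 389-ds uses for its SASL mappings (regex, base DN template, filter template); the first rule whose search returns exactly one entry decides which LDAP object the bind becomes. The rule contents, DNs, attribute names (ipaOriginalUid, ipaAnchorUUID) and directory entries are constructed for the demo and are not FreeIPA's real mapping. It shows why a valid TGS alone is not enough: a service principal, or a trusted user with no entry in the Default Trust View, ends in the same "SASL(-14): authorization failure" reported above.

```python
"""Toy model of LDAP SASL mapping: authenticated Kerberos principal -> LDAP entry.

Illustrative simulation written for this page, not FreeIPA or 389-ds code.
Rule layout (regex, base DN template, filter template) mirrors 389-ds style
SASL mappings; rule contents, DNs, attribute names and entries are assumed.
"""
import re

# Constructed in-memory directory: DN -> {lower-case attribute: [values]}.
# The ID override entry layout under "Default Trust View" is assumed.
DIRECTORY = {
    "uid=admin,cn=users,cn=accounts,dc=test,dc=lan": {
        "objectclass": ["posixAccount", "krbPrincipalAux"],
        "uid": ["admin"],
    },
    # Constructed ID override for bob@subtest.test.lan (entry only, no real overrides).
    "ipaanchoruuid=:IPA:subtest.test.lan:11111111-2222-3333-4444-555555555555,"
    "cn=Default Trust View,cn=views,cn=accounts,dc=test,dc=lan": {
        "objectclass": ["ipaUserOverride"],
        "ipaoriginaluid": ["bob@subtest.test.lan"],
    },
}

# Assumed mapping rules, tried in order; \1, \2 in templates are regex groups.
SASL_MAPS = [
    {"name": "native users", "regex": r"^([^@/]+)@TEST\.LAN$",
     "base": "cn=users,cn=accounts,dc=test,dc=lan", "filter": r"(uid=\1)"},
    {"name": "trusted users via Default Trust View", "regex": r"^([^@/]+)@([^@]+)$",
     "base": "cn=Default Trust View,cn=views,cn=accounts,dc=test,dc=lan",
     "filter": r"(&(objectClass=ipaUserOverride)(ipaOriginalUid=\1@\2))"},
]


def _split_top_level(s):
    """Split "(a=b)(c=d)" into its top-level parenthesised components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def match_filter(entry, flt):
    """Evaluate a minimal LDAP filter: equality and AND only, case-insensitive."""
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")):
        raise ValueError("malformed filter: %r" % flt)
    body = flt[1:-1]
    if body.startswith("&"):
        return all(match_filter(entry, sub) for sub in _split_top_level(body[1:]))
    attr, _, value = body.partition("=")
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))


def expand(template, m):
    """Replace \\1, \\2, ... in a template with the groups of regex match m."""
    return re.sub(r"\\(\d)", lambda g: m.group(int(g.group(1))), template)


def authorize(principal, directory=DIRECTORY, maps=SASL_MAPS):
    """Map an authenticated principal to exactly one entry DN, or None.

    None is the situation in the thread: authentication succeeded (a TGS was
    obtained) but no rule resolves the principal to an entry, so the server
    answers 'SASL(-14): authorization failure'.
    """
    for rule in maps:
        m = re.match(rule["regex"], principal)
        if not m:
            continue
        base = expand(rule["base"], m).lower()
        flt = expand(rule["filter"], m)
        hits = [dn for dn, entry in directory.items()
                if dn.lower().endswith(base) and match_filter(entry, flt)]
        if len(hits) == 1:  # empty or ambiguous results fall through (assumed)
            return hits[0]
    return None


def bind_result(principal):
    """Human-readable outcome of a SASL/GSSAPI bind for the given principal."""
    dn = authorize(principal)
    return "bound as %s" % dn if dn else "SASL(-14): authorization failure"


if __name__ == "__main__":
    for p in ("admin@TEST.LAN", "bob@SUBTEST.TEST.LAN", "carol@SUBTEST2.TEST.LAN",
              "ldap/dc01.subtest.test.lan@SUBTEST.TEST.LAN"):
        print("%-45s -> %s" % (p, bind_result(p)))
```

The model keeps the two halves of the problem apart: Kerberos settles who you are (the kvno in the report succeeds), while the mapping rule settles which LDAP object you act as; without a matching entry in the trust view the second step has nothing to resolve to, whatever cross-realm trust exists.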