Connecting a subdomain via LDAP to another subdomain #98
Comments
This is not supported. I'm on vacation for the next couple of weeks and cannot dive into details, sorry. Please remind me closer to the end of July.
Thank you for the quick reply. Have a nice vacation!
Users from a trusted domain will only be able to auth to LDAP if they map onto an ID override with their name in the 'Default trust view'. Basically, there is a mapping rule for SASL authorization in LDAP server configuration that maps an incoming (authenticated) Kerberos principal from SASL to an LDAP object (ID override). If that matches, LDAP bind will be mapped to this LDAP object and access to LDAP server will be granted with permissions available to that ID override. This works for any 'normal' principal from a trusted domain as long as you are able to define it in ID overrides, even without any actual overrides. See https://freeipa.readthedocs.io/en/latest/designs/adtrust/admin-ipa-as-trusted-user.html for some details. For IPA-IPA trust this would rely on the fact that you have a trust object visible to
There is a FreeIPA root domain (test.lan) and 2 child domains (subtest.test.lan, subtest2.test.lan). Trust has been set up between domains between Kerberos domains:
but the connection via LDAP SASL GSSAPI does not occur and the error "SASL(-14): authorization failure: " appears
3. Do I need any additional actions to be able to perform bind LDAP SASL GSSAPI?
Maybe I need to do SASL mapping?
I set up a trust relationship according to the instructions https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/using_trusts
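The mapping step described in the maintainer's reply, modelled as an added example (not FreeIPA's or 389-ds's own code): the authenticated Kerberos principal is turned into a search under the Default Trust View, and the bind is authorized only when exactly one ID override matches. The rule values, the `override_principal` attribute, the DNs and the directory entries are constructed for illustration and are assumptions, not the shipped configuration.

```python
import re

TRUST_VIEW = "cn=default trust view,cn=views,cn=accounts,dc=test,dc=lan"

# Constructed rule shaped like a SASL mapping entry: a regex over the
# principal, a search base and a filter template. Not FreeIPA's shipped rule.
RULE = {
    "regex": r"^([^@]+)@(.+)$",
    "base": TRUST_VIEW,
    "filter": ("override_principal", r"\1@\2"),  # hypothetical attribute name
}

# Constructed directory: only alice has an ID override in the trust view.
DIRECTORY = [
    {"dn": "cn=override-alice," + TRUST_VIEW,
     "override_principal": "alice@subtest.test.lan"},
    # bob exists, but outside the search base, so the rule never sees him.
    {"dn": "uid=bob,cn=users,cn=accounts,dc=test,dc=lan",
     "override_principal": "bob@subtest.test.lan"},
]


def map_principal(principal, rule=RULE, directory=DIRECTORY):
    """Return the DN the bind is mapped to, or None when no single entry
    matches (the case the client reports as an authorization failure)."""
    m = re.match(rule["regex"], principal)
    if not m:
        return None
    attr, template = rule["filter"]
    wanted = m.expand(template).lower()
    hits = [e["dn"] for e in directory
            if e["dn"].lower().endswith("," + rule["base"])
            and e.get(attr, "").lower() == wanted]
    # Model assumption: the search must identify exactly one entry.
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for p in ("alice@SUBTEST.TEST.LAN", "bob@SUBTEST.TEST.LAN",
              "carol@SUBTEST2.TEST.LAN"):
        dn = map_principal(p)
        print(p, "->", dn or "authorization failure (no ID override matched)")
```

In this model a valid Kerberos ticket is not enough: `bob` and `carol` authenticate but have no ID override under the trust view, so the bind is refused at the authorization step.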