SSSD - start LDAP search with the logging-in user

Situation today: we've got a working sssd config on multiple Ubuntu clients. This config authenticates against an LDAP server. The SASL mech is specified as "gssapi" and uses a krb5 keytab file. Bombastic feature: the user specified in the keytab file expires every 90 days. Not that bad, but replacing the keytab file on the clients takes a long time and is additionally more risky.

Situation tomorrow: if possible, we'd like to use the credentials used to log in, because the LDAP isn't anonymously readable and every domain user has read access. Actually, I have no idea how to pass the active login credentials to sssd to check authentication against LDAP. Any assistance would be appreciated!

Before you ask why this user can't be set to not expire: we're in a complex network which is not administrated by ourselves, and we're only allowed to use those users.


You can use ldap_default_bind_dn together with ldap_default_authtok_type=password and then put the login credentials into ldap_default_authtok.
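A worked sssd.conf showing the switch the answer describes, from a SASL/GSSAPI bind with a keytab to a simple bind with ldap_default_bind_dn and ldap_default_authtok. This is an added example and not part of the original question or answer; the domain name, URI, search base, DNs, principal and password are made-up placeholders. Two caveats a practitioner will want: sssd.conf must be owned by root with mode 0600 or sssd refuses to start, and the bind password then sits in clear text on every client (sss_obfuscate only obfuscates it; it is not encryption). The id provider does its lookups over its own connection bound with these default credentials; the logged-in user's password is only used for the separate authentication bind, so the account stored here is still one shared service credential.

```ini
# /etc/sssd/sssd.conf (constructed example, not the poster's config).
# Must be owned by root with mode 0600, otherwise sssd will not start.
# Domain, URI, search base, DNs and password are hypothetical placeholders.
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

# --- Current setup as described in the question: SASL/GSSAPI bind using a keytab.
# The keytab principal is the account that expires every 90 days.
#ldap_sasl_mech = GSSAPI
#ldap_sasl_authid = sssd-reader@EXAMPLE.COM
#ldap_krb5_keytab = /etc/sssd/sssd.keytab

# --- Simple bind as suggested in the answer: a bind DN plus a static password.
# Identity lookups (getent passwd etc.) all use this one credential; the
# logging-in user's own password is only used for the separate auth bind.
ldap_default_bind_dn = cn=sssd-reader,ou=service,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = ChangeMe-placeholder-not-a-real-secret

# --- Alternative: run `sss_obfuscate -d example.com` once; it rewrites the two
# lines above to the form below. This hides the password from casual reading
# but is reversible, so the 0600 root-only permission is still what protects it.
#ldap_default_authtok_type = obfuscated_password
#ldap_default_authtok = <value written by sss_obfuscate>
```

After editing, restart the service (`systemctl restart sssd`) and check that a lookup such as `getent passwd someuser` resolves; a failing bind shows up in /var/log/sssd/sssd_example.com.log (the file name follows the domain section). Because the bind account here is still a single service credential copied to every client, it is worth checking whether it is subject to the same 90-day expiry as the keytab principal before relying on this as a long-term fix.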