yum install sssd

To get the TLS/SSL cert (copy the CA certificate from the 389 Directory Server):

cd /etc/sssd
sftp *389 directory server/cert directory*
mget cacert.asc
chown nobody:nobody cacert.asc

Configuring NSS Services to Use SSSD
# authconfig --enablesssd --update
The services map is not enabled by default when SSSD is enabled with authconfig. To include that map, open the nsswitch.conf file and add the sss module to the services map:
# vim /etc/nsswitch.conf
...
services: files sss

To configure the PAM service, use authconfig to enable SSSD for system authentication:
# authconfig --update --enablesssd --enablesssdauth
Configure sssd.conf:

vi /etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
reconnection_retries = 3
sbus_timeout = 30

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
filter_groups = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/LDAP]
cache_credentials = false
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://r65-1.local
ldap_search_base = dc=local
ldap_tls_cacert = /etc/sssd/cacert.asc
debug_level = 9
access_provider = ldap
ldap_access_filter = host=r65-2.local

The last two lines (access_provider and ldap_access_filter) are for host-based access control, the equivalent of pam_check_host_attr in the old pam_ldap config; if you are not using this feature, you can omit them.
Restrict the permissions on the config file, restart sssd, and the machine can log in using LDAP:

chmod 600 /etc/sssd/sssd.conf
service sssd restart
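A pre-restart sanity check for the config above, added here as an example and not part of the original post: it confirms the file is mode 600, that ldap_uri is ldaps:// rather than plain ldap://, that the copied cacert.asc is readable, and that access_provider = ldap is paired with an ldap_access_filter. It assumes a GNU or BSD stat and the key names used in the post; the demo input is a constructed temporary copy of the [domain/LDAP] section.

```sh
#!/bin/sh
# Added example (not from the original post): check an sssd.conf before
# "service sssd restart". Verifies: mode 600 (sssd refuses a world-readable
# config), ldap_uri uses ldaps:// (plain ldap:// sends bind credentials in
# clear), ldap_tls_cacert is readable, and access_provider = ldap has a
# matching ldap_access_filter. Failures go to stderr; returns 0 only if all pass.

conf_value() {  # conf_value KEY FILE -> value of the first "KEY = value" line
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

check_sssd_conf() {
    conf=$1; rc=0
    mode=$(stat -c %a "$conf" 2>/dev/null || stat -f %Lp "$conf")   # GNU, then BSD
    [ "$mode" = "600" ] || { echo "FAIL: $conf is mode $mode, expected 600" >&2; rc=1; }
    uri=$(conf_value ldap_uri "$conf")
    case $uri in
        ldaps://*) ;;
        *) echo "FAIL: ldap_uri '$uri' is not ldaps://" >&2; rc=1 ;;
    esac
    cacert=$(conf_value ldap_tls_cacert "$conf")
    [ -n "$cacert" ] && [ -r "$cacert" ] \
        || { echo "FAIL: ldap_tls_cacert '$cacert' is not readable" >&2; rc=1; }
    if [ "$(conf_value access_provider "$conf")" = "ldap" ] \
        && [ -z "$(conf_value ldap_access_filter "$conf")" ]; then
        echo "FAIL: access_provider = ldap but no ldap_access_filter set" >&2; rc=1
    fi
    return $rc
}

# Constructed demo input: a temporary copy of the post's [domain/LDAP] keys,
# checked once as written and once weakened to plain ldap://. Prints "0 1".
demo_sssd_check() {
    tmp=$(mktemp -d); : > "$tmp/cacert.asc"
    cat > "$tmp/sssd.conf" <<EOF
[domain/LDAP]
ldap_uri = ldaps://r65-1.local
ldap_tls_cacert = $tmp/cacert.asc
access_provider = ldap
ldap_access_filter = host=r65-2.local
EOF
    sed 's#ldaps://#ldap://#' "$tmp/sssd.conf" > "$tmp/weak.conf"
    chmod 600 "$tmp/sssd.conf" "$tmp/weak.conf"
    if check_sssd_conf "$tmp/sssd.conf"; then good=0; else good=1; fi
    if check_sssd_conf "$tmp/weak.conf"; then weak=0; else weak=1; fi
    rm -rf "$tmp"
    echo "$good $weak"
}
```

Run `check_sssd_conf /etc/sssd/sssd.conf` on the real file before the restart; the demo function only exercises the checks on a throwaway copy.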
Hello,

We are working on configuring our Linux servers to use LDAP for authentication using PAM_LDAP + SSSD. Our LDAP usernames are based on staff numbers (all numeric, starting at 1). This will cause conflicts with the daemon, bin, sys... system accounts. What is the best option for us given our username pattern?
Thanks,
Saqib
You can try adding a prefix to the number, e.g. M00001 as the username.

Hello,

Have you guys run into any challenges with using LDAP accounts on Linux servers with NFS/GlusterFS mounts? Just curious.
Saqib