Configure SSSD for OpenLDAP authentication on Ubuntu 18.04

In this guide, we will learn how to configure SSSD for OpenLDAP authentication on Ubuntu 18.04. SSSD is an acronym for System Security Services Daemon. It provides access to local or remote identity and authentication resources through a common framework that offers caching and offline support for the system. It also provides several interfaces, including NSS and PAM modules and a D-Bus interface.

Before proceeding, make sure you have a running OpenLDAP server. You can click on the link below to learn how to set up an OpenLDAP server on CentOS 8.

Install and set up OpenLDAP on CentOS 8

Configure SSSD for OpenLDAP authentication on Ubuntu 18.04

In this demo, we will set up SSSD on the Ubuntu 18.04 desktop.

Update your system

apt update

Install SSSD and required packages

Run the following command to install SSSD on Ubuntu 18.04 and other required packages.

apt install sssd libpam-sss libnss-sss

Configure SSSD on Ubuntu 18.04

After the installation is complete, proceed to configure SSSD for OpenLDAP authentication.

Create the SSSD configuration file (it is not created by default) with the following content;

vim /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[sudo]

[nss]

[pam]
offline_credentials_expiration = 60

[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ldap://ldapmaster.kifarunix-demo.com
ldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = [email protected]
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/cacert.crt
ldap_tls_cacertdir = /etc/ssl/certs
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)

Replace the values of ldap_search_base, ldap_uri, ldap_default_bind_dn, ldap_default_authtok and the ldap_tls_* paths above with those of your own OpenLDAP server.

Read more about the configuration options in man sssd.conf.

Save the file and exit.
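The settings above are the ones that decide whether the bind password and user credentials travel encrypted and whether a forged LDAP server is rejected. The following script is an added example (not from the original tutorial) that audits an sssd.conf for exactly those points: an ldap:// URI without ldap_id_use_start_tls, an ldap_tls_reqcert weaker than demand, an LDAP access provider with no filter, and a file holding ldap_default_authtok that is not mode 600. The path you pass in is your own; the script assumes GNU stat for the mode check and skips it elsewhere.

```bash
# Added example, not from the original tutorial: audit an sssd.conf for the
# settings that protect the LDAP bind configured above (TLS, certificate
# checking, access filter, file mode). Pass the file to check as $1.

# sssd_value FILE KEY -> print the value of "KEY = value" (empty if unset)
sssd_value() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*//p' "$1" | head -n1
}

# check_sssd_conf FILE -> prints findings; exit status is the number of FAILs
check_sssd_conf() {
    f="$1"; fails=0
    uri=$(sssd_value "$f" ldap_uri)
    starttls=$(sssd_value "$f" ldap_id_use_start_tls | tr '[:upper:]' '[:lower:]')
    reqcert=$(sssd_value "$f" ldap_tls_reqcert)
    authtok=$(sssd_value "$f" ldap_default_authtok)
    access=$(sssd_value "$f" access_provider)
    filter=$(sssd_value "$f" ldap_access_filter)

    # 1. ldap:// is plaintext unless StartTLS is forced; ldaps:// is TLS from the start
    case "$uri" in
        ldaps://*) ;;
        ldap://*)
            if [ "$starttls" != "true" ]; then
                echo "FAIL: $uri without ldap_id_use_start_tls = True sends the bind password in clear"
                fails=$((fails + 1))
            fi ;;
        *)  echo "FAIL: ldap_uri is missing or not an ldap(s):// URI"; fails=$((fails + 1)) ;;
    esac

    # 2. anything weaker than demand/hard lets a forged server certificate through
    case "$reqcert" in
        demand|hard) ;;
        *)  echo "FAIL: ldap_tls_reqcert = '${reqcert:-unset}' does not verify the server certificate (use demand)"
            fails=$((fails + 1)) ;;
    esac

    # 3. access_provider = ldap without a filter admits every account the search finds
    if [ "$access" = "ldap" ] && [ -z "$filter" ]; then
        echo "WARN: access_provider = ldap but no ldap_access_filter; every LDAP user may log in"
    fi

    # 4. the file carries the bind password, so it must be private to root
    #    (GNU stat; the check is skipped where stat -c is unavailable)
    mode=$(stat -c '%a' "$f" 2>/dev/null || true)
    if [ -n "$authtok" ] && [ -n "$mode" ] && [ "$mode" != "600" ]; then
        echo "FAIL: $f is mode $mode but holds ldap_default_authtok; expected 600"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Usage: check_sssd_conf /etc/sssd/sssd.conf
if [ $# -gt 0 ]; then check_sssd_conf "$1"; fi
```

Run it against /etc/sssd/sssd.conf before restarting the service; a non-zero exit status tells you how many hard failures were found, and the WARN line is informational only, since some deployments deliberately admit every directory account.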

Install OpenLDAP server CA certificate

To perform authentication, SSSD requires that the communication channel be encrypted. This means the LDAP server must be configured for SSL/TLS with a certificate that the client can validate against a trusted CA.

Install the LDAP server's CA certificate at the path set by the ldap_tls_cacert directive, /etc/ssl/certs/cacert.crt.

To download the CA certificate from the LDAP server, run the following command;

openssl s_client -connect ldapmaster.kifarunix-demo.com:636 -showcerts < /dev/null | openssl x509 -text | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

Copy the certificate part;

-----BEGIN CERTIFICATE-----
MIIDzzCCAregAwIBAgIUMJkYu/S+fQbyGjUOLsMoar6owfowDQYJKoZIhvcNAQEL
BQAwdzELMAkGA1UEBhMCS0UxDDAKBgNVBAgMA05haTEMMAoGA1UEBwwDTmFpMRcw
...
...
J4VrJYImrnvTNiDGcrXVQhKY2amBPb6g1Mwp5DiHPplvOF63F+Uzx9NFG1DhHMTq
kqkfQw96SLItvsAXpeosfYkH6uEG36svqAJ6rzxZcJzl3OTrUZnFX3OOsmFeHupC
Qxv7gjfE5jqdD6iQR0cohGLpaA==
-----END CERTIFICATE-----

Paste it into the file /etc/ssl/certs/cacert.crt.

vim /etc/ssl/certs/cacert.crt
-----BEGIN CERTIFICATE-----
MIIDzzCCAregAwIBAgIUMJkYu/S+fQbyGjUOLsMoar6owfowDQYJKoZIhvcNAQEL
BQAwdzELMAkGA1UEBhMCS0UxDDAKBgNVBAgMA05haTEMMAoGA1UEBwwDTmFpMRcw
...
...
J4VrJYImrnvTNiDGcrXVQhKY2amBPb6g1Mwp5DiHPplvOF63F+Uzx9NFG1DhHMTq
kqkfQw96SLItvsAXpeosfYkH6uEG36svqAJ6rzxZcJzl3OTrUZnFX3OOsmFeHupC
Qxv7gjfE5jqdD6iQR0cohGLpaA==
-----END CERTIFICATE-----

Next, open /etc/ldap/ldap.conf and set TLS_CACERT to the path of the certificate above.

vim /etc/ldap/ldap.conf
...
# TLS certificates (needed for GnuTLS)
#TLS_CACERT     /etc/ssl/certs/ca-certificates.crt
TLS_CACERT      /etc/ssl/certs/cacert.crt

Save and close the configuration file.
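Two things are worth checking in the certificate step above. The openssl x509 stage of the download command keeps only the first certificate the server presents, which is the server's own certificate, not its issuer; that only works as a trust anchor when the server certificate is self-signed. And a trust anchor fetched from the server itself is only as trustworthy as the connection it came over, so its fingerprint should be compared with one read directly on the LDAP server before it is installed. The following script is an added example (not from the original tutorial): it keeps the whole chain, selects the last certificate the server sends, and installs it only if its SHA-256 fingerprint matches the expected value. The host, fingerprint and destination path in the usage line are placeholders.

```bash
# Added example, not from the original tutorial: fetch the chain the LDAP
# server presents, keep the last (issuer) certificate rather than the first
# (the server's own), and install it only after its SHA-256 fingerprint
# matches one obtained out of band. Host, fingerprint and paths are placeholders.

# pem_count BUNDLE -> number of PEM certificates in the file (0 if none)
pem_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# pem_nth BUNDLE N -> print certificate number N (1-based), or the last one for N=last
pem_nth() {
    n="$2"
    if [ "$n" = last ]; then n=$(pem_count "$1"); fi
    awk -v want="$n" '
        /-----BEGIN CERTIFICATE-----/ { i++ }
        i == want { print }
        /-----END CERTIFICATE-----/ && i == want { exit }
    ' "$1"
}

# fingerprint_matches CERT EXPECTED -> 0 if the SHA-256 fingerprint equals EXPECTED (colons optional)
fingerprint_matches() {
    got=$(openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f')
    want=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# install_ldap_ca HOST EXPECTED_SHA256 DEST -> download the chain, verify, install root-owned 0644
install_ldap_ca() {
    bundle=$(mktemp); cert=$(mktemp)
    openssl s_client -connect "$1:636" -showcerts </dev/null 2>/dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$bundle"
    pem_nth "$bundle" last > "$cert"
    if fingerprint_matches "$cert" "$2"; then
        install -o root -g root -m 644 "$cert" "$3"
        echo "installed last of $(pem_count "$bundle") certificate(s) from $1 to $3"
        rc=0
    else
        echo "fingerprint mismatch for $1; not installing" >&2
        rc=1
    fi
    rm -f "$bundle" "$cert"
    return "$rc"
}

# Usage (all values are placeholders):
# install_ldap_ca ldapmaster.kifarunix-demo.com 'AA:BB:CC:...' /etc/ssl/certs/cacert.crt
```

The expected fingerprint comes from running openssl x509 -noout -fingerprint -sha256 on the CA certificate file on the LDAP server itself; if the server only sends an intermediate, that intermediate is what gets installed, which is sufficient for ldap_tls_reqcert = demand as long as the server certificate chains to it.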

After that, restrict the permissions on /etc/sssd/ so that only root can read it; sssd.conf holds the bind password, and SSSD refuses to start if the file is owned by anyone but root or readable by others.

chmod 600 -R /etc/sssd

Restart the SSSD service

systemctl restart sssd

Check the status of the SSSD to make sure it is running.

systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2020-01-17 14:27:51 EAT; 6s ago
 Main PID: 3033 (sssd)
    Tasks: 4 (limit: 2315)
   CGroup: /system.slice/sssd.service
           ├─3033 /usr/sbin/sssd -i --logger=files
           ├─3034 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain default --uid 0 --gid 0 --logger=files
           ├─3035 /usr/lib/x86_64-linux-gnu/sssd/sssd_nss --uid 0 --gid 0 --logger=files
           └─3036 /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --uid 0 --gid 0 --logger=files

Jan 17 14:27:50 amos systemd[1]: Starting System Security Services Daemon...
Jan 17 14:27:51 amos sssd[3033]: Starting up
Jan 17 14:27:51 amos sssd[be[3034]: Starting up
Jan 17 14:27:51 amos sssd[3036]: Starting up
Jan 17 14:27:51 amos sssd[3035]: Starting up
Jan 17 14:27:51 amos systemd[1]: Started System Security Services Daemon.

Configure automatic home directory creation

To ensure that a user's home directory is created automatically on first login, configure the PAM module pam_mkhomedir.so as follows.

Open the /etc/pam.d/common-session configuration file and edit it as follows:

vim /etc/pam.d/common-session

Add the following line below the line session optional pam_sss.so:

session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
...
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional                        pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required        pam_unix.so
session optional                        pam_sss.so
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional        pam_systemd.so
# end of pam-auth-update config
...

Save and exit the configuration file.
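Because pam-auth-update can rewrite common-session on package upgrades, it is useful to have a quick check that the edit above is still in place. The following function is an added example (not from the original tutorial): it confirms that a session entry for pam_mkhomedir.so exists, that it comes after the pam_sss.so entry as the instructions require, and that its umask clears group and other write bits (0022 or stricter, which is also pam_mkhomedir's own default when the option is absent). The file path is whatever you pass in.

```bash
# Added example, not from the original tutorial: verify the common-session
# edit above. Checks that pam_mkhomedir.so has a session entry, that it follows
# the pam_sss.so entry, and that its umask is at least as strict as 0022.

# check_mkhomedir FILE -> 0 when all conditions hold, 1 otherwise (reason on stdout)
check_mkhomedir() {
    f="$1"
    sss_line=$(grep -n '^[[:space:]]*session.*pam_sss\.so' "$f" | head -n1 | cut -d: -f1)
    mk_line=$(grep -n '^[[:space:]]*session.*pam_mkhomedir\.so' "$f" | head -n1 | cut -d: -f1)
    if [ -z "$sss_line" ]; then echo "FAIL: no session entry for pam_sss.so"; return 1; fi
    if [ -z "$mk_line" ]; then echo "FAIL: no session entry for pam_mkhomedir.so"; return 1; fi
    if [ "$mk_line" -le "$sss_line" ]; then
        echo "FAIL: pam_mkhomedir.so (line $mk_line) must come after pam_sss.so (line $sss_line)"
        return 1
    fi
    # umask=NNNN on the pam_mkhomedir line; the module's own default is 0022 when absent
    um=$(sed -n "${mk_line}p" "$f" | sed -n 's/.*umask=\([0-7]*\).*/\1/p')
    um=${um:-0022}
    # 0022 (octal 18) clears group and other write; accept any mask that clears at least those
    if [ $(( 0$um & 022 )) -ne 18 ]; then
        echo "FAIL: umask=$um leaves group or other write on new home directories"
        return 1
    fi
    echo "OK: pam_mkhomedir.so on line $mk_line after pam_sss.so, umask=$um"
}

# Usage: check_mkhomedir /etc/pam.d/common-session
if [ $# -gt 0 ]; then check_mkhomedir "$1"; fi
```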

Verify OpenLDAP authentication via SSH

Now you can verify if you can log in to your Ubuntu 18.04 system as an LDAP user via SSH.

Note that the user used here already exists on our OpenLDAP server.

ssh [email protected]
[email protected]'s password: 
Creating directory '/home/johndoe'.
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.18.0-15-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


450 packages can be updated.
223 updates are security updates.

Your Hardware Enablement Stack (HWE) is supported until April 2023.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

[email protected]:~$ pwd
/home/johndoe

Verify OpenLDAP authentication via GUI

In this demo, we use the default Ubuntu 18.04 GDM display manager.

On the login interface, click "Not Listed" to enter your OpenLDAP username and password.

After a successful login, your home directory is created automatically and you land on your desktop.


This is how to configure SSSD for OpenLDAP authentication on Ubuntu 18.04.

You can view other tutorials about OpenLDAP through the following links;

Install phpLDAPadmin on CentOS 8

Configure ownCloud OpenLDAP authentication

Configure OpenLDAP host-based authentication

How to create an OpenLDAP member group
