Configure SSSD for OpenLDAP authentication on Ubuntu 18.04
In this guide, we will learn how to configure SSSD for OpenLDAP authentication on Ubuntu 18.04. SSSD stands for System Security Services Daemon. It provides access to local or remote identity and authentication resources through a common framework that can provide caching and offline support for the system. It also provides several interfaces, including NSS and PAM modules and D-Bus interfaces.
Before proceeding, make sure you have a running OpenLDAP server. You can click on the link below to learn how to set up an OpenLDAP server on CentOS 8.
Install and set up OpenLDAP on CentOS 8
Configure SSSD for OpenLDAP authentication on Ubuntu 18.04
In this demo, we will set up SSSD on the Ubuntu 18.04 desktop.
Update your system
apt update
Install SSSD and required packages
Run the following command to install SSSD on Ubuntu 18.04 and other required packages.
apt install sssd libpam-sss libnss-sss
Configure SSSD on Ubuntu 18.04
After the installation is complete, proceed to configure SSSD for OpenLDAP authentication.
Create an SSSD configuration file with the following content (not created by default);
vim /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[sudo]

[nss]

[pam]
offline_credentials_expiration = 60

[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ldap://ldapmaster.kifarunix-demo.com
ldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = [email protected]
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/cacert.crt
ldap_tls_cacertdir = /etc/ssl/certs
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
Replace the values of ldap_search_base, ldap_uri, ldap_default_bind_dn, ldap_default_authtok and ldap_tls_cacert above with those of your own OpenLDAP server.
Read more about the configuration options in man sssd.conf.
Save the file and exit.
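Before restarting SSSD it is worth checking the file for the settings that actually protect the bind password and the users' credentials: the file mode, STARTTLS or ldaps://, ldap_tls_reqcert = demand, a CA file, and an access provider. The script below is an added example for this guide, not part of the original tutorial or of SSSD. The option names are the real sssd.conf keys used above; the file paths, the expected-owner parameter and the two sample configs written by make_samples are constructed for the demo, and stat -c assumes GNU coreutils as on Ubuntu.

```sh
#!/bin/sh
# Audit an sssd.conf before restarting sssd: permissions, transport encryption,
# certificate checking and access control. Added example, not the tutorial's code.

# ini_get FILE SECTION KEY -> prints the value of KEY inside [SECTION], or nothing.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); in_sec = (s == sec); next }
        in_sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_sssd_conf FILE [OWNER] -> one FAIL line per finding; returns 1 if any.
# OWNER is the expected file owner: root on a real host (the default); the demo
# passes the current user because it cannot create root-owned files.
check_sssd_conf() {
    f=$1; owner=${2:-root}; fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    # The file holds the bind password; sssd also refuses to start if others can read it.
    [ "$(stat -c '%a' "$f")" = "600" ]    || fail "$f mode is $(stat -c '%a' "$f"), expected 600"
    [ "$(stat -c '%U' "$f")" = "$owner" ] || fail "$f is not owned by $owner"

    dom=$(ini_get "$f" sssd domains | cut -d, -f1 | tr -d ' ')
    [ -n "$dom" ] || { fail "no 'domains =' line in [sssd]"; return 1; }
    sec="domain/$dom"

    # Transport: either ldaps:// from the first byte, or ldap:// upgraded with STARTTLS.
    uri=$(ini_get "$f" "$sec" ldap_uri)
    starttls=$(ini_get "$f" "$sec" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
    case "$uri" in
        ldaps://*) ;;
        ldap://*)  [ "$starttls" = "true" ] || fail "ldap:// URI without ldap_id_use_start_tls = True (passwords would cross the wire in clear)" ;;
        *)         fail "ldap_uri missing or not ldap(s)://: '$uri'" ;;
    esac

    # Certificate checking: anything weaker than demand lets a spoofed server collect passwords.
    [ "$(ini_get "$f" "$sec" ldap_tls_reqcert)" = "demand" ] || fail "ldap_tls_reqcert is not demand"
    [ -n "$(ini_get "$f" "$sec" ldap_tls_cacert)" ]          || fail "ldap_tls_cacert is not set"

    # A bind DN without a password cannot authenticate; no access_provider means no access filtering.
    if [ -n "$(ini_get "$f" "$sec" ldap_default_bind_dn)" ]; then
        [ -n "$(ini_get "$f" "$sec" ldap_default_authtok)" ] || fail "ldap_default_bind_dn set but ldap_default_authtok is empty"
    fi
    [ -n "$(ini_get "$f" "$sec" access_provider)" ] || fail "access_provider is not set"

    [ "$fails" -eq 0 ] && echo "OK: $f passes all checks"
    [ "$fails" -eq 0 ]
}

# make_samples -> writes a compliant config and a weakened one into a temp dir, prints the dir.
# Both are constructed for the demo; the password is a placeholder.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/good.conf" <<'EOF'
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldap://ldapmaster.kifarunix-demo.com
ldap_id_use_start_tls = True
ldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = constructed-demo-password
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/cacert.crt
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
EOF
    # weak.conf: STARTTLS off, certificate check relaxed, no access control, group-readable.
    sed -e 's/^ldap_id_use_start_tls = True/ldap_id_use_start_tls = False/' \
        -e 's/^ldap_tls_reqcert = demand/ldap_tls_reqcert = never/' \
        -e '/^access_provider/d' "$d/good.conf" > "$d/weak.conf"
    chmod 600 "$d/good.conf"; chmod 640 "$d/weak.conf"
    echo "$d"
}

# Usage on a host: sh sssd_audit.sh /etc/sssd/sssd.conf   (no argument runs the demo)
if [ $# -gt 0 ]; then
    check_sssd_conf "$1"
else
    d=$(make_samples)
    check_sssd_conf "$d/good.conf" "$(id -un)" || true
    check_sssd_conf "$d/weak.conf" "$(id -un)" || true
fi
```

Run it against the weakened sample and it reports the 640 mode, the disabled STARTTLS, the relaxed ldap_tls_reqcert and the missing access_provider; the guide's own configuration passes once the chmod 600 step further down has been applied.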
Install OpenLDAP server CA certificate
To perform authentication, SSSD requires that the communication channel be encrypted. This means that the LDAP server must offer TLS (ldaps:// or STARTTLS) with a certificate that the client can validate against a trusted CA.
Install the LDAP server CA certificate under the file defined by the ldap_tls_cacert option, /etc/ssl/certs/cacert.crt.
To download the CA certificate from the LDAP server, run the following command. Note that openssl x509 keeps only the first certificate it reads, which with -showcerts is the server's own certificate; that is the CA certificate only when the server certificate is self-signed. If the server certificate is issued by a separate CA, take the CA certificate printed further down the chain instead, since ldap_tls_cacert must hold the issuing CA for verification to succeed.
openssl s_client -connect ldapmaster.kifarunix-demo.com:636 -showcerts < /dev/null | openssl x509 -text | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
Copy the certificate part;
-----BEGIN CERTIFICATE-----
MIIDzzCCAregAwIBAgIUMJkYu/S+fQbyGjUOLsMoar6owfowDQYJKoZIhvcNAQEL
BQAwdzELMAkGA1UEBhMCS0UxDDAKBgNVBAgMA05haTEMMAoGA1UEBwwDTmFpMRcw
...
...
J4VrJYImrnvTNiDGcrXVQhKY2amBPb6g1Mwp5DiHPplvOF63F+Uzx9NFG1DhHMTq
kqkfQw96SLItvsAXpeosfYkH6uEG36svqAJ6rzxZcJzl3OTrUZnFX3OOsmFeHupC
Qxv7gjfE5jqdD6iQR0cohGLpaA==
-----END CERTIFICATE-----
Paste it into the file /etc/ssl/certs/cacert.crt.
vim /etc/ssl/certs/cacert.crt
-----BEGIN CERTIFICATE-----
MIIDzzCCAregAwIBAgIUMJkYu/S+fQbyGjUOLsMoar6owfowDQYJKoZIhvcNAQEL
BQAwdzELMAkGA1UEBhMCS0UxDDAKBgNVBAgMA05haTEMMAoGA1UEBwwDTmFpMRcw
...
...
J4VrJYImrnvTNiDGcrXVQhKY2amBPb6g1Mwp5DiHPplvOF63F+Uzx9NFG1DhHMTq
kqkfQw96SLItvsAXpeosfYkH6uEG36svqAJ6rzxZcJzl3OTrUZnFX3OOsmFeHupC
Qxv7gjfE5jqdD6iQR0cohGLpaA==
-----END CERTIFICATE-----
Next, open /etc/ldap/ldap.conf and set the value of TLS_CACERT to the path of the certificate above.
vim /etc/ldap/ldap.conf
...
# TLS certificates (needed for GnuTLS)
#TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_CACERT /etc/ssl/certs/cacert.crt
Save and close the configuration file.
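When the server presents a chain rather than a single self-signed certificate, the block you want for cacert.crt is the issuing CA, and it pays to verify the listener against the saved file before SSSD depends on it. The script below is an added example for this guide, not part of the original tutorial or of OpenSSL. It splits the PEM blocks that openssl s_client -showcerts prints, reports whether the chosen block is self-signed, and runs the same check that ldap_tls_reqcert = demand performs. The host name and file names follow the guide; the chain written by make_sample_chain is constructed for the demo (dummy base64, not real certificates), and the openssl-based functions need the network and a real server.

```sh
#!/bin/sh
# Pick the CA certificate out of an s_client -showcerts chain and verify the
# LDAP listener against it. Added example, not the tutorial's code.

# pem_count FILE -> number of PEM certificate blocks in FILE.
pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# pem_block FILE N -> the N-th PEM block (1-based); N may be "last".
# With -showcerts the server certificate comes first and the issuing CA(s)
# after it, so the file for ldap_tls_cacert is normally the last block, not the first.
pem_block() {
    want=$2
    [ "$want" = "last" ] && want=$(pem_count "$1")
    [ "$want" -ge 1 ] 2>/dev/null || return 1
    awk -v want="$want" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# fetch_chain HOST PORT OUTFILE -> saves every PEM block the server presents (network).
fetch_chain() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$3"
}

# is_self_signed CERTFILE -> true when subject equals issuer, i.e. a root CA.
is_self_signed() {
    subj=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')
    iss=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# verify_ldap_tls HOST PORT CAFILE -> exit 0 only if the chain validates against
# CAFILE and the certificate matches HOST, which is what ldap_tls_reqcert = demand enforces.
verify_ldap_tls() {
    openssl s_client -connect "$1:$2" -CAfile "$3" -verify_hostname "$1" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

# make_sample_chain -> constructed stand-in for s_client -showcerts output (dummy base64).
make_sample_chain() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Certificate chain
 0 s:CN = ldapmaster.kifarunix-demo.com
   i:CN = kifarunix-demo CA
-----BEGIN CERTIFICATE-----
U0VSVkVSLUNFUlQtRFVNTVktTk9ULUEtUkVBTC1DRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----
 1 s:CN = kifarunix-demo CA
   i:CN = kifarunix-demo CA
-----BEGIN CERTIFICATE-----
Q0EtQ0VSVC1EVU1NWS1OT1QtQS1SRUFMLUNFUlRJRklDQVRF
-----END CERTIFICATE-----
EOF
    echo "$f"
}

# Stand-alone usage: sh ca_from_chain.sh ldapmaster.kifarunix-demo.com [636]
if [ $# -gt 0 ]; then
    host=$1; port=${2:-636}; chain=$(mktemp)
    fetch_chain "$host" "$port" "$chain"
    echo "server presented $(pem_count "$chain") certificate(s)"
    pem_block "$chain" last > cacert.crt
    if is_self_signed cacert.crt; then
        echo "cacert.crt is self-signed (root CA)"
    else
        echo "cacert.crt is an intermediate; bundle its issuer as well"
    fi
    verify_ldap_tls "$host" "$port" cacert.crt && echo "TLS verification OK" || echo "TLS verification FAILED"
fi
```

If the server sends only its own self-signed certificate, pem_count reports 1 and the first and last block are the same file; if verify_ldap_tls fails, SSSD will fail in the same way, so fix the CA file before restarting the service.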
After that, restrict the permissions on /etc/sssd so that only root can read it; sssd.conf contains the bind password, and SSSD refuses to start if the file is readable by other users.
chmod 600 -R /etc/sssd
Restart the SSSD service
systemctl restart sssd
Check the status of the SSSD to make sure it is running.
systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2020-01-17 14:27:51 EAT; 6s ago
 Main PID: 3033 (sssd)
    Tasks: 4 (limit: 2315)
   CGroup: /system.slice/sssd.service
           ├─3033 /usr/sbin/sssd -i --logger=files
           ├─3034 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain default --uid 0 --gid 0 --logger=files
           ├─3035 /usr/lib/x86_64-linux-gnu/sssd/sssd_nss --uid 0 --gid 0 --logger=files
           └─3036 /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --uid 0 --gid 0 --logger=files

Jan 17 14:27:50 amos systemd[1]: Starting System Security Services Daemon...
Jan 17 14:27:51 amos sssd[3033]: Starting up
Jan 17 14:27:51 amos sssd[be[3034]: Starting up
Jan 17 14:27:51 amos sssd[3036]: Starting up
Jan 17 14:27:51 amos sssd[3035]: Starting up
Jan 17 14:27:51 amos systemd[1]: Started System Security Services Daemon.
Configure automatic home directory creation
To ensure that a user's home directory is created automatically at first login, configure the pam_mkhomedir.so PAM module as follows.
Open /etc/pam.d/common-session and edit it as shown below:
vim /etc/pam.d/common-session
Add the following line below the line session optional pam_sss.so.
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
...
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_sss.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_systemd.so
# end of pam-auth-update config
...
Save and exit the configuration file. Note that this line sits inside the region that pam-auth-update manages (between the per-package modules marker and "# end of pam-auth-update config"), so check that it is still present after any later pam-auth-update run.
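The order of the two session lines matters: pam_mkhomedir.so only helps if it runs after pam_sss.so has established the LDAP session, and its umask decides who can read the new home directory. The following check is an added example for this guide, not part of the tutorial or of Linux-PAM; it reads a common-session file, confirms an uncommented pam_mkhomedir.so session line follows the pam_sss.so one, and inspects the umask argument. The sample file written by make_session_sample reproduces the fragment above and is constructed for the demo.

```sh
#!/bin/sh
# Verify that common-session will create LDAP users' home directories safely.
# Added example, not the tutorial's code.

# check_mkhomedir FILE -> OK or FAIL line; returns 1 on a failure.
check_mkhomedir() {
    f=$1
    # First uncommented session line naming each module ($1 equals "session"
    # only on live lines, so commented copies are ignored).
    sss_line=$(awk '$1 == "session" && /pam_sss\.so/ { print NR; exit }' "$f")
    mk_line=$(awk '$1 == "session" && /pam_mkhomedir\.so/ { print NR; exit }' "$f")
    [ -n "$sss_line" ] || { echo "FAIL: no active session line for pam_sss.so"; return 1; }
    [ -n "$mk_line" ]  || { echo "FAIL: no active session line for pam_mkhomedir.so"; return 1; }
    [ "$mk_line" -gt "$sss_line" ] \
        || { echo "FAIL: pam_mkhomedir.so (line $mk_line) must come after pam_sss.so (line $sss_line)"; return 1; }

    # umask= argument on that line; pam_mkhomedir defaults to 0022 when it is absent.
    umask_val=$(awk -v n="$mk_line" 'NR == n { for (i = 1; i <= NF; i++) if ($i ~ /^umask=/) { sub(/^umask=/, "", $i); print $i } }' "$f")
    case "${umask_val:-0022}" in
        0022|022|0027|027|0077|077)
            echo "OK: home directories are created after pam_sss.so with umask ${umask_val:-0022 (default)}" ;;
        *)
            echo "FAIL: umask '$umask_val' is not one of 022/027/077; make sure it removes write for group and others"
            return 1 ;;
    esac
}

# make_session_sample -> writes the common-session fragment from this guide to a temp file.
make_session_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_sss.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_systemd.so
# end of pam-auth-update config
EOF
    echo "$f"
}

# Usage on a host: sh check_mkhomedir.sh /etc/pam.d/common-session   (no argument runs the demo)
if [ $# -gt 0 ]; then
    check_mkhomedir "$1"
else
    check_mkhomedir "$(make_session_sample)" || true
fi
```

The check is deliberately strict about the umask: 0022 (the module default) keeps the new home world-readable but not writable, 0027 or 0077 are the usual tighter choices, and anything else is reported for a human to look at.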
Verify OpenLDAP authentication via SSH
Now you can verify that you can log in to your Ubuntu 18.04 system as an LDAP user via SSH. Before trying SSH, you can confirm that NSS resolves the account from LDAP with getent passwd followed by the username; if that returns nothing, the problem is in sssd.conf or the TLS setup rather than in PAM.
Please note that the user used here already exists on our OpenLDAP server.
ssh [email protected]
[email protected]'s password:
Creating directory '/home/johndoe'.
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.18.0-15-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

450 packages can be updated.
223 updates are security updates.

Your Hardware Enablement Stack (HWE) is supported until April 2023.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

[email protected]:~$ pwd
/home/johndoe
Verify OpenLDAP authentication via GUI
In this demo, we use the default Ubuntu 18.04 GDM display manager.
On the login screen, click "Not Listed" to enter your OpenLDAP username and password.
After a successful login, your home directory is created automatically and you land on your desktop.
This is how to configure SSSD for OpenLDAP authentication on Ubuntu 18.04.
You can view other tutorials about OpenLDAP through the following links;
Install phpLDAPadmin on CentOS 8
Configure ownCloud OpenLDAP authentication
Configure OpenLDAP host-based authentication
How to create an OpenLDAP member group