Goal:
How to configure an LDAP client using SSSD (System Security Services Daemon) for authentication on CentOS.
Env:
CentOS 6.5
OpenLDAP server already configured
Solution:
This article assumes that an OpenLDAP server is already configured and that its hostname is xxx.example.com. The steps below are performed on the LDAP client side:
1. Install Necessary OpenLDAP Packages
```
yum install openldap openldap-clients
```
2. Install the sssd and sssd-client packages
```
yum install sssd sssd-client
```
3. Modify /etc/openldap/ldap.conf to contain the proper server and search base information for the organization
```
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://xxx.example.com:389
BASE dc=example,dc=com
```
4. Modify /etc/nsswitch.conf to use sss
```
passwd:     files sss
shadow:     files sss
group:      files sss
```
5. Configure the LDAP client by using sssd
The sssd configuration lives in /etc/sssd/sssd.conf. Example (here the domain is set to mapr.com; note that this sample turns TLS off with ldap_id_use_start_tls = False and ldap_auth_disable_tls_never_use_in_production = true, so lookups and the bind password cross the network in cleartext on port 389, which is acceptable only in a lab):
```
[domain/mapr.com]
autofs_provider = ldap
cache_credentials = False
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://xxx.example.com:389
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
ldap_auth_disable_tls_never_use_in_production = true
use_fully_qualified_names = True

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = mapr.com

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[autofs]
```
6. Configure PAM to use sssd
Add the pam_sss.so entries to /etc/pam.d/password-auth and /etc/pam.d/system-auth. Example of /etc/pam.d/password-auth:
```
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
```
The second example, which adds the pam_fprintd.so line, is /etc/pam.d/system-auth:
```
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
```
7. Start sssd
```
chmod 0600 /etc/sssd/sssd.conf
/etc/init.d/sssd start
```
8. Test by looking up a user that exists in the LDAP server
```
# id someuser@mapr.com
uid=10002(someuser@mapr.com) gid=15000(somegroup@mapr.com)
```
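The sample sssd.conf in step 5 switches TLS off (ldap_id_use_start_tls = False and ldap_auth_disable_tls_never_use_in_production = true), so identity lookups and the bind password reach port 389 in cleartext, and step 7's chmod 0600 is needed because sssd refuses to start when its config is readable by others. The POSIX shell script below is an added example, not part of the original post, that audits an sssd.conf for exactly those settings and for the file mode. It runs on two constructed inputs: the post's domain section, and a hardened variant that talks to an assumed ldaps:// listener on port 636 with ldap_tls_reqcert = demand (a documented sssd-ldap option the post does not use).

```shell
#!/bin/sh
# Added example (not from the original post): audit an sssd.conf for the
# cleartext-LDAP settings used in the sample config above, plus the 0600
# file mode that step 7 sets. On a real host: audit_sssd_conf /etc/sssd/sssd.conf

# Print the value of "key = value" from an sssd.conf (first match, whitespace
# stripped, lower-cased so True/true compare equal); prints nothing if absent.
sssd_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | head -n 1 | tr -d '[:space:]' | tr 'A-Z' 'a-z'
}

# True when the file is readable by its owner only (sssd refuses to start
# otherwise): the group and other permission columns of ls -l are all '-'.
perms_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Report each weak setting on stderr and print the number of findings on stdout.
audit_sssd_conf() {
    f="$1"
    n=0
    uri=$(sssd_get "$f" ldap_uri)
    starttls=$(sssd_get "$f" ldap_id_use_start_tls)
    notls=$(sssd_get "$f" ldap_auth_disable_tls_never_use_in_production)
    reqcert=$(sssd_get "$f" ldap_tls_reqcert)

    # ldap:// without STARTTLS: lookups and binds cross the network in the clear
    case "$uri" in
        ldap://*)
            if [ "$starttls" != "true" ]; then
                echo "FINDING: $uri used without ldap_id_use_start_tls = True" >&2
                n=$((n + 1))
            fi ;;
    esac
    # This switch lets password binds proceed with no TLS at all
    if [ "$notls" = "true" ]; then
        echo "FINDING: ldap_auth_disable_tls_never_use_in_production = true" >&2
        n=$((n + 1))
    fi
    # never/allow accept a server certificate that cannot be verified
    case "$reqcert" in
        never|allow)
            echo "FINDING: ldap_tls_reqcert = $reqcert disables certificate checking" >&2
            n=$((n + 1)) ;;
    esac
    if ! perms_ok "$f"; then
        echo "FINDING: $f is readable by group/other (needs chmod 0600)" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Constructed sample inputs (mktemp creates them with mode 0600):
# the post's domain section, and a hardened variant over LDAPS (assumed port 636).
WEAK=$(mktemp)
HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat > "$WEAK" <<'EOF'
[domain/mapr.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://xxx.example.com:389
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_auth_disable_tls_never_use_in_production = true
EOF
cat > "$HARD" <<'EOF'
[domain/mapr.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://xxx.example.com:636
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_tls_reqcert = demand
EOF

echo "weak config findings:     $(audit_sssd_conf "$WEAK")"
echo "hardened config findings: $(audit_sssd_conf "$HARD")"
```

The weak config produces two findings (cleartext ldap:// without STARTTLS, and the never-use-in-production switch); the hardened one produces none, and loosening its mode to 0644 adds a single file-permission finding. Pointing the function at /etc/sssd/sssd.conf after step 5 gives a quick check that a lab setting has not been carried into production.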