Monday, November 13, 2017

How to configure LDAP client by using SSSD for authentication on CentOS

Goal:

How to configure LDAP client by using SSSD(System Security Services Daemon) for authentication on CentOS.

Env:

CentOS 6.5
open-ldap server configured already

Solution:

This article assumes that one open-ldap server is already configured, and its hostname is xxx.example.com.
Below steps are done on the LDAP client side:

1. Install Necessary OpenLDAP Packages

yum install openldap  openldap-clients

2. Install the sssd and sssd-client packages

yum install sssd sssd-client

3. Modify /etc/openldap/ldap.conf to contain the proper server and search base information for the organization

TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://xxx.example.com:389
BASE dc=example,dc=com

4. Modify /etc/nsswitch.conf to use sss

passwd:     files sss
shadow:     files sss
group:      files sss

5. Configure the LDAP client by using sssd

The sssd configuration is located at /etc/sssd/sssd.conf.
Example: (Here domain is set to mapr.com)
[domain/mapr.com]

autofs_provider = ldap
cache_credentials = False
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://xxx.example.com:389
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
ldap_auth_disable_tls_never_use_in_production = true
use_fully_qualified_names = True

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = mapr.com
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
[autofs]

6.  Configure PAM to use sssd

Add "pam_sss.so" related entries into /etc/pam.d/password-auth and /etc/pam.d/system-auth.
Example of /etc/pam.d/password-auth is:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
Example of /etc/pam.d/system-auth is:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

 7. Start sssd

chmod 0600 /etc/sssd/sssd.conf
/etc/init.d/sssd start
Troubleshoot issues by checking /var/log/sssd/sssd.log if needed.

8. Test by looking for one user identified in LDAP server

# id someuser@mapr.com
uid=10002(someuser@mapr.com) gid=15000(somegroup@mapr.com)


No comments:

Post a Comment

Popular Posts