Goal:
How to configure an LDAP client using SSSD (System Security Services Daemon) for authentication on CentOS.
Env:
CentOS 6.5
open-ldap server configured already
Solution:
This article assumes that one open-ldap server is already configured, and that its hostname is xxx.example.com. The steps below are done on the LDAP client side:
1. Install Necessary OpenLDAP Packages
yum install openldap openldap-clients
2. Install the sssd and sssd-client packages
yum install sssd sssd-client
3. Modify /etc/openldap/ldap.conf to contain the proper server and search base information for the organization
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://xxx.example.com:389
BASE dc=example,dc=com
4. Modify /etc/nsswitch.conf to use sss
passwd: files sss
shadow: files sss
group: files sss
5. Configure the LDAP client by using sssd
The sssd configuration is located at /etc/sssd/sssd.conf. Example (here the domain is set to mapr.com):
[domain/mapr.com]
autofs_provider = ldap
cache_credentials = False
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://xxx.example.com:389
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
ldap_auth_disable_tls_never_use_in_production = true
use_fully_qualified_names = True

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = mapr.com

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[autofs]
6. Configure PAM to use sssd
Add the "pam_sss.so" related entries to /etc/pam.d/password-auth and /etc/pam.d/system-auth. Example of /etc/pam.d/password-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
Example of /etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
7. Start sssd
chmod 0600 /etc/sssd/sssd.conf
/etc/init.d/sssd start
Troubleshoot issues by checking /var/log/sssd/sssd.log if needed.
8. Test by looking for one user identified in LDAP server
# id someuser@mapr.com
uid=10002(someuser@mapr.com) gid=15000(somegroup@mapr.com)
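As an added example (not code from the original article), a small Python checker that reads an sssd.conf like the one in step 5 and flags the settings that leave LDAP traffic unencrypted: a plain ldap:// URI with ldap_id_use_start_tls off, and ldap_auth_disable_tls_never_use_in_production, which the step 5 example enables. The embedded configuration is a constructed excerpt of that file, not the file itself.

```python
import configparser
from typing import List

# Constructed excerpt of the step 5 sssd.conf, trimmed to the keys the checker inspects.
SAMPLE_SSSD_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
domains = mapr.com

[domain/mapr.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://xxx.example.com:389
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_auth_disable_tls_never_use_in_production = true
cache_credentials = False
"""


def _is_true(value: str) -> bool:
    # sssd accepts true/false in any case; a missing key is treated as false.
    return value.strip().lower() in ("true", "yes", "1")


def audit_sssd_conf(text: str) -> List[str]:
    """Return one finding per transport weakness found in each [domain/*] section."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        dom = cfg[section]
        if dom.get("id_provider", "") != "ldap" and dom.get("auth_provider", "") != "ldap":
            continue  # not an LDAP-backed domain, nothing to check
        uris = [u.strip() for u in dom.get("ldap_uri", "").split(",")]
        plain = [u for u in uris if u.startswith("ldap://")]
        if plain and not _is_true(dom.get("ldap_id_use_start_tls", "false")):
            findings.append(f"{section}: ldap:// without StartTLS, identity lookups are "
                            f"unencrypted: {', '.join(plain)}")
        if _is_true(dom.get("ldap_auth_disable_tls_never_use_in_production", "false")):
            findings.append(f"{section}: ldap_auth_disable_tls_never_use_in_production "
                            "is set, simple binds send user passwords in cleartext")
    return findings


if __name__ == "__main__":
    for finding in audit_sssd_conf(SAMPLE_SSSD_CONF):
        print(finding)
```

Run it against /etc/sssd/sssd.conf (e.g. `audit_sssd_conf(open("/etc/sssd/sssd.conf").read())`) after step 5; an empty result means every LDAP domain uses ldaps:// or StartTLS and does not disable TLS for authentication.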