Do you have some old CentOS system, CentOS 7 or CentOS 6 and want to enable OpenLDAP authentication? Well, follow through this guide to learn how configure OpenLDAP SSSD client on CentOS 6/7. Well, as you might already know, SSSD offers quite a number of benefits including;
- Reduced load on identity and authentication servers through caching of authentication information.
- Offers offline authentication through the use of cached user identities and credentials thus enabling end users to authenticate to systems even if the remote server or the SSSD client are offline.
- Improves consistency of the authentication process through a single user central user account
Configure OpenLDAP SSSD client on CentOS 6/7
Setup OpenLDAP Server with TLS/SSL Support
Well, you can’t be setting up SSSD client for OpenLDAP authentication without a running OpenLDAP server. Want to run OpenLDAP server on a CentOS 8 system? Follow the link below to setup one;
Install and Setup OpenLDAP on CentOS 8
Another thing to note is that, SSSD does not support authentication over an unencrypted channel.
To configure OpenLDAP server with SSL/TLS support, you can update the OpenLDAP Server TLS certificates attributes as follows;
vi enable-tls.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/tls/cacert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/ldapserver.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/ldapserver.crt
Replace the paths to the CA, Server Certificate and the key accordingly.
You can the update OpenLDAP database as follows;
ldapadd -Y EXTERNAL -H ldapi:/// -f add-tls.ldifYou can confirm this by running;
slapcat -b "cn=config" | grep olcTLSolcTLSCACertificateFile: /etc/pki/tls/cacert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/ldapserver.key
olcTLSCertificateFile: /etc/pki/tls/ldapserver.crtChange the location of the CA certificate on /etc/openldap/ldap.conf.
vim /etc/openldap/ldap.conf...
#TLS_CACERT /etc/pki/tls/cert.pem
TLS_CACERT /etc/pki/tls/cacert.pemYou should also install the same CA certificate on all of your client machines.
Install SSSD on CentOS 6/CentOS 7
The install SSSD and other SSSD userspace tools for manipulating users, groups, and nested groups, run the command below;
yum install sssd sssd-toolsConfigure SSSD for OpenLDAP Authentication
Once the installation completes, the next step is to configure SSSD for OpenLDAP authentication on CentOS 6/CentOS 7.
By default, SSSD doesn’t create a configuration file. As such, you need to create it and define you authentication parameter options.
vim /etc/sssd/sssd.confSetup you SSSD LDAP authentication parameters such that it may look like in below;
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]
[pam]
offline_credentials_expiration = 60
[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ldap://ldapmaster.kifarunix-demo.com
ldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = P@ssWOrd
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/cacert.pem
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
Set the appropriate the values, at least, for the following parameters;
ldap_search_baseldap_urildap_default_bind_dnldap_default_authtokldap_tls_cacertldap_access_filter
Download the CA certificate of the OpenLDAP server by running the command below.
true | openssl s_client -connect ldapmaster.kifarunix-demo.com:636 2>/dev/null | openssl x509Copy the certificate and store it on the specified file by the value of the ldap_tls_cacert parameter, /etc/openldap/certs/cacert.pem.
vim /etc/openldap/certs/cacert.pem
-----BEGIN CERTIFICATE-----
MIIDPDCCAiSgAwIBAgIULKGcNBKQU9LqklS27aLVr5NFgoQwDQYJKoZIhvcNAQEL
BQAwHzEdMBsGA1UEAwwUKi5raWZhcnVuaXgtZGVtby5jb20wHhcNMjAwNDEzMTAx
...
sLwoxITLon23PB1Twc6heMFh1hkug3JXbtr5AJglU8JdGNtXM6e3ct+cAf2F/hRR
HGs85jrn634RNXMPWZ8lqChr1QLKlDsOz89tTQ4zvDBqQPweo8de2B/ybTIUJu0o
OUyCrLx8BK44vjEz0jvpOA==
-----END CERTIFICATE-----
Also, on the /etc/openldap/ldap.conf configuration, specify the path to CA certificates as defined by the value of ldap_tls_cacertdir parameter.
vim /etc/openldap/ldap.conf...
TLS_CACERT /etc/openldap/certs/cacert.pemVerify the CA certificate;
openssl s_client -connect ldapmaster.kifarunix-demo.com:636 -CAfile /etc/openldap/certs/cacert.pemIf the you get the, Verify return code: 0 (ok) status, then the certificate is fine.
Set the proper ownership and permissions on SSSD configuration file.
chown -R root:root /etc/sssd/
chmod -R 600 /etc/sssd/Integrate NSS and PAM with SSSD on CentOS 7/CentOS 6
Update the NSS and PAM to use SSSD to manage authentication resources. This can be achieved using the authconfig utility
Configure Automatic Home Directory Creation
Install the oddjob-mkhomedir, which provides the pam_oddjob_mkhomedir module to create a home directory for a user at login-time.
yum install oddjob-mkhomedirLoad the pam_oddjob_mkhomedir module in PAM auth file /etc/pam.d/system-auth to enable auto home directory creation.
echo "session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/system-authStart and enable oddjobd to run on system boot.
On CentOS 7;
systemctl enable --now oddjobdOn CentOS 6;
service messagebus start
service oddjobd startchkconfig messagebus on
chkconfig oddjobd onNext, update the NSS and PAM configurations.
authconfig --enablesssd --enablesssdauth --enablemkhomedir --updateThese command updates the /etc/nsswitch.conf and /etc/pam.d/system-auth and /etc/pam.d/password-auth files with relevant PAM modules for SSSD.
Running SSSD on CentOS 6/CentOS 7
The configuration is now done. Start and enable SSSD to run on system boot.
On CentOS 7
systemctl enable --now sssdOn CentOS 6;
service sssd start
chkconfig sssd onCheck the status.
systemctl status sssd
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2020-04-13 16:31:30 EAT; 3s ago
Main PID: 10472 (sssd)
CGroup: /system.slice/sssd.service
├─10472 /usr/sbin/sssd -i --logger=files
├─10473 /usr/libexec/sssd/sssd_be --domain default --uid 0 --gid 0 --logger=files
├─10474 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
└─10475 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
Apr 13 16:31:30 centos7.kifarunix-demo.com systemd[1]: Stopped System Security Services Daemon.
Apr 13 16:31:30 centos7.kifarunix-demo.com systemd[1]: Starting System Security Services Daemon...
Apr 13 16:31:30 centos7.kifarunix-demo.com sssd[10472]: Starting up
Apr 13 16:31:30 centos7.kifarunix-demo.com sssd[be[default]][10473]: Starting up
Apr 13 16:31:30 centos7.kifarunix-demo.com sssd[nss][10474]: Starting up
Apr 13 16:31:30 centos7.kifarunix-demo.com sssd[pam][10475]: Starting up
Apr 13 16:31:30 centos7.kifarunix-demo.com systemd[1]: Started System Security Services Daemon.
service sssd statussssd (pid 2913) is running…Verify OpenLDAP Authentication via SSSD
In our OpenLDAP server, we have created a few user entries;
ldapsearch -H ldapi:/// -Y EXTERNAL -b "ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" uid -LLL -Qdn: ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
uid: janedoe
dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
uid: johndoeOn either CentOS 7 or CentOS 6, depending on the LDAP filter used, you should now have users on the system. Use id command to verify this.
[root@centos6 ~]# id janedoe
uid=10010(janedoe) gid=10010(janedoe) groups=10010(janedoe)[root@centos7 ~]# id johndoe
uid=10000(johndoe) gid=10000(johndoe) groups=10000(johndoe)
[root@centos7 ~]#Verify auto-home directory creation.
[root@centos6 ~]# ssh -l janedoe localhost
janedoe@localhost's password:
Creating home directory for janedoe.
Last login: Mon Apr 13 16:24:36 2020
[janedoe@centos6 ~]$ pwd
/home/janedoe[root@centos7 ~]# ssh -l johndoe localhost
johndoe@localhost's password:
Creating home directory for johndoe.
[johndoe@centos7 ~]$ pwd
/home/johndoeYou have successfully authenticated an OpenLDAP user via SSSD on both CentOS 7 and CentOS 6.
That brings us to the end of our guide on how to install and configure OpenLDAP SSSD client on CentOS 6/7
Related Tutorials
Install and Setup FreeIPA Server on CentOS 8
Setup OpenLDAP Master-Slave Replication on CentOS 8
