Configure OpenLDAP SSSD client on CentOS 6/7


Do you have an older CentOS system, CentOS 7 or CentOS 6, and want to enable OpenLDAP authentication? Well, follow through this guide to learn how to configure an OpenLDAP SSSD client on CentOS 6/7. As you might already know, SSSD offers quite a number of benefits, including;

  • Reduced load on identity and authentication servers through caching of authentication information.
  • Offers offline authentication through the use of cached user identities and credentials thus enabling end users to authenticate to systems even if the remote server or the SSSD client are offline.
  • Improves consistency of the authentication process through a single, central user account.

Configure OpenLDAP SSSD client on CentOS 6/7

Setup OpenLDAP Server with TLS/SSL Support

Well, you can’t be setting up an SSSD client for OpenLDAP authentication without a running OpenLDAP server. Want to run an OpenLDAP server on a CentOS 8 system? Follow the link below to set one up;

Install and Setup OpenLDAP on CentOS 8

Another thing to note is that SSSD does not support authentication over an unencrypted channel: it will not send a user's password over plain LDAP, so the server must offer TLS (StartTLS on the ldap:// port or LDAPS on port 636).

To configure the OpenLDAP server with SSL/TLS support, update the server's TLS certificate attributes with an LDIF like the following;

vi enable-tls.ldif
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/pki/tls/cacert.pem
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/pki/tls/ldapserver.key
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/pki/tls/ldapserver.crt

Replace the paths to the CA, Server Certificate and the key accordingly.

You can then apply it to the OpenLDAP configuration database as follows;

ldapadd -Y EXTERNAL -H ldapi:/// -f enable-tls.ldif

You can confirm this by running;

slapcat -b "cn=config" | grep olcTLS
olcTLSCACertificateFile: /etc/pki/tls/cacert.pem
olcTLSCertificateKeyFile: /etc/pki/tls/ldapserver.key
olcTLSCertificateFile: /etc/pki/tls/ldapserver.crt

Change the location of the CA certificate in /etc/openldap/ldap.conf.

vim /etc/openldap/ldap.conf
...
#TLS_CACERT     /etc/pki/tls/cert.pem
TLS_CACERT     /etc/pki/tls/cacert.pem

You should also install the same CA certificate on all of your client machines.

Install SSSD on CentOS 6/CentOS 7

To install SSSD and the SSSD userspace tools for manipulating users, groups, and nested groups, run the command below;

yum install sssd sssd-tools

Configure SSSD for OpenLDAP Authentication

Once the installation completes, the next step is to configure SSSD for OpenLDAP authentication on CentOS 6/CentOS 7.

By default, SSSD doesn’t create a configuration file. As such, you need to create it and define your authentication parameters.

vim /etc/sssd/sssd.conf

Set up your SSSD LDAP authentication parameters so that the file looks something like the one below;

[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]
offline_credentials_expiration = 60

[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ldap://ldapmaster.kifarunix-demo.com
ldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = [email protected]
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/cacert.pem
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)

Set appropriate values, at least, for the following parameters;

  • ldap_search_base
  • ldap_uri
  • ldap_default_bind_dn
  • ldap_default_authtok
  • ldap_tls_cacert
  • ldap_access_filter
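As an added example (not code from the original post or from the SSSD project), the following POSIX shell script audits an sssd.conf for the settings the list above relies on: an encrypted transport (ldaps://, or ldap:// with ldap_id_use_start_tls = True), ldap_tls_reqcert set to demand, a readable PEM CA file in ldap_tls_cacert, and mode 600 whenever ldap_default_authtok stores a bind password. The file path is whatever you pass in, and the script assumes GNU stat (Linux).

```shell
#!/bin/sh
# audit_sssd_conf FILE: check an sssd.conf for the transport and file-protection settings
# this guide depends on. Added example, not part of the original post or of SSSD itself.
# Prints one line per finding and returns 0 only when nothing was flagged.
# Assumes GNU stat (Linux); the file path is whatever the caller passes in.

# get_opt FILE KEY: value of KEY in FILE (last occurrence wins), ignoring comment lines and
# surrounding whitespace. Keys are matched whole, so ldap_tls_cacert does not match
# ldap_tls_cacertdir.
get_opt() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*//p' "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

audit_sssd_conf() {
    conf="$1"
    rc=0

    # 1. Transport: SSSD will not send a bind password in the clear, so the URI must be
    #    ldaps:// or ldap:// with StartTLS enabled.
    uri=$(get_opt "$conf" ldap_uri)
    starttls=$(get_opt "$conf" ldap_id_use_start_tls | tr '[:upper:]' '[:lower:]')
    case "$uri" in
        ldaps://*) ;;
        ldap://*)
            if [ "$starttls" != "true" ]; then
                echo "ldap_uri uses ldap:// but ldap_id_use_start_tls is not True"
                rc=1
            fi ;;
        *)
            echo "ldap_uri is missing or not an ldap:// or ldaps:// URI: '$uri'"
            rc=1 ;;
    esac

    # 2. Server certificate verification must be enforced; 'allow' or 'never' would accept
    #    any certificate presented on the wire.
    reqcert=$(get_opt "$conf" ldap_tls_reqcert)
    if [ "$reqcert" != "demand" ] && [ "$reqcert" != "hard" ]; then
        echo "ldap_tls_reqcert should be demand (got '$reqcert')"
        rc=1
    fi

    # 3. The CA file named by ldap_tls_cacert must exist and hold a PEM certificate.
    cacert=$(get_opt "$conf" ldap_tls_cacert)
    if [ -z "$cacert" ]; then
        echo "ldap_tls_cacert is not set"
        rc=1
    elif [ ! -r "$cacert" ]; then
        echo "ldap_tls_cacert $cacert is not readable"
        rc=1
    elif ! grep -q 'BEGIN CERTIFICATE' "$cacert"; then
        echo "ldap_tls_cacert $cacert does not contain a PEM certificate"
        rc=1
    fi

    # 4. ldap_default_authtok stores the bind password in clear text, so the file must not
    #    be readable by anyone but its owner (the guide uses chmod 600).
    if [ -n "$(get_opt "$conf" ldap_default_authtok)" ]; then
        mode=$(stat -c '%a' "$conf")
        if [ "$mode" != "600" ]; then
            echo "$conf holds a bind password but has mode $mode, expected 600"
            rc=1
        fi
    fi
    return $rc
}

# Usage: sh audit_sssd_conf.sh /etc/sssd/sssd.conf
if [ $# -gt 0 ]; then
    audit_sssd_conf "$1"
fi
```

Run it after editing the file and again after the chown/chmod step further down; an exit status of 0 means every check passed, otherwise each printed line names the setting to fix.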

Fetch the certificate the OpenLDAP server presents by running the command below. Note that this prints the server's own certificate; if that certificate was issued by a separate CA (the cacert.pem configured on the server above), copy the CA certificate from the server instead, since ldap_tls_cacert must point at the CA that signed the server certificate.

true | openssl s_client -connect ldapmaster.kifarunix-demo.com:636 2>/dev/null | openssl x509

Copy the certificate and store it in the file named by the ldap_tls_cacert parameter, /etc/openldap/certs/cacert.pem.

vim /etc/openldap/certs/cacert.pem
-----BEGIN CERTIFICATE-----
MIIDPDCCAiSgAwIBAgIULKGcNBKQU9LqklS27aLVr5NFgoQwDQYJKoZIhvcNAQEL
BQAwHzEdMBsGA1UEAwwUKi5raWZhcnVuaXgtZGVtby5jb20wHhcNMjAwNDEzMTAx
...
sLwoxITLon23PB1Twc6heMFh1hkug3JXbtr5AJglU8JdGNtXM6e3ct+cAf2F/hRR
HGs85jrn634RNXMPWZ8lqChr1QLKlDsOz89tTQ4zvDBqQPweo8de2B/ybTIUJu0o
OUyCrLx8BK44vjEz0jvpOA==
-----END CERTIFICATE-----

Also, in /etc/openldap/ldap.conf, point TLS_CACERT at the same CA file you set in the ldap_tls_cacert parameter.

vim /etc/openldap/ldap.conf
...
TLS_CACERT /etc/openldap/certs/cacert.pem

Verify the CA certificate;

openssl s_client -connect ldapmaster.kifarunix-demo.com:636 -CAfile /etc/openldap/certs/cacert.pem

If you get the Verify return code: 0 (ok) status, the certificate chain verifies against the CA and the configuration is fine.

Set the proper ownership and permissions on the SSSD configuration file. It contains the bind password in clear text, and SSSD expects sssd.conf to be owned by root with mode 0600. Apply the mode to the file rather than recursively to the directory, since a recursive 600 would also strip the execute bit that makes the directory traversable.

chown -R root:root /etc/sssd/
chmod 600 /etc/sssd/sssd.conf

Integrate NSS and PAM with SSSD on CentOS 7/CentOS 6

Update NSS and PAM to use SSSD for user lookups and authentication. This can be achieved using the authconfig utility.

Configure Automatic Home Directory Creation

Install the oddjob-mkhomedir, which provides the pam_oddjob_mkhomedir module to create a home directory for a user at login-time.

yum install oddjob-mkhomedir

Load the pam_oddjob_mkhomedir module in PAM auth file /etc/pam.d/system-auth to enable auto home directory creation.

echo "session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/system-auth

Start and enable oddjobd to run on system boot.

On CentOS 7;

systemctl enable --now oddjobd

On CentOS 6;

service messagebus start
service oddjobd start
chkconfig messagebus on
chkconfig oddjobd on

Next, update the NSS and PAM configurations.

authconfig --enablesssd --enablesssdauth --enablemkhomedir --update

This command updates /etc/nsswitch.conf, /etc/pam.d/system-auth and /etc/pam.d/password-auth with the relevant SSSD entries (the sss lookup source and the pam_sss.so modules).
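The following is an added example, not part of the original post or of authconfig: it makes the pam_oddjob_mkhomedir addition idempotent (the echo >> step above appends a duplicate line every time it runs) and verifies that the files authconfig rewrote actually reference the sss source and pam_sss.so. File paths are passed in as arguments, so nothing touches /etc unless you ask it to; the sample files in the usage are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: helpers for the NSS/PAM integration step.
# ensure_mkhomedir adds the pam_oddjob_mkhomedir session line only once; nss_uses_sss and
# pam_uses_sss verify that nsswitch.conf and the PAM stack route lookups and
# authentication through SSSD. Paths are supplied by the caller.

MKHOMEDIR_LINE='session     optional      pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022'

# ensure_mkhomedir PAMFILE: append the mkhomedir session line unless a mkhomedir module
# (pam_oddjob_mkhomedir.so or pam_mkhomedir.so) is already configured as a session module.
ensure_mkhomedir() {
    if grep -Eq '^[[:space:]]*session[[:space:]].*pam_(oddjob_)?mkhomedir\.so' "$1"; then
        return 0
    fi
    printf '%s\n' "$MKHOMEDIR_LINE" >> "$1"
}

# nss_uses_sss NSSWITCH: succeed only if passwd, group and shadow all list the sss source,
# which is what lets 'id janedoe' resolve an LDAP user.
nss_uses_sss() {
    ok=0
    for db in passwd group shadow; do
        if ! grep -Eq "^[[:space:]]*$db:.*[[:space:]]sss([[:space:]]|\$)" "$1"; then
            echo "$db: sss source missing in $1"
            ok=1
        fi
    done
    return $ok
}

# pam_uses_sss PAMFILE: succeed only if pam_sss.so appears in all four management groups
# (auth, account, password, session), as authconfig --enablesssdauth writes them.
pam_uses_sss() {
    ok=0
    for type in auth account password session; do
        if ! grep -Eq "^[[:space:]]*$type[[:space:]].*pam_sss\.so" "$1"; then
            echo "$type: pam_sss.so missing in $1"
            ok=1
        fi
    done
    return $ok
}

# Usage: sh check_nss_pam.sh /etc/nsswitch.conf /etc/pam.d/system-auth
if [ $# -eq 2 ]; then
    nss_uses_sss "$1" && pam_uses_sss "$2"
fi
```

On a real host, run it with /etc/nsswitch.conf and /etc/pam.d/system-auth after the authconfig step; a non-zero exit with a printed line tells you which database or PAM group authconfig did not wire up.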

Running SSSD on CentOS 6/CentOS 7

The configuration is now done. Start and enable SSSD to run on system boot.

On CentOS 7

systemctl enable --now sssd

On CentOS 6;

service sssd start
chkconfig sssd on

Check the status.

On CentOS 7;

systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-04-13 16:31:30 EAT; 3s ago
 Main PID: 10472 (sssd)
   CGroup: /system.slice/sssd.service
           ├─10472 /usr/sbin/sssd -i --logger=files
           ├─10473 /usr/libexec/sssd/sssd_be --domain default --uid 0 --gid 0 --logger=files
           ├─10474 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
           └─10475 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files

Apr 13 16:31:30 centos7.kifarunix-demo.com systemd[1]: Stopped System Security Services Daemon.
Apr 13 16:31:30 centos7.kifarunix-demo.com systemd[1]: Starting System Security Services Daemon...
Apr 13 16:31:30 centos7.kifarunix-demo.com sssd[10472]: Starting up
Apr 13 16:31:30 centos7.kifarunix-demo.com sssd[be[default]][10473]: Starting up
Apr 13 16:31:30 centos7.kifarunix-demo.com sssd[nss][10474]: Starting up
Apr 13 16:31:30 centos7.kifarunix-demo.com sssd[pam][10475]: Starting up
Apr 13 16:31:30 centos7.kifarunix-demo.com systemd[1]: Started System Security Services Daemon.

On CentOS 6;

service sssd status
sssd (pid 2913) is running…

Verify OpenLDAP Authentication via SSSD

In our OpenLDAP server, we have created a few user entries;

ldapsearch -H ldapi:/// -Y EXTERNAL -b "ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com" uid -LLL -Q
dn: ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com

dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
uid: janedoe

dn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
uid: johndoe

On either CentOS 7 or CentOS 6, depending on the LDAP access filter used, the LDAP users should now be resolvable on the system. Use the id command to verify this.

[root@centos7 ~]# id janedoe
uid=10010(janedoe) gid=10010(janedoe) groups=10010(janedoe)
[root@centos7 ~]# id johndoe
uid=10000(johndoe) gid=10000(johndoe) groups=10000(johndoe)
[root@centos7 ~]#

Verify auto-home directory creation.

[root@centos7 ~]# ssh -l janedoe localhost
janedoe@localhost's password:
Creating home directory for janedoe.
Last login: Mon Apr 13 16:24:36 2020
[janedoe@centos7 ~]$ pwd
/home/janedoe
[root@centos7 ~]# ssh -l johndoe localhost
johndoe@localhost's password:
Creating home directory for johndoe.
[johndoe@centos7 ~]$ pwd
/home/johndoe

You have successfully authenticated an OpenLDAP user via SSSD on both CentOS 7 and CentOS 6.

That brings us to the end of our guide on how to install and configure an OpenLDAP SSSD client on CentOS 6/7.
