Configure SSSD for LDAP Authentication on Rocky Linux 8


In this guide, we are going to demonstrate how to configure SSSD for LDAP authentication on Rocky Linux 8. In our previous guides, we covered how to install and set up OpenLDAP on Rocky Linux 8 as well as how to configure SUDO via OpenLDAP. See the links below;

Install and Setup OpenLDAP on Rocky Linux 8

How to Configure SUDO via OpenLDAP Server

Configuring SSSD for LDAP Authentication

SSSD is an acronym for System Security Services Daemon. It provides access to different identity and authentication providers.

In this demo, we are using OpenLDAP as both our directory and our identity management server.

Run system update

To update your system packages, execute the command below;

dnf update

Install SSSD on Rocky Linux 8

Once the system update is done, proceed to install SSSD and other SSSD tools.

dnf install sssd sssd-tools

Configure LDAP Authentication via SSSD

Next, configure SSSD to allow authentication to your local system via OpenLDAP.

SSSD doesn’t usually ship with any default configuration file. As such you need to create and configure it manually.

Paste the content below into the /etc/sssd/sssd.conf file.

Be sure to make the relevant substitutions, replacing the domain components as well as the bind DN password appropriately.


cat > /etc/sssd/sssd.conf << 'EOL'
[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = default

[sudo]

[nss]

[pam]
offline_credentials_expiration = 60

[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://ldapmaster.kifarunix-demo.com
ldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = P@ssWOrd
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/cacert.crt
ldap_tls_cacertdir = /etc/pki/tls
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_sudo_search_base = ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
EOL

Save and quit the configuration file. Be sure to make the relevant changes for your environment.

Note that we have also configured our OpenLDAP server to provide sudo rights as shown by the configurations;

services = nss, pam, sudo
...

[sudo]
...

ldap_sudo_search_base = ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com

If you are not using OpenLDAP for sudo rules, you can remove these configurations.

Next, download the OpenLDAP server CA certificate and store it in the file named by the ldap_tls_cacert directive in the sssd.conf file above. The command below prints the chain the server presents; because it is fetched over the network, compare it with the copy on the OpenLDAP server (for example by fingerprint) before trusting it.

openssl s_client -connect ldapmaster.kifarunix-demo.com:636 -showcerts < /dev/null | openssl x509 -text

Copy the certificate and paste it into /etc/pki/tls/cacert.crt.

vim /etc/pki/tls/cacert.crt

Next, open the /etc/openldap/ldap.conf configuration file and configure it as follows;

vim /etc/openldap/ldap.conf

Basically, you need to define the location of the CA certificate, the OpenLDAP search base, the URI and, if you are providing SUDO via OpenLDAP, the SUDOers base.

BASE    dc=ldapmaster,dc=kifarunix-demo,dc=com
URI     ldaps://ldapmaster.kifarunix-demo.com:636
SUDOERS_BASE    ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
...
...
TLS_CACERT      /etc/pki/tls/cacert.crt
...

Save and quit the configuration file.

Configure Name Service Switch and PAM on Rocky Linux 8

Next, you need to update the NSS and PAM to use SSSD to manage authentication resources.

In previous versions of CentOS, you would use tools like authconfig, but these have since been replaced by authselect.

Authselect is a utility that simplifies the configuration of user authentication especially while using SSSD for authentication.

Configure SSSD Profile

When used to select the SSSD profile, the authselect command modifies these files;

  • /etc/pam.d/system-auth
  • /etc/pam.d/password-auth
  • /etc/pam.d/fingerprint-auth
  • /etc/pam.d/smartcard-auth
  • /etc/pam.d/postlogin
  • /etc/nsswitch.conf

Therefore, make a backup of these files just in case things don’t work out. Once you have backed up these files, remove them.

Create an SSSD profile. This command will succeed only if you have removed the files above.

authselect select sssd

Otherwise, you can overwrite the files by adding the --force option.

authselect select sssd --force
Backup stored at /var/lib/authselect/backups/2021-06-19-09-55-01.BaMqgB
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

Next, for the system to fetch sudo rights from SSSD/OpenLDAP, edit the /etc/nsswitch.conf to include the line below.

sudoers:    files sss

You can simply echo the line into the configuration file as shown below;

echo "sudoers:    files sss" >> /etc/nsswitch.conf

Configure Automatic Home Directory Creation

To enable automatic home directory creation for a user upon first login, you need to install oddjob-mkhomedir, which provides the pam_oddjob_mkhomedir module that creates a home directory for a user at login time.

dnf install oddjob-mkhomedir

Start and enable oddjobd to run on system boot.

systemctl enable --now oddjobd

Load the pam_oddjob_mkhomedir module in the PAM file /etc/pam.d/system-auth to enable automatic home directory creation. Note that authselect manages this file and discards manual additions the next time a profile is applied; authselect enable-feature with-mkhomedir is the authselect-native way to add the module.

echo "session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/system-auth

Restart oddjobd.

systemctl restart oddjobd

Running SSSD

Before you can start SSSD, check the configuration for typos and file permissions;

sssctl config-check
File ownership and permissions check failed. Expected root:root and 0600.

As the check output says, sssd.conf must be owned by root:root and readable and writable by root only. Apply mode 600 to the file itself rather than recursively to the directory, since a recursive 600 would strip the execute bit that directory traversal needs.

chown -R root: /etc/sssd
chmod 700 /etc/sssd
chmod 600 /etc/sssd/sssd.conf
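As an added pre-flight check (example code written for this article, not part of the guide or of SSSD), the script below lints an sssd.conf before SSSD is started: plaintext ldap:// without StartTLS, weakened certificate validation, a bind password in a world-readable file, a missing access_provider, and the guide's own (objectClass=posixAccount) access filter, which admits every POSIX account in the search base. The sample configuration is constructed to mirror the guide's file with a placeholder password, and the ownership and mode are passed in as arguments.

```python
import configparser
# Constructed sample that mirrors the guide's sssd.conf (password is a placeholder).
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
domains = default

[domain/default]
ldap_id_use_start_tls = True
ldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldap://ldapmaster.kifarunix-demo.com
ldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = CHANGEME_PLACEHOLDER
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/cacert.crt
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
"""


def lint_sssd_conf(text, mode=0o600, owner="root", group="root"):
    """Return findings for an sssd.conf; mode/owner/group describe the file on disk."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    findings = []
    # sssctl config-check refuses anything other than root:root and 0600
    if mode & 0o177 or owner != "root" or group != "root":
        findings.append("file must be root:root with mode 0600")
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        d = cp[name]
        start_tls = d.get("ldap_id_use_start_tls", "false").lower() == "true"
        if d.get("ldap_uri", "").startswith("ldap://") and not start_tls:
            findings.append(f"{name}: ldap:// without ldap_id_use_start_tls sends binds in the clear")
        # SSSD's own default is 'hard'; 'allow' or 'never' disables certificate validation
        if d.get("ldap_tls_reqcert", "hard").lower() not in ("hard", "demand"):
            findings.append(f"{name}: ldap_tls_reqcert must be 'demand' or 'hard'")
        if "ldap_default_authtok" in d and mode & 0o077:
            findings.append(f"{name}: bind password sits in a file other users can read")
        # SSSD's default access_provider is 'permit', i.e. every resolved user may log in
        if d.get("access_provider", "permit") == "permit":
            findings.append(f"{name}: no access_provider, every LDAP user may log in")
        elif d.get("ldap_access_filter", "") == "(objectClass=posixAccount)":
            findings.append(f"{name}: access filter admits every posixAccount; scope it to a group or host")
    return findings
```

Run it against the real file with lint_sssd_conf(open("/etc/sssd/sssd.conf").read(), mode=os.stat(...).st_mode & 0o777) and fix every finding before systemctl enable --now sssd.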

The configuration is now done. Start and enable SSSD to run on system boot.

systemctl enable --now sssd

Check the status.

systemctl status sssd

● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2021-06-19 05:43:33 EDT; 13min ago
 Main PID: 892 (sssd)
    Tasks: 3 (limit: 11256)
   Memory: 12.0M
   CGroup: /system.slice/sssd.service
           ├─892 /usr/sbin/sssd -i --logger=files
           ├─941 /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
           └─946 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files

Jun 19 05:43:17 localhost.localdomain systemd[1]: Starting System Security Services Daemon...
Jun 19 05:43:28 localhost.localdomain sssd[sssd][892]: Starting up
Jun 19 05:43:29 localhost.localdomain sssd[be[implicit_files]][941]: Starting up
Jun 19 05:43:32 localhost.localdomain sssd[nss][946]: Starting up
Jun 19 05:43:33 localhost.localdomain systemd[1]: Started System Security Services Daemon.

Test OpenLDAP Authentication via SSSD

Assuming that you have already created your OpenLDAP users and groups ( if not check our guide on creating OpenLDAP Users and Groups), verify that you can login.

First, confirm that you can see your LDAP username on your system using id command.

id johndoe

You should get an entry similar to the one below. Note that the username, UID and GID may vary depending on your OpenLDAP settings;

uid=10000(johndoe) gid=10000(johndoe) groups=10000(johndoe)

If you can't get the above output, be sure to check the OpenLDAP syslog logs (slapd.log, as per our setup guide) as well as the sssd logs.

Otherwise, you can restart sssd;

systemctl restart sssd

Check user again using id command.

If all is well, perform a local SSH login to test your LDAP authentication.

ssh -l johndoe localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:WuslT7dUhvAkOndw1DZEgJ46bzVUbzewVU9RYcWmPg8.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
johndoe@localhost's password: ENTER USER's LDAP Password

Verify that you got sudo rights.

First, if you have assigned the user sudo rights, you can check by running the command below on your OpenLDAP server. Replace the domain components accordingly.

export SUDOERS_BASE=ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldapsearch -b "$SUDOERS_BASE" -D cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com -W -x
...
# sudo, SUDOers, ldapmaster.kifarunix-demo.com
dn: cn=sudo,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: top
objectClass: sudoRole
cn: sudo
sudoUser: johndoe
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
...

Next, on the LDAP client with SSSD running already, try to list the user's sudo rights.

[johndoe@localhost ~]$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for johndoe: 
Sorry, user johndoe may not run sudo on localhost.

If you get the error "Sorry, user johndoe may not run sudo on localhost.", exit the standard user's shell and restart SSSD as shown above (systemctl restart sssd);

Once you restart SSSD, check the sudo rights again;

sudo -l

[sudo] password for johndoe: 
Matching Defaults entries for johndoe on localhost:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL
    PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, !visiblepw, always_set_home,
    match_group_by_gid, always_query_group_plugin, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG
    LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", env_keep+=SSH_AUTH_SOCK, secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User johndoe may run the following commands on localhost:
    (ALL) ALL

If you have any thoughts about this guide, don’t hesitate to drop them in the comments section.
