Configure SSSD for OpenLDAP Authentication on CentOS 8

In this guide, we are going to demonstrate how to configure SSSD for OpenLDAP authentication on CentOS 8. In our previous guides, we covered how to install and set up OpenLDAP on CentOS 8 as well as how to configure sudo via OpenLDAP. See the links below;

Install and Setup OpenLDAP on CentOS 8

How to Configure SUDO via OpenLDAP Server

Configuring SSSD for OpenLDAP Authentication on CentOS 8

SSSD is an acronym for System Security Services Daemon. It provides access to different identity and authentication providers.

In this demo, we are using OpenLDAP as our directory as well as our identity management server.

Run system update

To update your system packages, execute the command below;

dnf update

Install SSSD on CentOS 8

Once the system update is done, proceed to install SSSD and other SSSD tools.

dnf install sssd sssd-tools

Configuring SSSD for OpenLDAP Authentication on CentOS 8

Next, configure SSSD to allow authentication to your local system via OpenLDAP.

SSSD does not ship with a default configuration file, so you need to create and populate it manually.

vim /etc/sssd/sssd.conf

Paste the content below into the sssd.conf file, substituting your own domain components and server details where appropriate.


[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = default

[sudo]

[nss]

[pam]
offline_credentials_expiration = 60

[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://ldapmaster.kifarunix-demo.com
ldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = P@ssWOrd
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/cacert.crt
ldap_tls_cacertdir = /etc/pki/tls
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_sudo_search_base = ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)

Save and quit the configuration file once you have made the relevant changes for your environment.

Note that we have also configured our OpenLDAP server to provide sudo rights as shown by the configurations;


services = nss, pam, sudo
...

[sudo]
...

ldap_sudo_search_base = ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com

If you are not using OpenLDAP for sudo rules, you can remove these configurations.

Next, download the OpenLDAP server CA certificate and store it in the file specified by the ldap_tls_cacert directive in the sssd.conf file above.

openssl s_client -connect ldapmaster.kifarunix-demo.com:636 -showcerts < /dev/null | openssl x509 -text

Copy the certificate and paste it into /etc/pki/tls/cacert.crt.

vim /etc/pki/tls/cacert.crt

Next, open the /etc/openldap/ldap.conf configuration file and configure it as follows;

vim /etc/openldap/ldap.conf

Basically, you need to define the location of the CA certificate, the OpenLDAP search base, the URI and, if you are providing sudo via OpenLDAP, the SUDOers base.

BASE    dc=ldapmaster,dc=kifarunix-demo,dc=com
URI     ldaps://ldapmaster.kifarunix-demo.com:636
SUDOERS_BASE    ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
...
...
TLS_CACERT      /etc/pki/tls/cacert.crt
...

Save and quit the configuration file.

Configure Name Service Switch and PAM on CentOS 8

Next, you need to update NSS and PAM so that they use SSSD for name resolution and authentication.

In previous versions of CentOS, you would use tools like authconfig, but this has since been replaced by authselect.

Authselect is a utility that simplifies the configuration of user authentication, especially when SSSD is used for authentication.

Configure SSSD Profile

When used to select the SSSD profile, the authselect command modifies these files;

  • /etc/pam.d/system-auth
  • /etc/pam.d/password-auth
  • /etc/pam.d/fingerprint-auth
  • /etc/pam.d/smartcard-auth
  • /etc/pam.d/postlogin
  • /etc/nsswitch.conf

Therefore, back up these files in case things don't work out. Once you have backed them up, remove them.

Create an SSSD profile. This command will succeed only if you have removed the files above.

authselect select sssd

Otherwise, you can overwrite the files by adding the --force option.

authselect select sssd --force
Backup stored at /var/lib/authselect/backups/2019-12-08-19-05-16.yMO4TA
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

Next, for the system to fetch sudo rules from SSSD/OpenLDAP, edit /etc/nsswitch.conf to include the line below.

sudoers:    files sss

You can simply echo the line into the configuration file as shown below;

echo "sudoers:    files sss" >> /etc/nsswitch.conf

Configure Automatic Home Directory Creation

To create a home directory automatically for a user on first login, install oddjob-mkhomedir, which provides the pam_oddjob_mkhomedir module that creates the home directory at login time.

dnf install oddjob-mkhomedir

Start and enable oddjobd to run on system boot.

systemctl enable --now oddjobd

Load the pam_oddjob_mkhomedir module in the PAM file /etc/pam.d/system-auth to enable automatic home directory creation. Since authselect manages this file (see the list above), selecting a profile again later will regenerate it, so the line has to be re-added afterwards.

echo "session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/system-auth

Restart oddjobd.

systemctl restart oddjobd

Running SSSD

Before you start SSSD, check the configuration for typos and verify the file permissions;

sssctl config-check
File ownership and permissions check failed. Expected root:root and 0600.

As the check output indicates, /etc/sssd must be owned by root and readable and writable by root only (the configuration holds the bind password set in ldap_default_authtok).

chown -R root: /etc/sssd
chmod 600 -R /etc/sssd
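The following script is an added example, not part of the original guide: an offline pre-flight review of an sssd.conf written with the directives shown above. It checks the root:root/0600 requirement that sssctl config-check enforces, and the transport settings (ldap_uri, ldap_id_use_start_tls, ldap_tls_reqcert, ldap_tls_cacert, ldap_default_bind_dn) that decide whether the bind password and users' passwords are protected in transit. The two sample configuration files it writes to a scratch directory are constructed for the demo; the script assumes stat -c (GNU coreutils, as on CentOS 8).

```shell
#!/bin/sh
# Added example, not from the original guide: an offline review of an sssd.conf
# that uses the directives shown above. It only reads the file and never contacts
# the LDAP server. Assumes stat -c (GNU coreutils, as on CentOS 8).

# Print the value of "key = value" for key $2 in config file $1 (first match).
sssd_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Report each finding on stderr; return the number of findings (0 = clean).
# $1 = path to sssd.conf, $2 = uid expected to own it (default 0 = root).
sssd_preflight() {
    conf=$1; want_uid=${2:-0}; n=0
    fail() { echo "FAIL: $1" >&2; n=$((n + 1)); }
    # 1. root:root and 0600, as sssctl config-check demands: the file holds the
    #    bind password in ldap_default_authtok.
    mode=$(stat -c %a "$conf"); owner=$(stat -c %u "$conf")
    [ "$mode" = "600" ]        || fail "$conf mode is $mode, expected 600"
    [ "$owner" = "$want_uid" ] || fail "$conf owned by uid $owner, expected $want_uid"
    # 2. Transport: a plain ldap:// URI is acceptable only with StartTLS; otherwise
    #    the bind password and every password SSSD verifies cross the network in clear.
    uri=$(sssd_get "$conf" ldap_uri)
    starttls=$(sssd_get "$conf" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
    case "$uri" in
        ldaps://*) ;;
        ldap://*)  [ "$starttls" = "true" ] || fail "ldap:// without ldap_id_use_start_tls = True" ;;
        *)         fail "ldap_uri missing or unrecognised: '$uri'" ;;
    esac
    # 3. The server certificate must be validated, or a spoofed server can collect
    #    the credentials SSSD sends it.
    reqcert=$(sssd_get "$conf" ldap_tls_reqcert)
    [ "$reqcert" = "demand" ] || fail "ldap_tls_reqcert is '$reqcert', expected demand"
    # 4. Validation needs the CA file the guide fetched with openssl s_client.
    cacert=$(sssd_get "$conf" ldap_tls_cacert)
    [ -n "$cacert" ] && [ -r "$cacert" ] || fail "ldap_tls_cacert '$cacert' not readable"
    # 5. Bind with a read-only account (the guide uses cn=readonly,ou=system,...)
    #    so a leaked authtok cannot be used to modify the directory.
    binddn=$(sssd_get "$conf" ldap_default_bind_dn)
    case "$binddn" in
        cn=admin,*|cn=Manager,*) fail "ldap_default_bind_dn is a privileged DN: $binddn" ;;
    esac
    return "$n"
}

# Constructed sample files in a scratch directory (not the guide's real files).
SSSD_DEMO_DIR=$(mktemp -d)
echo "placeholder standing in for the CA certificate" > "$SSSD_DEMO_DIR/cacert.crt"
# Hardened: the guide's settings, with ldap_tls_cacert pointed at the scratch copy.
SSSD_GOOD_CONF=$SSSD_DEMO_DIR/good.conf
cat > "$SSSD_GOOD_CONF" <<EOF
[domain/default]
ldap_id_use_start_tls = True
ldap_uri = ldap://ldapmaster.kifarunix-demo.com
ldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = P@ssWOrd
ldap_tls_reqcert = demand
ldap_tls_cacert = $SSSD_DEMO_DIR/cacert.crt
EOF
chmod 600 "$SSSD_GOOD_CONF"

# Weak: no StartTLS, certificate checks off, admin bind DN, missing CA, mode 644.
SSSD_WEAK_CONF=$SSSD_DEMO_DIR/weak.conf
cat > "$SSSD_WEAK_CONF" <<'EOF'
[domain/default]
ldap_uri = ldap://ldapmaster.kifarunix-demo.com
ldap_default_bind_dn = cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_tls_reqcert = never
ldap_tls_cacert = /nonexistent/cacert.crt
EOF
chmod 644 "$SSSD_WEAK_CONF"

sssd_preflight "$SSSD_GOOD_CONF" "$(id -u)" && echo "good.conf: clean"
sssd_preflight "$SSSD_WEAK_CONF" "$(id -u)" || echo "weak.conf: $? finding(s)"
```

Run it against the real file as root with `sssd_preflight /etc/sssd/sssd.conf` (expected owner uid 0) before `systemctl enable --now sssd`; it complements, rather than replaces, `sssctl config-check`.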

The configuration is now done. Start and enable SSSD to run on system boot.

systemctl enable --now sssd

Check the status.

systemctl status sssd

● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-12-08 16:57:07 EAT; 42min ago
 Main PID: 779 (sssd)
    Tasks: 3 (limit: 5073)
   Memory: 60.6M
   CGroup: /system.slice/sssd.service
           ├─779 /usr/sbin/sssd -i --logger=files
           ├─800 /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
           └─801 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files

Test OpenLDAP Authentication via SSSD

Assuming that you have already created your OpenLDAP users and groups (if not, check our guide on setting up an OpenLDAP server on CentOS 8), verify that you can log in.

First, confirm that you can see your LDAP username on your system using id command.

id johndoe

You should get an entry similar to;

uid=1002(johndoe) gid=1002(johndoe) groups=1002(johndoe)

If you cannot get the above output, check the syslog and SSSD logs, or try restarting SSSD;

systemctl restart sssd

Check the user again with the id command.

If all is well, perform a local SSH login to test your LDAP authentication.

ssh -l johndoe localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:iMRNJQa8gU0t6fHx6nzmAU+ZygA/3J2BC6zzwzqfY4o.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
johndoe@localhost's password: 
[johndoe@centos8 ~]$ pwd
/home/johndoe

Verify that you have sudo rights.

First, if you have assigned the user sudo rights, you can check by running the command below on your OpenLDAP server. Replace the domain components accordingly.

export SUDOERS_BASE=ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldapsearch -b "$SUDOERS_BASE" -D cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com -W -x

...
# sudo, SUDOers, ldapmaster.kifarunix-demo.com
dn: cn=sudo,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: top
objectClass: sudoRole
cn: sudo
sudoUser: johndoe
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
...

Next, on the client, try sudo;

[johndoe@centos8 ~]$ sudo su -

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for johndoe: 
Last login: Sun Dec  8 22:49:47 EAT 2019 from 192.168.56.1 on pts/0
[root@centos8 ~]#

If you have any thoughts about this guide, don't hesitate to drop them in the comments section.



koromicha
I am the Co-founder of Kifarunix.com, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".

16 thoughts on “Configure SSSD for OpenLDAP Authentication on CentOS 8”

  1. I’ve followed the instructions above, but somehow the authentication does not work (something about passwords?)
    – I have all my users in the openldap server. All authenticate OK on Debian & Ubuntu ldap-based clients
    – The same users can be seen on the RH-based machines with ldap clients (in other words: id -a $USER shows results; ldapsearch -h $LDAPHOST etc etc with the UID of the user and his/her password works)

    … but:
    – from the root account, I su - $USER_1, it’s fine, the home dir is created, and I switch to that user
    now from USER_1, I do su - $USER_2, the password gets rejected.
    – ssh $USER_1@centos_ldap_client will also fail. Whatever the ldap user I try, it fails, but again, wouldn’t fail on Debian/Ubuntu-based boxes

    I suspect a password encryption scheme issue, but I’m no good in that regard. Any idea?
    • Hi Gratton. Kindly tail (tail -f) the LDAP server logs (slapd.log; it may be different in your case) and try to switch to the user. You will find out what the issue is.
  2. Hi koromicha,

    I performed both the ‘Install and Setup OpenLDAP on CentOS 8’ and this current guide ‘Configure SSSD for OpenLDAP Authentication on CentOS 8’. I finally got it going with a little digging, but something is missing: The user ‘John Doe’ never gets created. How is that supposed to happen?

    Thank you,

    Yvan
    • Hi Yvan,

      When you say the user is not getting created, do you mean by SSSD, when you run the id command on the LDAP client server? (If so, ensure that the client can connect to the LDAP server and restart the SSSD service.)
      Ensure that the users are already created and available on the LDAP database.
  3. Hi koromicha,

    The only time we see the ‘johndoe’ user is in your ‘OpenLDAP server install’, with the users.ldif file.
    There’s no ‘useradd johndoe’ anywhere, so how can the client get any reply from ‘id johndoe’?

    Thank you,
    • Hi Yvan,

      With OpenLDAP, you do not need to add local users to the system on which you want to enable LDAP authentication, hence no users are added using the useradd command.
      You need to add users to the LDAP directory database and then, for each specific system, you can use SSSD to enable specific users to log in to that system.
      In our setup, the client has been configured to query the LDAP database for user information, hence we run id johndoe to query the details of the user johndoe from LDAP, not from local system authentication.
  4. Hi koromicha,

    Ok, so I must have missed something. This is what my sssd status shows:
    ● sssd.service - System Security Services Daemon
    Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
    Active: active (running) since Sat 2021-01-09 10:45:56 EST; 1 day 2h ago
    Main PID: 25575 (sssd)
    Tasks: 6 (limit: 11412)
    Memory: 51.3M
    CGroup: /system.slice/sssd.service
    ├─25575 /usr/sbin/sssd -i --logger=files
    ├─25578 /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
    ├─25579 /usr/libexec/sssd/sssd_be --domain default --uid 0 --gid 0 --logger=files
    ├─25580 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
    ├─25581 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
    └─25582 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --logger=files

    Jan 09 10:45:55 centos8client systemd[1]: Starting System Security Services Daemon…
    Jan 09 10:45:55 centos8client sssd[25575]: Starting up
    Jan 09 10:45:55 centos8client be[implicit_files][25578]: Starting up
    Jan 09 10:45:55 centos8client be[default][25579]: Starting up
    Jan 09 10:45:56 centos8client sudo[25582]: Starting up
    Jan 09 10:45:56 centos8client nss[25580]: Starting up
    Jan 09 10:45:56 centos8client pam[25581]: Starting up
    Jan 09 10:45:56 centos8client systemd[1]: Started System Security Services Daemon.
    Jan 09 10:49:12 centos8client be[default][25579]: Backend is offline

    The following ldapsearch also returns nothing:
    ldapsearch -b "$SUDOERS_BASE" -D cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com -W -x

    Thank you,

    Yvan
  5. Hello koromicha,

    Thanks for the guide, I’ve gotten my openldap, phpldapadmin and sssd running however my user cannot login to the server i.e. the user created using the users.ldif file.
    Please help assist as I’m not sure how I can test connectivity to the ldap server
    • Hi Bayo,
      On the system where sssd is running, when you run the command id <uid>, where <uid> is the uid of the user in the LDAP database, do you get any output?
  6. Hello Koromicha,

    I get output showing that the users are created along with their home directories.
    However I just can’t login with the user accounts, could this be because I have configured the pwpolicy?
    I can switch user to the account and they return the correct ids
    Though when I search the dn, I get this error;
    ldapsearch -b "$SUDOERS_BASE" -D cn=admin,dc=ldapmanager,dc=soft,dc=com -W -x
    Enter LDAP Password:
    # extended LDIF
    #
    # LDAPv3
    # base with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # search result
    search: 2
    result: 34 Invalid DN syntax
    text: invalid DN

    Not sure what I have missed here although I didn’t use TLS certificate in my own.
    My slapd log looks like this
    Mar 23 07:05:13 jumpsrv slapd[307290]: conn=1236 op=4 SRCH base="dc=ldapmanager,dc=soft,dc=com" scope=2 deref=0 filter="(&(uid=oadeniyi)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
    Mar 23 07:05:13 jumpsrv slapd[307290]: conn=1236 op=4 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host rhost loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey userCertificate;binary mail
    Mar 23 07:05:13 jumpsrv slapd[307290]: conn=1236 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Mar 23 07:05:13 jumpsrv slapd[307290]: conn=1236 op=5 SRCH base="dc=ldapmanager,dc=soft,dc=com" scope=2 deref=0 filter="(&(memberUid=oadeniyi)(objectClass=posixGroup)(cn=*)(&(gidNumber=*)(!(gidNumber=0))))"
    Mar 23 07:05:13 jumpsrv slapd[307290]: conn=1236 op=5 SRCH attr=objectClass cn userPassword gidNumber modifyTimestamp modifyTimestamp
    Mar 23 07:05:13 jumpsrv slapd[307290]: <= mdb_equality_candidates: (memberUid) not indexed
    Mar 23 07:05:13 jumpsrv slapd[307290]: conn=1236 op=5 SEARCH RESULT tag=101 err=0 nentries=0 text=
    Mar 23 07:05:13 jumpsrv slapd[307290]: conn=1237 fd=20 ACCEPT from IP=x.x.x.x:33874 (IP=0.0.0.0:389)
    Mar 23 07:05:13 jumpsrv slapd[307290]: conn=1237 op=0 EXT oid=1.3.6.1.4.1.1466.20037
    Mar 23 07:05:13 jumpsrv slapd[307290]: conn=1237 op=0 do_extended: unsupported operation "1.3.6.1.4.1.1466.20037"
    Mar 23 07:05:13 jumpsrv slapd[307290]: conn=1237 op=0 RESULT tag=120 err=2 text=unsupported extended operation
    Mar 23 07:05:13 jumpsrv slapd[307290]: conn=1237 op=1 UNBIND
    Mar 23 07:05:13 jumpsrv slapd[307290]: conn=1237 fd=20 closed
    Mar 23 07:05:14 jumpsrv slapd[307290]: conn=1236 op=6 UNBIND
    Mar 23 07:05:14 jumpsrv slapd[307290]: conn=1236 fd=17 closed
    Mar 23 07:06:41 jumpsrv slapd[307290]: conn=1238 fd=17 ACCEPT from IP=x.x.x.x:33896 (IP=0.0.0.0:389)
    Mar 23 07:06:41 jumpsrv slapd[307290]: conn=1238 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
    Mar 23 07:06:41 jumpsrv slapd[307290]: conn=1238 op=0 SRCH attr=* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domainControllerFunctionality defaultNamingContext lastUSN highestCommittedUSN
    Mar 23 07:06:41 jumpsrv slapd[307290]: conn=1238 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
    Mar 23 07:06:41 jumpsrv slapd[307290]: conn=1238 op=1 BIND dn="cn=readonly,ou=system,dc=ldapmanager,dc=soft,dc=com" method=128
    Mar 23 07:06:41 jumpsrv slapd[307290]: conn=1238 op=1 BIND dn="cn=readonly,ou=system,dc=ldapmanager,dc=soft,dc=com" mech=SIMPLE ssf=0
    Mar 23 07:06:41 jumpsrv slapd[307290]: ppolicy_bind: Setting warning for password expiry for cn=readonly,ou=system,dc=ldapmanager,dc=soft,dc=com = 0 seconds
    Mar 23 07:06:41 jumpsrv slapd[307290]: conn=1238 op=1 RESULT tag=97 err=0 text=
    Mar 23 07:06:41 jumpsrv slapd[307290]: conn=1238 op=2 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
    Mar 23 07:06:41 jumpsrv slapd[307290]: conn=1238 op=2 SRCH attr=* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domainControllerFunctionality defaultNamingContext lastUSN highestCommittedUSN
    Mar 23 07:06:41 jumpsrv slapd[307290]: conn=1238 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
    Mar 23 07:06:41 jumpsrv slapd[307290]: conn=1238 op=3 UNBIND
    Mar 23 07:06:41 jumpsrv slapd[307290]: conn=1238 fd=17 closed
    Mar 23 07:06:41 jumpsrv slapd[307290]: connection_read(17): no connection!
    Mar 23 07:06:42 jumpsrv slapd[307290]: conn=1239 fd=17 ACCEPT from IP=x.x.x.x:33898 (IP=0.0.0.0:389)
    Mar 23 07:06:42 jumpsrv slapd[307290]: conn=1239 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
    Mar 23 07:06:42 jumpsrv slapd[307290]: conn=1239 op=0 SRCH attr=* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domainControllerFunctionality defaultNamingContext lastUSN highestCommittedUSN
    Mar 23 07:06:42 jumpsrv slapd[307290]: conn=1239 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
    Mar 23 07:06:42 jumpsrv slapd[307290]: conn=1239 op=1 BIND dn="cn=readonly,ou=system,dc=ldapmanager,dc=soft,dc=com" method=128
    Mar 23 07:06:42 jumpsrv slapd[307290]: conn=1239 op=1 BIND dn="cn=readonly,ou=system,dc=ldapmanager,dc=soft,dc=com" mech=SIMPLE ssf=0
    Mar 23 07:06:42 jumpsrv slapd[307290]: ppolicy_bind: Setting warning for password expiry for cn=readonly,ou=system,dc=ldapmanager,dc=soft,dc=com = 0 seconds
    Mar 23 07:06:42 jumpsrv slapd[307290]: conn=1239 op=1 RESULT tag=97 err=0 text=
    Mar 23 07:06:42 jumpsrv slapd[307290]: conn=1239 op=2 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
    Mar 23 07:06:42 jumpsrv slapd[307290]: conn=1239 op=2 SRCH attr=* altServer namingContexts supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms domainControllerFunctionality defaultNamingContext lastUSN highestCommittedUSN
    Mar 23 07:06:42 jumpsrv slapd[307290]: conn=1239 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
    Mar 23 07:06:42 jumpsrv slapd[307290]: conn=1239 op=3 SRCH base="ou=SUDOers,dc=ldapmanager,dc=soft,dc=com" scope=2 deref=0 filter="(&(objectClass=sudoRole)(|(&(!(sudoHost=*))(cn=defaults))(sudoHost=ALL)(sudoHost=sapp1.soft.com)(sudoHost=sapp1)(sudoHost=x.x.x.x)(sudoHost=x.x.x.x/24)(sudoHost=x.x.x.x)(sudoHost=x.x.x.x/24)(sudoHost=+*)))"
    Mar 23 07:06:42 jumpsrv slapd[307290]: conn=1239 op=3 SRCH attr=objectClass objectClass cn sudoCommand sudoHost sudoUser sudoOption sudoRunAs sudoRunAsUser sudoRunAsGroup sudoNotBefore sudoNotAfter sudoOrder modifyTimestamp
    Mar 23 07:06:42 jumpsrv slapd[307290]: <= mdb_substring_candidates: (sudoHost) not indexed
    Mar 23 07:06:42 jumpsrv slapd[307290]: conn=1239 op=3 SEARCH RESULT tag=101 err=0 nentries=2 text=
    • Seems there is an issue with your DN,
      result: 34 Invalid DN syntax
      text: invalid DN

      Maybe issue with the "$SUDOERS_BASE" variable?
  7. Hello Koromicha,

    I followed this guide on my Centos 8 but I’m not able to get my ldap-server users to authenticate on the client (no result with the command ‘id johndoe’, and johndoe already exists in my ldap server directory). I guess it has something to do with the sssd service, because when I run "sssctl config-check", I get the following message:

    Issues identified by validators: 1
    [rule/allowed_sections]: Section [default] is not allowed. Check for typos.
    Messages generated during configuration merging: 0
    Used configuration snipped files: 0

    My sssd.config is set as follows:

    [sssd]
    services = nss, pam, sudo
    config_file_version = 2
    domains = default

    [sudo]

    [nss]

    [pam]
    offline_credentials_expiration = 60

    [domain/default]
    ldap_id_use_start_tls = True
    cache_credentials = True
    ldap_search_base = dc=mydomain,dc=server,dc=com
    id_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    access_provider = ldap
    sudo_provider = ldap
    ldap_uri = ldap://mydomain.server.com
    ldap_default_bind_dn = cn=readonly,ou=system,dc=mydomain,dc=server,dc=com
    ldap_default_authtok = P@ssWOrd
    ldap_tls_reqcert = demand
    ldap_tls_cacert = /etc/pki/tls/cacert.crt
    ldap_tls_cacertdir = /etc/pki/tls
    ldap_search_timeout = 50
    ldap_network_timeout = 60
    ldap_sudo_search_base = ou=SUDOers,dc=mydomain,dc=server,dc=com
    ldap_access_order = filter
    ldap_access_filter = (objectClass=posixAccount)

    Thank you in advance.
    • Hi nonux, I used the same configs and it seems no issue at all.
      sssctl config-check
      Issues identified by validators: 0
      Messages generated during configuration merging: 0
      Used configuration snippet files: 0

      sssd --version
      1.16.3

      can you run this command and check the syntax again?
      cat > /etc/sssd/sssd.conf << 'EOL'
      [sssd]
      services = nss, pam, sudo
      config_file_version = 2
      domains = default

      [sudo]

      [nss]

      [pam]
      offline_credentials_expiration = 60

      [domain/default]
      ldap_id_use_start_tls = True
      cache_credentials = True
      ldap_search_base = dc=mydomain,dc=server,dc=com
      id_provider = ldap
      auth_provider = ldap
      chpass_provider = ldap
      access_provider = ldap
      sudo_provider = ldap
      ldap_uri = ldap://mydomain.server.com
      ldap_default_bind_dn = cn=readonly,ou=system,dc=mydomain,dc=server,dc=com
      ldap_default_authtok = P@ssWOrd
      ldap_tls_reqcert = demand
      ldap_tls_cacert = /etc/pki/tls/cacert.crt
      ldap_tls_cacertdir = /etc/pki/tls
      ldap_search_timeout = 50
      ldap_network_timeout = 60
      ldap_sudo_search_base = ou=SUDOers,dc=mydomain,dc=server,dc=com
      ldap_access_order = filter
      ldap_access_filter = (objectClass=posixAccount)
      EOL
  8. Hi,
    Thank you for your guides. It’s pretty cool to read such nice things.
    I followed this guide and all is working fine but the user’s home rights.

    All the user’s homedirs are created with 500 rights
    dr-x------ 2 olivier wheel 3864 Sep 24 19:05 olivier

    Do you have any idea of what is wrong ?

    Thanks

    Olivier
    • Hi, thanks Olivier.

      What is the umask value in this line (session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022)?