Configure SSSD for OpenLDAP Authentication on CentOS 8


In this guide, we are going to demonstrate how to configure SSSD for OpenLDAP Authentication on CentOS 8. In our previous guides, we have covered how to install and setup OpenLDAP on CentOS 8 as well how to configure SUDO via OpenLDAP. See the links below;

Install and Setup OpenLDAP on CentOS 8

How to Configure SUDO via OpenLDAP Server

Configure SSSD for OpenLDAP Authentication on CentOS 8

SSSD is an acronym for System Security Services Daemon. It provides access to different identity and authentication providers.

In this demo, we are using OpenLDAP as our directory as well identity management server.

Run system update

To update your system packages, execute the command below;

dnf update

Install SSSD on CentOS 8

Once the system update is done, proceed to install SSSD and other SSSD tools.

dnf install sssd sssd-tools

Configure SSSD for OpenLDAP Authentication on CentOS 8

Next, configure SSSD to allow authentication to your local system via OpenLDAP.

SSSD doesn’t usually ship with any default configuration file. As such you need to create and configure it manually.

vim /etc/sssd/sssd.conf

Paste the content below into sssd.conf file. Be sure to make the relevant substitutions replacing your domain components appropriately.

services = nss, pam, sudo
config_file_version = 2
domains = default



offline_credentials_expiration = 60

ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://
ldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = [email protected]
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/cacert.crt
ldap_tls_cacertdir = /etc/pki/tls
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_sudo_search_base = ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)

Save and quit the configuration files. Be sure to make relevant changes accordingly.

Note that we have also configured our OpenLDAP server to provide sudo rights as shown by the configurations;

services = nss, pam, sudo


ldap_sudo_search_base = ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com

If you are not using OpenLDAP for sudo rules, you can remove these configurations.

Next, download the OpenLDAP server CA certificate and store it on the file specified by the ldap_tls_cacert directive on the sssd.conf file above.

openssl s_client -connect -showcerts < /dev/null | openssl x509 -text

Copy the certificate and paste it on the /etc/pki/tls/cacert.crt.

vim /etc/pki/tls/cacert.crt

Next, open the /etc/openldap/ldap.conf configuration file and configure it as follows;

vim /etc/openldap/ldap.conf

Basically, you need to define the location of the CA certificate, the OpenLDAP search base, the URI and if you are providing SUDO via OpenLDAP, the SUDOers base.

BASE    dc=ldapmaster,dc=kifarunix-demo,dc=com
URI     ldaps://
SUDOERS_BASE    ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
TLS_CACERT      /etc/pki/tls/cacert.crt

Save and quit the configuration file.

Configure Name Service Switch and PAM on CentOS 8

Next, you need to update the NSS and PAM to use SSSD to manage authentication resources.

In previous versions of CentOS, you would use tools like authconfig but this has since been replaced by tools like authselect.

Authselect is a utility that simplifies the configuration of user authentication especially while using SSSD for authentication.

Configure SSSD Profile

Authselect command when used to create an SSSD profile, will basically modify these files;

  • /etc/pam.d/system-auth
  • /etc/pam.d/password-auth
  • /etc/pam.d/fingerprint-auth
  • /etc/pam.d/smartcard-auth
  • /etc/pam.d/postlogin
  • /etc/nsswitch.conf

Therefore, make a back up of these files just in case things don’t work out. Once you have backed up these files, remove them.

Create an SSSD profile. This command will succeed only of you have removed the files above.

authselect select sssd

Otherwise, you can overwrite the files by adding the --force option.

authselect select sssd --force
Backup stored at /var/lib/authselect/backups/2019-12-08-19-05-16.yMO4TA
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

Next, for the system to fetch sudo rights from SSSD/OpenLDAP, edit the /etc/nsswitch.conf to include the line below.

sudoers:    files sss

You can simply echo the line into the configuration file as shown below;

echo "sudoers:    files sss" >> /etc/nsswitch.conf

Configure Automatic Home Directory Creation

To enable automatic home directory creation for user upon first login, you need to install the oddjob-mkhomedir, which provides the pam_oddjob_mkhomedir module to create a home directory for a user at login-time.

dnf install oddjob-mkhomedir

Start and enable oddjobd to run on system boot.

systemctl enable --now oddjobd

Load the pam_oddjob_mkhomedir module in PAM auth file /etc/pam.d/system-auth to enable auto home directory creation.

echo "session optional skel=/etc/skel/ umask=0022" >> /etc/pam.d/system-auth

Restart oddjobd.

systemctl restart oddjobd

Running SSSD

Before you can start SSSD, you need to check configuration for any typos or permissions;

sssctl config-check
File ownership and permissions check failed. Expected root:root and 0600.

As per the check output, set the read/write access to /etc/sssd/ for the owner (root).

chown -R root: /etc/sssd
chmod 600 -R /etc/sssd

The configuration is now done. Start and enable SSSD to run on system boot.

systemctl enable --now sssd

Check the status.

systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-12-08 16:57:07 EAT; 42min ago
 Main PID: 779 (sssd)
    Tasks: 3 (limit: 5073)
   Memory: 60.6M
   CGroup: /system.slice/sssd.service
           ├─779 /usr/sbin/sssd -i --logger=files
           ├─800 /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
           └─801 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files

Test OpenLDAP Authentication via SSSD

Assuming that you have already created your OpenLDAP users and groups ( if not check our guide on setting up OpenLDAP server on CentOS 8), verify that you can login.

First, confirm that you can see your LDAP username on your system using id command.

id johndoe

You should get an entry similar to;

uid=1002(johndoe) gid=1002(johndoe) groups=1002(johndoe)

If you cant get the above output, be sure to check syslog logs as well as sssd logs. Otherwise, you can restart sssd;

systemctl restart sssd

Check user again using id command.

If all is well, Perform a local ssh authentication to test your LDAP authentication.

ssh -l johndoe localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:iMRNJQa8gU0t6fHx6nzmAU+ZygA/3J2BC6zzwzqfY4o.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
[email protected]'s password: 
[[email protected] ~]$ pwd

Verify that you got sudo rights.

First, if you have assigned the user sudo rights, you can check by running the command below on your OpenLDAP server. Replace the domain components accordingly.

export SUDOERS_BASE=ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldapsearch -b "$SUDOERS_BASE" -D cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com -W -x
# sudo, SUDOers,
dn: cn=sudo,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: top
objectClass: sudoRole
cn: sudo
sudoUser: johndoe
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

Next, on the client, try the sudo!

[[email protected] ~]$ sudo su -
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for johndoe: 
Last login: Sun Dec  8 22:49:47 EAT 2019 from on pts/0
[[email protected] ~]#

Well, there you go. You have successfully learnt how to configure SSSD for OpenLDAP Authentication on CentOS 8. If you have any thought about this guide, don’t hesitate to drop in comments section.

Other Related Tutorials

How to Create OpenLDAP Member Groups

Configure SSSD for OpenLDAP Client Authentication on Debian 10/9

Setup OpenLDAP Server with SSL/TLS on Debian 10

Install and Configure OpenLDAP server on Fedora 29

Configure OpenLDAP Client on Debian 9 Stretch

Install and Configure OpenLDAP Server on Debian 9 Stretch


  1. I’ve followed the instructions above, but somehow the authentication does not work (something about passwords ?)
    – I have all my users in the openldap server. All authenticate OK on Debian & Ubuntu ldap-based clients
    – The same users can be seen on the RH-based machines with ldap clients (in other words: id -a $USER shows results; ldapsearch -h $LDAPHOST etc etc with the UID of the user and his/her password works

    … but :
    – from the root account, I su – $USER_1, it’s fine, the home dir is created, and I switch to that user
    now from USER_1, I do su – $USER_2, the password gets rejected.
    – ssh [email protected]_ldap_client will also fail. Whatever the ldap user I try, it fails, but again, wouldn’t fail on Debian/Ubuntu-based boxes

    I suspect a password encryption scheme issue, but I’m no good on that regard. Any idea ?

    • Hi Gratton. Kindly tail (tail -f) LDAP server logs, (slapd.log,may be different in your case), and try to switch to user. You will find out what the issue.

  2. Hi koromicha,

    I performed both the ‘Install and Setup OpenLDAP on CentOS 8’ and this current guide ‘Configure SSSD for OpenLDAP Authentication on CentOS 8’. I finally got it going with a little digging, but something is missing: The user ‘John Doe’ never gets created. How is that supposed to happen?

    Thank you,


    • Hi Yvan,

      When you say user not getting created, you mean by SSSD, when run id command on the ldap client server? (if so, ensure that the client can connect to the LDAP server and restart SSSD service)
      Ensure that the users are already created and available on the LDAP database.

  3. Hi koromicha,

    The only time we see the ‘johndoe’ user is in your ‘OpenLDAP server install’, with the users.ldif file.
    There’s no ‘useradd johndoe’ anywhere, so how can the client get any reply from ‘id johndoe’?

    Thank you,

    • Hi Yvan,

      With OpenLDAP, you do not need to add local users to your system in which you want to enable LDAP authentication, hence no users added using useradd command.
      You need to add users to the LDAP directory database and then, for each specific system, you can use SSSD to enable specific users to login to that system.
      In our setup, the client has been configured to query LDAP database for user information hence, we run id johndoe, to query the details of the user Johndoe from LDAP, but not local system authenticaiton

  4. Hi koromicha,

    Ok, so I must have missed something. This is what my sssd status shows:
    ● sssd.service – System Security Services Daemon
    Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
    Active: active (running) since Sat 2021-01-09 10:45:56 EST; 1 day 2h ago
    Main PID: 25575 (sssd)
    Tasks: 6 (limit: 11412)
    Memory: 51.3M
    CGroup: /system.slice/sssd.service
    ├─25575 /usr/sbin/sssd -i –logger=files
    ├─25578 /usr/libexec/sssd/sssd_be –domain implicit_files –uid 0 –gid 0 –logger=files
    ├─25579 /usr/libexec/sssd/sssd_be –domain default –uid 0 –gid 0 –logger=files
    ├─25580 /usr/libexec/sssd/sssd_nss –uid 0 –gid 0 –logger=files
    ├─25581 /usr/libexec/sssd/sssd_pam –uid 0 –gid 0 –logger=files
    └─25582 /usr/libexec/sssd/sssd_sudo –uid 0 –gid 0 –logger=files

    Jan 09 10:45:55 centos8client systemd[1]: Starting System Security Services Daemon…
    Jan 09 10:45:55 centos8client sssd[25575]: Starting up
    Jan 09 10:45:55 centos8client be[implicit_files][25578]: Starting up
    Jan 09 10:45:55 centos8client be[default][25579]: Starting up
    Jan 09 10:45:56 centos8client sudo[25582]: Starting up
    Jan 09 10:45:56 centos8client nss[25580]: Starting up
    Jan 09 10:45:56 centos8client pam[25581]: Starting up
    Jan 09 10:45:56 centos8client systemd[1]: Started System Security Services Daemon.
    Jan 09 10:49:12 centos8client be[default][25579]: Backend is offline

    The following ldapsearch also returns nothing:
    ldapsearch -b “$SUDOERS_BASE” -D cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com -W -x

    Thank you,



Please enter your comment!
Please enter your name here