Configure SSSD for OpenLDAP Authentication on CentOS 8

0
560

In this guide, we are going to demonstrate how to configure SSSD for OpenLDAP Authentication on CentOS 8. In our previous guides, we have covered how to install and setup OpenLDAP on CentOS 8 as well how to configure SUDO via OpenLDAP. See the links below;

Install and Setup OpenLDAP on CentOS 8

How to Configure SUDO via OpenLDAP Server

Configure SSSD for OpenLDAP Authentication on CentOS 8

SSSD is an acronym for System Security Services Daemon. It provides access to different identity and authentication providers.

In this demo, we are using OpenLDAP as our directory as well identity management server.

Run system update

To update your system packages, execute the command below;

dnf update

Install SSSD on CentOS 8

Once the system update is done, proceed to install SSSD and other SSSD tools.

dnf install sssd sssd-tools

Configure SSSD for OpenLDAP Authentication

Next, configure SSSD to allow authentication to your local system via OpenLDAP.

SSSD doesn’t usually ship with any default configuration file. As such you need to create and configure it manually.

vim /etc/sssd/sssd.conf

Paste the content below into sssd.conf file. Be sure to make the relevant substitutions replacing your domain components appropriately.

[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = default

[sudo]

[nss]

[pam]
offline_credentials_expiration = 60

[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
sudo_provider = ldap
ldap_uri = ldaps://ldapmaster.kifarunix-demo.com:636
ldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = [email protected]
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/cacert.crt
ldap_tls_cacertdir = /etc/pki/tls
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_sudo_search_base = ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)

Save and quit the configuration files. Be sure to make relevant changes accordingly.

Note that we have also configured our OpenLDAP server to provide sudo rights to some specific users. Therefore the line below tells SSSD to fetch sudo rules from specific OpenLDAP search base.

ldap_sudo_search_base = ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com

If you are not using OpenLDAP for sudo rules, you can remove this line.

Next, download the OpenLDAP server CA certificate and store it on the file specified by the ldap_tls_cacert directive on the sssd.conf file above.

openssl s_client -connect ldapmaster.kifarunix-demo.com:636 -showcerts < /dev/null | openssl x509 -text

Copy the certificate and paste it on the /etc/pki/tls/cacert.crt.

vim /etc/pki/tls/cacert.crt
-----BEGIN CERTIFICATE-----
MIIFxzCCA6+gAwIBAgIUV+l4aOvMCLlNQRKOpt9YfxcxA8MwDQYJKoZIhvcNAQEL
BQAwczELMAkGA1UEBhMCS0UxEDAOBgNVBAgMB05haXJvYmkxDDAKBgNVBAcMA05h
...
...
5deiMlJkrYv7wZ0prq0QO5lduGBuD9UJvRa8LBV0GEAiHZL5PJOnREHObbAH907E
eixIJpkcC4wguMaXDNqIv6WGdQtRUyIP8tdByXYJGrbRW0K/K9qEaIZhJiAES1Qy
8U96RdYBpLvDctRch1kIfvnAVffTxmObAGI9n64O89p48kocJwNI/XQNRg==
-----END CERTIFICATE-----

Next, open the /etc/openldap/ldap.conf configuration file and configure it as follows;

vim /etc/openldap/ldap.conf

Basically, you need to define the location of the CA certificate, the OpenLDAP search base, the URI and if you are providing SUDO via OpenLDAP, the SUDOers base.

BASE    dc=ldapmaster,dc=kifarunix-demo,dc=com
URI     ldaps://ldapmaster.kifarunix-demo.com:636
SUDOERS_BASE    ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
...
...
TLS_CACERT      /etc/pki/tls/cacert.crt
...

Save and quit the configuration file.

Configure Name Service Switch and PAM on CentOS 8

Next, you need to update the NSS and PAM to use SSSD to manage authentication resources.

In previous versions of CentOS, you would use tools like authconfig but this has since been replaced by tools like authselect.

Authselect is a utility that simplifies the configuration of user authentication especially while using SSSD for authentication.

Configure SSSD Profile

Authselect command when used to create an SSSD profile, will basically modify these files;

  • /etc/pam.d/system-auth
  • /etc/pam.d/password-auth
  • /etc/pam.d/fingerprint-auth
  • /etc/pam.d/smartcard-auth
  • /etc/pam.d/postlogin
  • /etc/nsswitch.conf

Therefore, make a back up of these files just in case things don’t work out. Once you have backed up these files, remove them.

Create an SSSD profile. This command will succeed only of you have removed the files above.

authselect select sssd

Otherwise, you can overwrite the files by adding the --force option.

authselect select sssd --force
Backup stored at /var/lib/authselect/backups/2019-12-08-19-05-16.yMO4TA
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

Next, for the system to fetch sudo rights from SSSD/OpenLDAP, edit the /etc/nsswitch.conf to include the line below.

sudoers:    files sss

You can simply echo the line into the configuration file as shown below;

echo "sudoers:    files sss" >> /etc/nsswitch.conf

Configure Automatic Home Directory Creation

To enable automatic home directory creation for user upon first login, you need to install the oddjob-mkhomedir, which provides the pam_oddjob_mkhomedir module to create a home directory for a user at login-time.

dnf install oddjob-mkhomedir

Start and enable dnf install oddjobd to run on system boot.

systemctl enable --now oddjobd

Load the pam_oddjob_mkhomedir module in PAM auth file /etc/pam.d/system-auth to enable auto home directory creation.

echo "session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/system-auth

Restart oddjobd.

systemctl restart oddjobd

After all that, set the read/write access to /etc/sssd/ for the owner (root).

chmod 600 -R /etc/sssd

Running SSSD

The configuration is now done. Start and enable SSSD to run on system boot.

systemctl enable --now sssd

Check the status.

systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-12-08 16:57:07 EAT; 42min ago
 Main PID: 779 (sssd)
    Tasks: 3 (limit: 5073)
   Memory: 60.6M
   CGroup: /system.slice/sssd.service
           ├─779 /usr/sbin/sssd -i --logger=files
           ├─800 /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
           └─801 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files

Test OpenLDAP Authentication via SSSD

Assuming that you have already created your OpenLDAP users and groups ( if not check our guide on setting up OpenLDAP server on CentOS 8), verify that you can login.

Perform a local ssh authentication

ssh -l johndoe localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:iMRNJQa8gU0t6fHx6nzmAU+ZygA/3J2BC6zzwzqfY4o.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
[email protected]'s password: 
[[email protected] ~]$ pwd
/home/johndoe

Verify that you got sudo rights.

First, if you have assigned the user sudo rights, you can check by running the command below on your OpenLDAP server. Replace the domain components accordingly.

export SUDOERS_BASE=ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldapsearch -b "$SUDOERS_BASE" -D cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com -W -x
...
# sudo, SUDOers, ldapmaster.kifarunix-demo.com
dn: cn=sudo,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: top
objectClass: sudoRole
cn: sudo
sudoUser: johndoe
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
...
[[email protected] ~]$ sudo su -
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for johndoe: 
Last login: Sun Dec  8 22:49:47 EAT 2019 from 192.168.56.1 on pts/0
[[email protected] ~]#

Well, there you go. You have successfully learnt how to configure SSSD for OpenLDAP Authentication on CentOS 8. If you have any thought about this guide, don’t hesitate to drop in comments section.

Other Related Tutorials

How to Create OpenLDAP Member Groups

Configure SSSD for OpenLDAP Client Authentication on Debian 10/9

Setup OpenLDAP Server with SSL/TLS on Debian 10

Install and Configure OpenLDAP server on Fedora 29

Configure OpenLDAP Client on Debian 9 Stretch

Install and Configure OpenLDAP Server on Debian 9 Stretch

LEAVE A REPLY

Please enter your comment!
Please enter your name here