In this guide, we are going to demonstrate how to configure SSSD for OpenLDAP Authentication on CentOS 8. In our previous guides, we have covered how to install and set up OpenLDAP on CentOS 8 as well as how to configure SUDO via OpenLDAP. See the links below;
Configure SSSD for OpenLDAP Authentication on CentOS 8
SSSD is an acronym for System Security Services Daemon. It provides access to different identity and authentication providers.
In this demo, we are using OpenLDAP as our directory as well as our identity management server.
Run system update
To update your system packages, execute the command below;
Install SSSD on CentOS 8
Once the system update is done, proceed to install SSSD and other SSSD tools.
dnf install sssd sssd-tools
Configure SSSD for OpenLDAP Authentication on CentOS 8
Next, configure SSSD to allow authentication to your local system via OpenLDAP.
SSSD doesn’t usually ship with any default configuration file. As such you need to create and configure it manually.
Paste the content below into the /etc/sssd/sssd.conf file. Be sure to make the relevant substitutions, replacing the domain components appropriately and setting ldap_default_authtok to the password of the read-only bind DN.
[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = default

[sudo]

[nss]

[pam]
offline_credentials_expiration = 60

[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://ldapmaster.kifarunix-demo.com
ldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = <password of the read-only bind DN>
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/cacert.crt
ldap_tls_cacertdir = /etc/pki/tls
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_sudo_search_base = ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
Save and quit the configuration file. Be sure to make the relevant changes accordingly.
Note that we have also configured our OpenLDAP server to provide sudo rights as shown by the configurations;
services = nss, pam, sudo
...
[sudo]
...
ldap_sudo_search_base = ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
If you are not using OpenLDAP for sudo rules, you can remove these configurations.
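The settings above are what stand between the client and a plaintext or unverified LDAP session, so it is worth checking them mechanically. The script below is an added example, not part of the original guide: it audits the [domain/...] section of an sssd.conf for STARTTLS on ldap:// URIs, certificate verification, a configured trust anchor and a non-empty access filter, using two constructed sample configs (one mirroring this guide, one weakened).

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the [domain/...] section of an
# sssd.conf for the TLS and access settings this guide relies on. The two sample
# configs are constructed; point check_sssd_conf at /etc/sssd/sssd.conf on a real host.
# Print "key=value" lines from the [domain/...] section with whitespace trimmed.
# Values (DNs, filters) may contain "=", so split only on the first one.
domain_settings() {
    awk '/^\[/ { in_domain = ($0 ~ /^\[domain\//); next }
         in_domain && index($0, "=") {
             i = index($0, "="); k = substr($0, 1, i - 1); v = substr($0, i + 1)
             gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
             print k "=" v }' "$1"
}
# Return 0 when the config enforces verified TLS and an access filter, 1 otherwise,
# printing one line per problem found.
check_sssd_conf() {
    settings=$(domain_settings "$1"); bad=0
    get() { printf '%s\n' "$settings" | sed -n "s/^$1=//p" | head -n 1; }
    starttls=$(get ldap_id_use_start_tls | tr 'A-Z' 'a-z')
    case "$(get ldap_uri)" in
        ldaps://*) ;;                                     # TLS from the first byte
        ldap://*)  [ "$starttls" = "true" ] ||
                       { echo "ldap:// without ldap_id_use_start_tls = True: plaintext LDAP"; bad=1; } ;;
        *)         echo "ldap_uri missing or not an ldap(s):// URI"; bad=1 ;;
    esac
    case "$(get ldap_tls_reqcert)" in
        demand|hard) ;;
        *) echo "ldap_tls_reqcert is not demand: server certificate goes unverified"; bad=1 ;;
    esac
    [ -n "$(get ldap_tls_cacert)$(get ldap_tls_cacertdir)" ] ||
        { echo "no ldap_tls_cacert/ldap_tls_cacertdir: no trust anchor to verify against"; bad=1; }
    if [ "$(get access_provider)" = "ldap" ] && [ -z "$(get ldap_access_filter)" ]; then
        echo "access_provider = ldap with empty ldap_access_filter: every LDAP user is allowed"; bad=1
    fi
    return $bad
}
tmp=$(mktemp -d)
GOOD_CONF="$tmp/good.conf"; WEAK_CONF="$tmp/weak.conf"
# Constructed sample mirroring this guide: STARTTLS over ldap://, CA pinned, posixAccount filter.
printf '%s\n' '[sssd]' 'domains = default' '[domain/default]' 'ldap_id_use_start_tls = True' \
    'ldap_uri = ldap://ldapmaster.kifarunix-demo.com' 'ldap_tls_reqcert = demand' \
    'ldap_tls_cacert = /etc/pki/tls/cacert.crt' 'access_provider = ldap' \
    'ldap_access_filter = (objectClass=posixAccount)' > "$GOOD_CONF"
# Constructed weak variant: plaintext ldap://, certificate never checked, no access filter.
printf '%s\n' '[domain/default]' 'ldap_uri = ldap://ldapmaster.kifarunix-demo.com' \
    'ldap_tls_reqcert = never' 'access_provider = ldap' > "$WEAK_CONF"
check_sssd_conf "$GOOD_CONF" && echo "good.conf: OK"; check_sssd_conf "$WEAK_CONF" || echo "weak.conf: FAIL"
```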
Next, download the OpenLDAP server CA certificate and store it in the file specified by the ldap_tls_cacert directive in the sssd.conf file above.
openssl s_client -connect ldapmaster.kifarunix-demo.com:636 -showcerts < /dev/null | openssl x509 -text
Copy the certificate block and paste it into that file, /etc/pki/tls/cacert.crt. Note that openssl x509 keeps only the first certificate the server presents; if the server uses a CA-signed certificate rather than a self-signed one, the CA certificate is the last block in the -showcerts output. Since this fetches the trust anchor from the very server you are about to trust, compare its fingerprint with the copy on the OpenLDAP server before saving it.
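To make the "first certificate versus CA certificate" distinction concrete, here is an added example (not code from the original guide) that splits the chain printed by openssl s_client -showcerts into one PEM file per certificate and selects the last block as the trust anchor. The chain text is constructed with placeholder bodies in place of real certificates.

```shell
#!/bin/sh
# Added example, not from the original guide: split the chain that
# "openssl s_client -showcerts" prints into one PEM file per certificate and pick
# the issuing CA, which is the LAST block; "openssl x509" alone keeps only the first
# (the server certificate). The chain text below is constructed, with placeholder
# bodies instead of real certificates.
# split_chain <s_client output> <outdir>: writes cert01.pem, cert02.pem, ... and
# prints how many certificates were found.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }' "$1"
}
# ca_cert_of <outdir>: path of the last certificate in the chain, the trust anchor
# to store at the ldap_tls_cacert path (after checking its fingerprint out of band).
ca_cert_of() { ls "$1"/cert*.pem | sort | tail -n 1; }
tmp=$(mktemp -d)
cat > "$tmp/chain.txt" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ldapmaster.kifarunix-demo.com
   i:CN = kifarunix-demo CA
-----BEGIN CERTIFICATE-----
constructed placeholder: server certificate body
-----END CERTIFICATE-----
 1 s:CN = kifarunix-demo CA
   i:CN = kifarunix-demo CA
-----BEGIN CERTIFICATE-----
constructed placeholder: CA certificate body
-----END CERTIFICATE-----
---
EOF
count=$(split_chain "$tmp/chain.txt" "$tmp")
echo "certificates presented: $count"
echo "store this one as the CA: $(ca_cert_of "$tmp")"
# On a real chain, print the fingerprint and compare it with the server's copy before trusting it:
#   openssl x509 -in "$(ca_cert_of "$tmp")" -noout -fingerprint -sha256
```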
Next, open the /etc/openldap/ldap.conf configuration file and configure it as follows;
Basically, you need to define the location of the CA certificate, the OpenLDAP search base, the URI and if you are providing SUDO via OpenLDAP, the SUDOers base.
BASE dc=ldapmaster,dc=kifarunix-demo,dc=com
URI ldaps://ldapmaster.kifarunix-demo.com:636
SUDOERS_BASE ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
...
TLS_CACERT /etc/pki/tls/cacert.crt
...
Save and quit the configuration file.
Configure Name Service Switch and PAM on CentOS 8
Next, you need to update the NSS and PAM to use SSSD to manage authentication resources.
In previous versions of CentOS, you would use tools like authconfig, but this has since been replaced by authselect. Authselect is a utility that simplifies the configuration of user authentication, especially when using SSSD for authentication.
Configure SSSD Profile
When used to select the SSSD profile, the authselect command modifies these files;
Therefore, make a backup of these files just in case things don't work out. Once you have backed up these files, remove them.
Create an SSSD profile. This command will succeed only if you have removed the files above.
authselect select sssd
Otherwise, you can overwrite the files by adding the --force option;
authselect select sssd --force
Backup stored at /var/lib/authselect/backups/2019-12-08-19-05-16.yMO4TA
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
Next, for the system to fetch sudo rights from SSSD/OpenLDAP, edit /etc/nsswitch.conf to include the line below.
sudoers: files sss
You can simply echo the line into the configuration file as shown below;
echo "sudoers: files sss" >> /etc/nsswitch.conf
Configure Automatic Home Directory Creation
To enable automatic home directory creation for a user upon first login, install oddjob-mkhomedir, which provides the pam_oddjob_mkhomedir module that creates the user's home directory at login time.
dnf install oddjob-mkhomedir
Start and enable oddjobd to run on system boot.
systemctl enable --now oddjobd
Next, add the pam_oddjob_mkhomedir module to the PAM auth file /etc/pam.d/system-auth to enable automatic home directory creation. Note that authselect manages this file and will overwrite manual edits the next time a profile is applied; the sssd profile's with-mkhomedir feature (authselect select sssd with-mkhomedir) is the supported way to enable the same module.
echo "session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/system-auth
systemctl restart oddjobd
Before you can start SSSD, check the configuration for typos and file permissions;
File ownership and permissions check failed. Expected root:root and 0600.
As per the check output, make root the owner of /etc/sssd and restrict read/write access to the owner only.
chown -R root: /etc/sssd
chmod 600 -R /etc/sssd
The configuration is now done. Start and enable SSSD to run on system boot.
systemctl enable --now sssd
Check the status.
systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2019-12-08 16:57:07 EAT; 42min ago
 Main PID: 779 (sssd)
    Tasks: 3 (limit: 5073)
   Memory: 60.6M
   CGroup: /system.slice/sssd.service
           ├─779 /usr/sbin/sssd -i --logger=files
           ├─800 /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
           └─801 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
Test OpenLDAP Authentication via SSSD
Assuming that you have already created your OpenLDAP users and groups (if not, check our guide on setting up an OpenLDAP server on CentOS 8), verify that you can log in.
First, confirm that the system can resolve your LDAP username.
You should get an entry similar to;
uid=1002(johndoe) gid=1002(johndoe) groups=1002(johndoe)
If you can't get the above output, be sure to check the syslog logs as well as the SSSD logs. Otherwise, you can restart SSSD;
systemctl restart sssd
Check the user again.
If all is well, perform a local SSH login to test your LDAP authentication.
ssh -l johndoe localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:iMRNJQa8gU0t6fHx6nzmAU+ZygA/3J2BC6zzwzqfY4o.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
johndoe@localhost's password:
[johndoe@localhost ~]$ pwd
/home/johndoe
Verify that you got sudo rights.
First, if you have assigned the user sudo rights, you can check by running the command below on your OpenLDAP server. Replace the domain components accordingly.
ldapsearch -b "$SUDOERS_BASE" -D cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com -W -x
...
# sudo, SUDOers, ldapmaster.kifarunix-demo.com
dn: cn=sudo,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
objectClass: top
objectClass: sudoRole
cn: sudo
sudoUser: johndoe
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
...
Next, on the client, try the sudo!
[johndoe@localhost ~]$ sudo su -
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for johndoe:
Last login: Sun Dec  8 22:49:47 EAT 2019 from 192.168.56.1 on pts/0
[root@localhost ~]#
Well, there you go. You have successfully learnt how to configure SSSD for OpenLDAP Authentication on CentOS 8. If you have any thoughts about this guide, don't hesitate to drop them in the comments section.