In this guide, we are going to learn how to configure SSSD for OpenLDAP client authentication on Debian 12/11/10/9. SSSD is an acronym for System Security Services Daemon, and it is used to provide access to different identity and authentication providers.
Why SSSD?
- Support for multiple authentication mechanisms: SSSD lets a local service consult a local cache maintained by SSSD, which is populated from a remote identity provider such as an OpenLDAP directory.
- Improved performance: SSSD also caches users and credentials, such that if the local system or the identity provider goes offline, the user credentials are still available to services to verify. This can also reduce the load on the identity server.
- Increased Security: SSSD works only over an encrypted channel, which is a plus when it comes to LDAP user account security.
- Scalability and Flexibility: OpenLDAP, combined with SSSD, offers scalability and flexibility for growing environments. You can easily add or remove user accounts, manage user attributes, and adjust access permissions across multiple systems simultaneously, without the need to configure each system individually.
Hence, to proceed with this guide, you need to have configured OpenLDAP over SSL/TLS.
Check our guides on how to install and set up an OpenLDAP server with SSL/TLS.
Configure SSSD for OpenLDAP Client Authentication on Debian 12/11/10/9
Configure OpenLDAP Server BIND DN for Read Access
Create OpenLDAP ReadOnly BIND DN
Before you can configure SSSD for OpenLDAP client authentication, you need to create a read-only user on the LDAP server that SSSD will bind as when it looks up authenticating users.
Binding is the step where the LDAP server authenticates the client and, if the client is successfully authenticated, allows the client access to the LDAP server based on that client’s privileges.
If you don't already have a read-only BIND DN set up on your OpenLDAP server, run the commands below on the OpenLDAP server.
Create the read-only user's attributes in an LDIF file. In this case, we create a BIND user called readonly. Replace the domain names accordingly.
cat > ldap-readonly-user.ldif << 'EOL'
dn: cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com
cn: readonly
objectClass: simpleSecurityObject
objectClass: organizationalRole
# simpleSecurityObject requires userPassword, so ldapadd rejects the entry without it;
# this placeholder is overwritten by the ldappasswd step below
userPassword: CHANGE_ME
EOL
Next, add the readonly user to slapd database.
ldapadd -H ldapi:/// -f ldap-readonly-user.ldif \
  -D "cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com" -W -x
Set the password for the readonly user created above.
ldappasswd -x -D "cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com" \
  -W -S cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com
Create OpenLDAP Access Control Lists
Similarly, if you don't already have ACLs in place, create the Access control list for the read-only user BIND DN created above. We are simply going to modify the existing OpenLDAP default ACLs.
cat > readonly-user_access.ldif << 'EOL'
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
by dn="cn=admin,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com" write
by dn="cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com" read
by self write
by anonymous auth
by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to *
by dn="cn=admin,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com" write
by dn="cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com" read
by self write
by anonymous auth
by * none
EOL
The readonly user is allowed to read entries under the base DN, ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com.
Note that ACL {0} also grants the readonly DN read access to userPassword and shadowLastChange. SSSD authenticates users by binding as them, so that read grant is not needed for login and can be dropped if you do not want the bind account to see password hashes.
The LDIF above only takes effect once it has been loaded into cn=config with ldapmodify. To confirm the ACLs, run the command below
ldapsearch -Q -LLL -Y EXTERNAL \
  -H ldapi:/// -b cn=config '(olcDatabase={1}mdb)' olcAccess
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com" write by dn="cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com" read by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com" write by dn="cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com" read by self write by anonymous auth by * none
Configure SSSD for OpenLDAP Client Authentication
The next commands are run on the OpenLDAP Client.
Run System Update
Update system package cache;
apt update
Install SSSD and Required Packages
Run the command below to install SSSD on Debian 12/11/10/9 and other required packages.
apt install sssd libpam-sss libnss-sss sssd-tools libsss-sudo
Once the installation is done, proceed to configure SSSD for OpenLDAP client authentication.
Create SSSD Configuration File On LDAP Client
Create the SSSD configuration file under the /etc/sssd directory with the content below.
Replace the domain names accordingly.
Ensure that the OpenLDAP server is reachable by the hostname used in the SSSD configuration file.
Replace the BIND password (BIND_PASS) with the password of the readonly user created above.
cat > /etc/sssd/sssd.conf << 'EOF'
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[nss]
override_shell = /bin/bash
[pam]
offline_credentials_expiration = 60
[domain/default]
# with a plain ldap:// URI, this upgrades the connection with STARTTLS before any bind
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldapmaster.kifarunix-demo.com
ldap_default_bind_dn = cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com
# replace BIND_PASS with the readonly user's password; this is why the file must be mode 0600
ldap_default_authtok = BIND_PASS
# never skips server certificate verification; change to demand once the CA cert below is in place
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/ssl/openldap/certs/cacert.pem
ldap_tls_cacertdir = /etc/ssl/openldap/certs
ldap_search_timeout = 50
ldap_network_timeout = 60
# ldap_access_filter is only evaluated when access_provider = ldap
access_provider = simple
ldap_access_filter = memberUid=uid=johndoe,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com
EOF
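As an added check (example script, not from the guide or the SSSD project), the following audits the domain section of an sssd.conf for the three settings in the file above that deserve attention: ldap_tls_reqcert = never, a plain ldap:// URI without STARTTLS, and an ldap_access_filter that is silently ignored unless access_provider = ldap. The helper names are assumptions, and the sample configs are constructed inside the script.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the [domain/...] section
# of an sssd.conf for weak settings. Helper names are hypothetical; sample configs
# are constructed inline. On a real client, point sssd_audit at /etc/sssd/sssd.conf.
# Print the value of key $2 from the [domain/...] section of file $1.
sssd_get() {
  awk -v key="$2" '
    /^[[:space:]]*[#;]/ { next }                          # skip comment lines
    /^\[/ { insec = (index($0, "[domain/") == 1); next }   # track the domain section
    insec && index($0, "=") {
      k = $0; sub(/[[:space:]]*=.*/, "", k); sub(/^[[:space:]]*/, "", k)
      if (k == key) { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
    }' "$1"
}
# Print one line per finding; return 0 when the section is clean, 1 otherwise.
sssd_audit() {
  n=0
  case "$(sssd_get "$1" ldap_tls_reqcert)" in
    never|allow) echo "ldap_tls_reqcert: server certificate is not verified; set it to demand"; n=$((n+1)) ;;
  esac
  uri=$(sssd_get "$1" ldap_uri)
  tls=$(sssd_get "$1" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
  case "$uri" in
    ldaps://*) ;;
    *) [ "$tls" = true ] || { echo "ldap_uri=$uri without ldap_id_use_start_tls: clear-text LDAP"; n=$((n+1)); } ;;
  esac
  if [ -n "$(sssd_get "$1" ldap_access_filter)" ] && [ "$(sssd_get "$1" access_provider)" != ldap ]; then
    echo "ldap_access_filter is ignored unless access_provider = ldap"; n=$((n+1))
  fi
  [ "$n" -eq 0 ]
}
# Constructed sample ($1=weak mirrors the guide's settings, $1=hardened the corrected copy); prints its path.
write_sample() {
  f=$(mktemp)
  cat > "$f" <<EOF
[sssd]
domains = default
[domain/default]
id_provider = ldap
ldap_uri = ldap://ldapmaster.kifarunix-demo.com
ldap_id_use_start_tls = True
ldap_tls_reqcert = $([ "$1" = weak ] && echo never || echo demand)
access_provider = $([ "$1" = weak ] && echo simple || echo ldap)
ldap_access_filter = (uid=johndoe)
EOF
  echo "$f"
}
sssd_audit "$(write_sample weak)" || echo "weak sample: two findings listed above"
```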
If you don't have a DNS server, you can update the hosts file. For example
echo "192.168.56.103 ldapmaster.kifarunix-demo.com ldapmaster" >> /etc/hosts
Next, copy the OpenLDAP server CA certificate to the OpenLDAP client, into the directory specified by the ldap_tls_cacertdir option. If you have direct root access to the OpenLDAP server, simply copy the file over.
Ensure the OpenLDAP certs directory exists on the client. If not, create it.
[[ -d /etc/ssl/openldap/certs ]] || mkdir -p /etc/ssl/openldap/certs
Alternatively, you can download the certificate from the LDAP server. Replace the address accordingly.
Note that this command keeps the first certificate the server presents, fetched over a connection that cannot yet be verified: it is the CA certificate only when the server uses a self-signed certificate, so compare its fingerprint with the copy on the server before trusting it.
openssl s_client -connect ldapmaster.kifarunix-demo.com:389 \
  -showcerts -starttls ldap </dev/null 2>/dev/null | openssl x509 -outform PEM > /etc/ssl/openldap/certs/cacert.pem
Open /etc/ldap/ldap.conf and set the location of the CA certificate file copied from the OpenLDAP server.
vim /etc/ldap/ldap.conf
Set the value of TLS_CACERT to the path of the OpenLDAP server CA certificate copied above, as stored on the OpenLDAP client.
...
# TLS certificates (needed for GnuTLS)
#TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_CACERT /etc/ssl/openldap/certs/cacert.pem
After that, restrict /etc/sssd so that only the owner (root) has read/write access.
chmod 600 -R /etc/sssd
Restart SSSD service
systemctl restart sssd
Check the status of SSSD to ensure that it is running.
systemctl status sssd
● sssd.service - System Security Services Daemon
Loaded: loaded (/lib/systemd/system/sssd.service; enabled; preset: enabled)
Active: active (running) since Fri 2023-07-07 20:39:33 CEST; 2s ago
Main PID: 4316 (sssd)
Tasks: 4 (limit: 2284)
Memory: 44.4M
CPU: 162ms
CGroup: /system.slice/sssd.service
├─4316 /usr/sbin/sssd -i --logger=files
├─4317 /usr/libexec/sssd/sssd_be --domain default --uid 0 --gid 0 --logger=files
├─4318 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
└─4319 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
Jul 07 20:39:33 bookworm systemd[1]: Starting sssd.service - System Security Services Daemon...
Jul 07 20:39:33 bookworm sssd[4316]: Starting up
Jul 07 20:39:33 bookworm sssd_be[4317]: Starting up
Jul 07 20:39:33 bookworm sssd_pam[4319]: Starting up
Jul 07 20:39:33 bookworm sssd_nss[4318]: Starting up
Jul 07 20:39:33 bookworm systemd[1]: Started sssd.service - System Security Services Daemon.
Configure Automatic Home Creation for OpenLDAP Users
Next, configure Pluggable Authentication Module (PAM) to automatically create a user's home directory on first login.
This can be done by editing the /etc/pam.d/common-session configuration file as follows;
vim /etc/pam.d/common-session
Add the line below just after the line, session optional pam_sss.so.
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
...
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_sss.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_systemd.so
# end of pam-auth-update config
Save and quit the configuration.
Verify OpenLDAP Authentication using SSSD
Verify that the LDAP user can be resolved with the id command. You should get the user's UID and GID.
id johndoe
uid=10000(johndoe) gid=10000(johndoe) groups=10000(johndoe)
You can now log in as the LDAP user, johndoe in this case.
root@bookworm:~# su - johndoe
Creating directory '/home/johndoe'.
johndoe@bookworm:~$
johndoe@bookworm:~$ whoami
johndoe
johndoe@bookworm:~$ pwd
/home/johndoe
johndoe@bookworm:~$
That marks the end of our guide on how to configure SSSD for OpenLDAP client authentication on Debian 12/11/10/9.
Hi, thanks for this nice article. For future readers it is missing a few details though, such as:
– userPassword: property needs to be set in the readonly ldif file or it won’t create the object
– readonly-user_access.ldif has to be pushed with (sudo) ldapmodify -h ldapi:/// -f xxx.ldif -D "cn=admin,dc=domain,dc=tld" -W -x
– ldap_default_authtok in sssd.conf is your actual readonly user password
Cheers
Thank you for the feedback Anon