In this guide, we are going to learn how to configure SSSD for OpenLDAP client authentication on Debian 10/9. SSSD is an acronym for System Security Services Daemon, and it provides access to different identity and authentication providers.
SSSD allows a local service to check with a local cache in SSSD that can be taken from any remote identity providers such as OpenLDAP directory.
SSSD also caches users and credentials, such that if the local system or the identity provider goes offline, the user credentials are still available to services to verify.
Note that sssd does not support authentication over an unencrypted channel.
Hence, to proceed with this guide, you need to have configured OpenLDAP over SSL/TLS. Follow the link below;
Setup OpenLDAP Server with SSL/TLS on Debian 10
Configure SSSD for OpenLDAP Client Authentication on Debian 10/9
Run System Update
apt update
Install SSSD and Required Packages
Run the command below to install SSSD on Debian 10/Debian 9 and other required packages.
apt install sssd libpam-sss libnss-sss
Configure SSSD for OpenLDAP Authentication
Once the installation is done, proceed to configure SSSD for OpenLDAP authentication.
Create OpenLDAP Bind DN for Read Access
Before we can configure SSSD, we are going to create a read-only user on our LDAP server, which SSSD will bind as when it looks up and authenticates users.
Binding is the step where the LDAP server authenticates the client and, if the client is successfully authenticated, allows the client access to the LDAP server based on that client’s privileges.
The commands below are run on our OpenLDAP server.
Create OpenLDAP Server ReadOnly Bind User
Create the read-only user attributes LDIF file. In this case, we created the user called readonly.
vim ldap-readonly-user.ldif
dn: cn=readonly,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
cn: readonly
objectClass: simpleSecurityObject
objectClass: organizationalRole
Next, add the readonly user to the slapd database.
ldapadd -H ldapi:/// -f ldap-readonly-user.ldif -D "cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com" -W -x
Set the password for the readonly user created above.
ldappasswd -x -D "cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com" -W -S cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com
Create OpenLDAP Access Control Lists
Create the access control list for the read-only user created above. We are simply going to modify the existing OpenLDAP default ACLs.
vim readonly-user_access.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com" write by dn="cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com" read by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com" write by dn="cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com" read by self write by anonymous auth by * none
The readonly user created is allowed to view the attributes on the base DN, ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com.
To confirm the ACLs, run the command below
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}mdb)' olcAccess
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com" write by dn="cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com" read by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com" write by dn="cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com" read by self write by anonymous auth by * none
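To see what these three rules actually grant, here is an added Python evaluator (not part of the original guide) that applies slapd's first-matching what, first-matching by logic to the olcAccess values above for a given requester, entry and attribute. It confirms that anonymous gets auth on userPassword (what a user's simple bind needs) while readonly is granted read on the password hashes, which is more than an id_provider lookup requires; USER is an assumed entry DN for the mibeyam account.

```python
import re

ADMIN = "cn=admin,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com"
READONLY = "cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com"
USER = "uid=mibeyam,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com"  # assumed entry DN
# The three olcAccess values from readonly-user_access.ldif above, {0}..{2} in order
BY = f' by dn="{ADMIN}" write by dn="{READONLY}" read by self write by anonymous auth by * none'
ACLS = ["to attrs=userPassword,shadowLastChange" + BY, 'to dn.base="" by * read', "to *" + BY]


def parse_acl(acl):
    """Split one olcAccess value into its <what> selector and ordered (<who>, <level>) pairs."""
    what, rest = re.match(r"to\s+(.*?)\s+by\s+(.*)$", acl).groups()
    return what, re.findall(r'(dn="[^"]*"|self|anonymous|users|\*)\s+(\w+)', rest)


def selector_matches(what, entry_dn, attr):
    """Does the <what> part cover this entry/attribute? (only the slapd syntax used on this page)"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr is not None and attr.lower() in what[6:].lower().split(",")
    if what.startswith('dn.base="'):
        return entry_dn.lower() == what[9:-1].lower()
    return False


def access(requester, entry_dn, attr=None):
    """Access level slapd grants `requester` ("anonymous" or a bind DN) to `attr` of `entry_dn`:
    the first ACL whose <what> matches decides, and within it the first matching <by> clause."""
    for acl in ACLS:
        what, clauses = parse_acl(acl)
        if not selector_matches(what, entry_dn, attr):
            continue
        for who, level in clauses:
            if (who == "*"
                    or (who == "anonymous" and requester == "anonymous")
                    or (who == "users" and requester != "anonymous")
                    or (who == "self" and requester.lower() == entry_dn.lower())
                    or (who.startswith("dn=") and requester.lower() == who[4:-1].lower())):
                return level
        return "none"  # selector matched but no <by> clause did: slapd denies
    return "none"  # unreachable with these rules, since {2} is "to *"


if __name__ == "__main__":
    for who in ("anonymous", READONLY, USER):
        print(f"{who:>62} -> userPassword: {access(who, USER, 'userPassword'):5}  uid: {access(who, USER, 'uid')}")
```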
The next commands are run on the OpenLDAP Client.
Create SSSD Configuration File On LDAP Client
Create the SSSD configuration file under the /etc/sssd directory with the content below;
vim /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]
override_shell = /bin/bash

[pam]
offline_credentials_expiration = 60

[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldapmaster.kifarunix-demo.com
ldap_default_bind_dn = cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = hacker
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/ssl/openldap/certs/cacert.pem
ldap_tls_cacertdir = /etc/ssl/openldap/certs
ldap_search_timeout = 50
ldap_network_timeout = 60
access_provider = simple
ldap_access_filter = memberUid=uid=mibeyam,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com
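Two settings in this file deserve a second look: ldap_tls_reqcert = never tells SSSD to accept any server certificate, which removes the protection the CA certificate is copied for, and ldap_default_authtok stores the readonly bind password in clear text, which is why the chmod 600 step later in this guide matters. As an added example (not part of the original guide), this Python script audits an sssd.conf for those two points and the file's permission bits; PAGE_CONF is a constructed copy of the relevant lines above and FIXED_CONF the corrected variant with ldap_tls_reqcert = demand.

```python
import configparser

# Constructed sample: the lines of the sssd.conf above that govern TLS and the bind secret
PAGE_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
ldap_id_use_start_tls = True
ldap_uri = ldap://ldapmaster.kifarunix-demo.com
ldap_default_bind_dn = cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = hacker
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/ssl/openldap/certs/cacert.pem
"""
# Hardened variant: same file, but SSSD must validate the server certificate against the CA
FIXED_CONF = PAGE_CONF.replace("ldap_tls_reqcert = never", "ldap_tls_reqcert = demand")


def audit_sssd(text, mode=0o600):
    """Return a list of findings for an sssd.conf given as text. `mode` is the file's
    permission bits (e.g. os.stat(path).st_mode & 0o777), passed in so a string can be checked."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    findings = []
    if mode & 0o077:
        findings.append("sssd.conf is readable by group/other but holds ldap_default_authtok in clear text")
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        # ldap:// sends the bind password in clear unless StartTLS is forced; ldaps:// needs no flag
        uri = d.get("ldap_uri", "")
        starttls = d.get("ldap_id_use_start_tls", "false").lower() == "true"
        if uri.startswith("ldap://") and not starttls:
            findings.append(f"{section}: ldap:// URI without ldap_id_use_start_tls = True")
        # SSSD's default is "hard"; "never" and "allow" accept any server certificate,
        # which makes ldap_tls_cacert pointless and leaves the StartTLS session open to interception
        reqcert = d.get("ldap_tls_reqcert", "hard").lower()
        if reqcert in ("never", "allow"):
            findings.append(f"{section}: ldap_tls_reqcert = {reqcert} disables server certificate validation")
    return findings


if __name__ == "__main__":
    for name, conf in (("page", PAGE_CONF), ("fixed", FIXED_CONF)):
        print(name, audit_sssd(conf, mode=0o644) or "no findings")
```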
Ensure that the OpenLDAP server is reachable by hostname as defined in the SSSD configuration file. If you don’t have a DNS server, you can update the hosts file as shown below;
echo "192.168.56.105 ldapmaster.kifarunix-demo.com ldapmaster" >> /etc/hosts
Next, copy the OpenLDAP server CA certificate to the OpenLDAP client, into the directory specified by the ldap_tls_cacertdir option. If you have direct root access to the OpenLDAP server, simply copy it as follows.
Ensure the OpenLDAP certs directory exists. If not, create it.
[[ -d /etc/ssl/openldap/certs ]] || mkdir -p /etc/ssl/openldap/certs
Next, copy the CA certificate from OpenLDAP server
scp [email protected]:/etc/ssl/openldap/certs/cacert.pem /etc/ssl/openldap/certs/
Open /etc/ldap/ldap.conf and set the location of the CA certificate file copied from the OpenLDAP server.
vim /etc/ldap/ldap.conf
Set the value of TLS_CACERT to the path on the OpenLDAP client where the OpenLDAP server CA certificate copied above is stored.
...
# TLS certificates (needed for GnuTLS)
#TLS_CACERT /etc/ssl/certs/ca-certificates.crt
TLS_CACERT /etc/ssl/openldap/certs/cacert.pem
After that, restrict access to /etc/sssd/ so that only the owner (root) can read and write it.
chmod 600 -R /etc/sssd
Restart SSSD service
systemctl restart sssd
Check the status of SSSD to ensure that it is running.
systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-09-18 15:19:55 EDT; 5s ago
 Main PID: 10843 (sssd)
    Tasks: 4 (limit: 4915)
   CGroup: /system.slice/sssd.service
           ├─10843 /usr/sbin/sssd -i -f
           ├─10844 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain default --uid 0 --gid 0 --debug-to-files
           ├─10845 /usr/lib/x86_64-linux-gnu/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
           └─10846 /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files

Sep 18 15:19:54 debian systemd[1]: Starting System Security Services Daemon...
Sep 18 15:19:54 debian sssd[10843]: Starting up
Sep 18 15:19:55 debian sssd[be[10844]: Starting up
Sep 18 15:19:55 debian sssd[10845]: Starting up
Sep 18 15:19:55 debian sssd[10846]: Starting up
Sep 18 15:19:55 debian systemd[1]: Started System Security Services Daemon.
Verify that the LDAP user can be looked up using the id command. You should get the user and group ID of the user.
id mibeyam
uid=10000(mibeyam) gid=10000(mibeyam) groups=10000(mibeyam)
Next, configure the Pluggable Authentication Module (PAM) to automatically create the user's home directory on first login.
This can be done by editing the /etc/pam.d/common-session configuration file as follows;
vim /etc/pam.d/common-session
Add the line below just after the line that reads session optional pam_sss.so.
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
...
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_sss.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_systemd.so
# end of pam-auth-update config
Save and quit the configuration.
You can now login as the LDAP user, mibeyam in this case.
[email protected]:~# su - mibeyam
Creating directory '/home/mibeyam'.
[email protected]:~$
[email protected]:~$ whoami
mibeyam
[email protected]:~$ pwd
/home/mibeyam
[email protected]:~$
That brings us to the end of this guide on how to configure SSSD for OpenLDAP Client Authentication on Debian 10/9.
Hi, thanks for this nice article. For future readers it is missing a few details though, such as:
– userPassword: property needs to be set in the readonly ldif file or it won’t create the object
– readonly-user_access.ldif has to be pushed with (sudo) ldapmodify -h ldapi:/// -f xxx.ldif -D "cn=admin,dc=domain,dc=tld" -W -x
– ldap_default_authtok in sssd.conf is your actual readonly user password
Cheers
Thank you for the feedback Anon