Configure SSSD for OpenLDAP Client Authentication on Debian 10/9


In this guide, we are going to learn how to configure SSSD for OpenLDAP client authentication on Debian 10/9. SSSD is an acronym for System Security Services Daemon; it gives a Linux host access to different identity and authentication providers through a single local daemon.

With SSSD, local services (NSS lookups and PAM authentication) query a local cache that SSSD keeps up to date from a remote identity provider such as an OpenLDAP directory.

SSSD also caches users and, optionally, their credentials, so that if the identity provider becomes unreachable, previously seen users can still be resolved and authenticated on the client.

Note that SSSD does not support authentication over an unencrypted channel. Hence, to proceed with this guide, you need to have configured OpenLDAP over SSL/TLS. Follow the link below;

Setup OpenLDAP Server with SSL/TLS on Debian 10

Configure SSSD for OpenLDAP Client Authentication on Debian 10/9

Run System Update

apt update

Install SSSD and Required Packages

Run the command below to install SSSD and the NSS and PAM modules it needs on Debian 10/Debian 9.

apt install sssd libpam-sss libnss-sss

Configure SSSD for OpenLDAP Authentication

Once the installation is done, proceed to configure SSSD for OpenLDAP authentication.

Create OpenLDAP Bind DN for Read Access

Before we can configure SSSD, we are going to create a read-only account on our LDAP server. SSSD binds with this account when it looks up users and groups; the users themselves authenticate by binding with their own DN and password.

Binding is the step where the LDAP server authenticates the client and, if the client is successfully authenticated, allows the client access to the LDAP server based on that client's privileges.

The commands below are run on our OpenLDAP server.

Create OpenLDAP Server ReadOnly Bind User

Create the read-only user attributes LDIF file. In this case, we created the user called readonly. The simpleSecurityObject object class requires a userPassword attribute, so the entry is created with a placeholder password that is replaced in the next step; without it ldapadd rejects the entry.

vim ldap-readonly-user.ldif
dn: cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com
cn: readonly
objectClass: simpleSecurityObject
objectClass: organizationalRole
userPassword: ChangeMeNow

Next, add the readonly user to slapd database.

ldapadd -H ldapi:/// -f ldap-readonly-user.ldif -D "cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com" -W -x

Set the real password for the readonly user created above. The -S option prompts for the new password, and the server stores it hashed.

ldappasswd -x -D "cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com" -W -S cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com

Create OpenLDAP Access Control Lists

Create the access control list that gives the read-only account what SSSD needs and nothing more. We are simply going to replace the OpenLDAP default ACLs on the {1}mdb database. Note that cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com is the database rootDN (the same DN used with ldapadd above); the rootDN bypasses ACLs anyway, so its clauses below only make the intent explicit.

vim readonly-user_access.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com" write
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to *
  by dn="cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com" write
  by dn="cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com" read
  by self read
  by anonymous auth
  by * none

Apply the change to the running configuration over the local socket:

ldapmodify -Y EXTERNAL -H ldapi:/// -f readonly-user_access.ldif

Two things to notice in these rules. The readonly account can read every entry under dc=ldapmaster,dc=kifarunix-demo,dc=com (rule {2}), which is all SSSD needs for user and group lookups, but it gets no access to userPassword and shadowLastChange (rule {0} ends in "by * none"): SSSD authenticates users by binding as them, so the bind account never needs the password hashes. Users keep "by self write" on their own password so they can change it, but only "by self read" on the rest of their entry; with "by self write" on "to *", a user could rewrite their own uidNumber or gidNumber and take over another account on every client that trusts the directory. "by anonymous auth" on userPassword is what allows a simple bind, including the readonly account's own bind, to be verified.

To confirm the ACLs, run the command below

ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase={1}mdb)' olcAccess
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=ldapma
 ster,dc=kifarunix-demo,dc=com" write by self write by anonymous auth by * non
 e
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com" wri
 te by dn="cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com" read 
 by self read by anonymous auth by * none

The next commands are run on the OpenLDAP client.

Create SSSD Configuration File On LDAP Client

Create the SSSD configuration file under the /etc/sssd directory with the content below. Replace the search base, server hostname, CA certificate path and user name with yours;

vim /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]
override_shell = /bin/bash

[pam]
offline_credentials_expiration = 60

[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldapmaster.kifarunix-demo.com
ldap_default_bind_dn = cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = readonly-bind-password
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/openldap/certs/cacert.pem
ldap_tls_cacertdir = /etc/ssl/openldap/certs
ldap_search_timeout = 50
ldap_network_timeout = 60
access_provider = simple
simple_allow_users = mibeyam

A few of these settings deserve an explanation.

ldap_default_authtok is the password of the readonly bind account, exactly as set with ldappasswd on the server. It sits in the file in clear text, which is why the file is restricted to root further below.

ldap_tls_reqcert = demand makes SSSD verify the server certificate against ldap_tls_cacert and refuse to talk to anything it cannot verify. Do not set it to never: that switches certificate checking off entirely, so any host able to answer for ldapmaster.kifarunix-demo.com could collect the bind password and every user password sent to it. The CA certificate the check needs is copied to the client in the next step.

ldap_uri = ldap:// together with ldap_id_use_start_tls = True upgrades the connection with STARTTLS before any credentials are sent. SSSD refuses to send passwords over an unencrypted connection, so without this the authentication step fails.

access_provider = simple restricts logins on this client to the users listed in simple_allow_users (here mibeyam); other directory users still resolve with id but cannot log in. ldap_access_filter is only consulted when access_provider = ldap, so combining it with the simple provider has no effect.
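Most problems in an SSSD/LDAP setup come down to a single wrong line in sssd.conf, so here is an added example (my own, not from the article or the SSSD project) that audits the file for the points made in this section: a plain ldap:// URI without STARTTLS, certificate verification switched off with ldap_tls_reqcert, an ldap_access_filter that the simple access provider ignores, and a bind password in a file that is not mode 0600. The option names are real SSSD options; the findings text and the demo_audit sample file are this example's own, and the sample reproduces the weak values rather than any real system.

```shell
#!/bin/sh
# Added example, not from the original article or the SSSD project: audit an
# sssd.conf for the LDAP settings discussed above. Option names are real SSSD
# options (sssd-ldap(5), sssd-simple(5)); everything else here is this
# example's own.

# Print the value of one key from the [domain/...] section of an sssd.conf
# (nothing if absent). Values may themselves contain "=" (DNs do), so the
# key is taken from the first "=" only. Comments and other sections are
# skipped.
sssd_get() {   # $1 = file, $2 = key
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { insec = ($0 ~ /^[ \t]*\[domain\//); next }
        insec {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Print one finding per line; the return value is the number of findings,
# so 0 means the file passed.
audit_sssd_conf() {   # $1 = path to sssd.conf
    f="$1"; n=0
    uri=$(sssd_get "$f" ldap_uri)
    starttls=$(lower "$(sssd_get "$f" ldap_id_use_start_tls)")
    reqcert=$(lower "$(sssd_get "$f" ldap_tls_reqcert)")
    access=$(sssd_get "$f" access_provider)
    filter=$(sssd_get "$f" ldap_access_filter)
    authtok=$(sssd_get "$f" ldap_default_authtok)

    # 1. ldap:// without STARTTLS: lookups and the bind password would cross
    #    the wire in clear, and SSSD refuses to authenticate users that way.
    case "$uri" in
        ldaps://*) ;;
        ldap://*)  [ "$starttls" = "true" ] ||
                       { echo "ldap_uri is ldap:// but ldap_id_use_start_tls is not True"; n=$((n+1)); } ;;
        *)         echo "ldap_uri missing or not an ldap:// / ldaps:// URI"; n=$((n+1)) ;;
    esac

    # 2. never/allow skip server certificate verification: any host that can
    #    answer for the server name can harvest the bind and user passwords.
    case "$reqcert" in
        never|allow) echo "ldap_tls_reqcert = $reqcert disables certificate verification; use demand"; n=$((n+1)) ;;
    esac

    # 3. ldap_access_filter is only honoured by access_provider = ldap.
    if [ "$access" = "simple" ] && [ -n "$filter" ]; then
        echo "ldap_access_filter is ignored with access_provider = simple; use simple_allow_users"; n=$((n+1))
    fi

    # 4. A clear-text bind password in the file means the file must be 0600.
    if [ -n "$authtok" ]; then
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        [ "$mode" = "600" ] || { echo "ldap_default_authtok is set but $f is mode $mode, not 600"; n=$((n+1)); }
    fi
    return $n
}

# Stand-alone demo on a constructed file that reproduces the weak settings
# (not copied from any real system); returns the finding count, 3.
demo_audit() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
[sssd]
domains = default

[domain/default]
ldap_id_use_start_tls = True
ldap_uri = ldap://ldapmaster.kifarunix-demo.com
ldap_default_bind_dn = cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = hacker
ldap_tls_reqcert = never
access_provider = simple
ldap_access_filter = memberUid=uid=mibeyam,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com
EOF
    chmod 644 "$tmp"
    audit_sssd_conf "$tmp"; n=$?
    rm -f "$tmp"
    return $n
}

[ "${1:-}" = "--demo" ] && demo_audit
```

Save it as sssd-audit.sh and run sh sssd-audit.sh --demo to see the three findings for the weak sample, or source it and call audit_sssd_conf /etc/sssd/sssd.conf against the real file; a non-zero exit status is the number of problems found, which makes it easy to wire into a configuration-management check.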

Ensure that the OpenLDAP server is reachable by the hostname used in ldap_uri; that name must also match the one in the server certificate, or the ldap_tls_reqcert check will fail. If you don't have a DNS server, you can update the hosts file as shown below;

echo "192.168.56.105 ldapmaster.kifarunix-demo.com ldapmaster" >> /etc/hosts

Next, copy the OpenLDAP server CA certificate to the client, into the file named by the ldap_tls_cacert option (inside the directory named by ldap_tls_cacertdir). If you have root access to the OpenLDAP server, simply copy it as follows.

Ensure the OpenLDAP certs directory exists. If not, create it.

[[ -d /etc/ssl/openldap/certs ]] || mkdir -p /etc/ssl/openldap/certs

Next, copy the CA certificate from the OpenLDAP server. Only the CA certificate is needed on the client; the server's private key never leaves the server.

scp root@ldapmaster.kifarunix-demo.com:/etc/ssl/openldap/certs/cacert.pem /etc/ssl/openldap/certs/

Open the /etc/ldap/ldap.conf and set the location of the CA certificate file copied from the OpenLDAP server.

vim /etc/ldap/ldap.conf

Replace the value of TLS_CACERT with the path of the CA certificate file copied above, so that the command-line LDAP tools on the client verify the server certificate the same way SSSD does.

...
# TLS certificates (needed for GnuTLS)
#TLS_CACERT     /etc/ssl/certs/ca-certificates.crt
TLS_CACERT      /etc/ssl/openldap/certs/cacert.pem

After that, make sure the configuration file is owned by root and readable by root only. SSSD refuses to start if sssd.conf has looser permissions, and the file holds the readonly bind password in clear text.

chown root:root /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf

Restart SSSD service

systemctl restart sssd

Check the status of SSSD to ensure that it is running.

systemctl status sssd
● sssd.service - System Security Services Daemon
   Loaded: loaded (/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-09-18 15:19:55 EDT; 5s ago
 Main PID: 10843 (sssd)
    Tasks: 4 (limit: 4915)
   CGroup: /system.slice/sssd.service
           ├─10843 /usr/sbin/sssd -i -f
           ├─10844 /usr/lib/x86_64-linux-gnu/sssd/sssd_be --domain default --uid 0 --gid 0 --debug-to-files
           ├─10845 /usr/lib/x86_64-linux-gnu/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
           └─10846 /usr/lib/x86_64-linux-gnu/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files

Sep 18 15:19:54 debian systemd[1]: Starting System Security Services Daemon...
Sep 18 15:19:54 debian sssd[10843]: Starting up
Sep 18 15:19:55 debian sssd[be[10844]: Starting up
Sep 18 15:19:55 debian sssd[10845]: Starting up
Sep 18 15:19:55 debian sssd[10846]: Starting up
Sep 18 15:19:55 debian systemd[1]: Started System Security Services Daemon.

Verify that the LDAP user can be resolved through SSSD using the id command. You should get the user and group IDs of the user. If this fails, check the SSSD logs under /var/log/sssd/ before going further.

id mibeyam
uid=10000(mibeyam) gid=10000(mibeyam) groups=10000(mibeyam)

Next, configure Pluggable Authentication Module (PAM) to create the user's home directory automatically on first login.

This can be done by editing the /etc/pam.d/common-session configuration file as follows;

vim /etc/pam.d/common-session

Add the line below just after the line, session optional pam_sss.so.

session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
...
# since the modules above will each just jump around
session required pam_permit.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so 
session optional pam_sss.so 
session required        pam_mkhomedir.so skel=/etc/skel/ umask=0022
session optional pam_systemd.so 
# end of pam-auth-update config

Save and quit the configuration. Note that this part of common-session (between the per-package comment and "end of pam-auth-update config") is regenerated by pam-auth-update whenever a PAM profile is enabled or disabled, so a hand-added line can disappear later; enabling the mkhomedir profile through pam-auth-update instead makes the change persistent.

You can now log in as the LDAP user, mibeyam in this case. Note that su from root does not ask for a password, so this exercises the NSS lookup and the session (home directory creation) but not the LDAP bind itself; to test the password path, log in over SSH or run su - mibeyam from an unprivileged account.

root@debian:~# su - mibeyam
Creating directory '/home/mibeyam'.
mibeyam@debian:~$
mibeyam@debian:~$ whoami
mibeyam
mibeyam@debian:~$ pwd
/home/mibeyam
mibeyam@debian:~$

That concludes this guide on configuring SSSD for OpenLDAP client authentication on Debian 10/9.

Related Tutorials

Install and Configure OpenLDAP server on Fedora 29

Configure OpenLDAP Client on Debian 9 Stretch

Install and Configure OpenLDAP Server on Debian 9 Stretch

How to Install FreeIPA Server on Fedora 29/Fedora 28/CentOS 7

2 COMMENTS

  1. Hi, thanks for this nice article. For future readers it is missing a few details tho, such as:
    – userPassword: property needs to be set in the readonly ldif file or it won’t create the object
    – readonly-user_access.ldif has to be pushed with (sudo) ldapmodify -h ldapi:/// -f xxx.ldif -D “cn=admin,dc=domain,dc=tld” -W -x
    – ldap_default_authtok in sssd.conf is your actual readonly user password
    Cheers
