Configure SSSD for OpenLDAP Client Authentication on Debian 12/11/10/9

Last Updated:

In this guide, we are going to learn how to configure SSSD for OpenLDAP client authentication on Debian 12/11/10/9. SSSD is an acronym for System Security Services Daemon and it is used to provides access to different identity and authentication providers.


  • Support for multiple authentication mechanisms: SSSD allows a local service to check with a local cache in SSSD that can be taken from any remote identity providers such as OpenLDAP directory.
  • Improved performance: SSSD also caches users and credentials, such that if the local system or the identity provider goes offline, the user credentials are still available to services to verify. This can also reduce the load on the identity server. 
  • Increased Security: SSSD works only over an encrypted channel, which is a plus when it comes to LDAP user account security.
  • Scalability and Flexibility: OpenLDAP, combined with SSSD, offers scalability and flexibility for growing environments. You can easily add or remove user accounts, manage user attributes, and adjust access permissions across multiple systems simultaneously, without the need to configure each system individually.

Hence, to proceed with this guide, you need to have configured OpenLDAP over SSL/TLS.

Check our guides on how to install setup OpenLDAP server with SSL/TLS.

Configure SSSD for OpenLDAP Client Authentication on Debian 12/11/10/9

Configure OpenLDAP Server BIND DN for Read Access

Create OpenLDAP ReadOnly BIND DN

Before you can configure SSSD for OpenLDAP client authentication, you need to create a read only user on our LDAP server to which we can bind authenticating users.

Binding is the step where the LDAP server authenticates the client and, if the client is successfully authenticated, allows the client access to the LDAP server based on that client’s privileges.

If you don’t already have Read BIND DN set on your OpenLDAP server, then proceed to run the commands below the OpenLDAP server.

Create the read only user attributes LDIF file. In this case, we created the BIND user called readonly.

Replace the domains names accordingly.

cat > ldap-readonly-user.ldif << 'EOL'
dn: cn=readonly,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com
cn: readonly
objectClass: simpleSecurityObject
objectClass: organizationalRole

Next, add the readonly user to slapd database.

ldapadd -H ldapi:/// -f ldap-readonly-user.ldif \
-D "cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com" -W -x

Set the password for the readonly user created above.

ldappasswd -x -D "cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com" \
-W -S cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com

Create OpenLDAP Access Control Lists

Similarly, if you don't already have ACLs in place, create the Access control list for the read-only user BIND DN created above. We are simply going to modify the existing OpenLDAP default ACLs.

cat > readonly-user_access.ldif << 'EOL'
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="cn=admin,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com" write
  by dn="cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com" read
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to *
  by dn="cn=admin,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com" write
  by dn="cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com" read
  by self write
  by anonymous auth
  by * none

The readonly user created is allowed to view the attributes on base DN, ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com.

To confirm the ACLs, run the command below

ldapsearch -Q -LLL -Y EXTERNAL \
-H ldapi:/// -b cn=config '(olcDatabase={1}mdb)' olcAccess

dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,ou=People
 ,dc=ldapmaster,dc=kifarunix-demo,dc=com" write by dn="cn=readonly,ou=People,d
 c=ldapmaster,dc=kifarunix-demo,dc=com" read by self write by anonymous auth b
 y * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,ou=People,dc=ldapmaster,dc=kifarunix-demo,d
 c=com" write by dn="cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=
 com" read by self write by anonymous auth by * none

Configure SSSD for OpenLDAP Client Authentication

The next commands are run on the OpenLDAP Client.

Run System Update

Update system package cache;

apt update

Install SSSD and Required Packages

Run the command below to install SSSD on Debian 12/11/10/9 and other required packages.

apt install sssd libpam-sss libnss-sss sssd-tools libsss-sudo

Once the installation is done, proceed to configure SSSD for OpenLDAP client authentication.

Create SSSD Configuration File On LDAP Client

Create the SSSD configuration file under the /etc/sssd directory with the content below.

Replace the domain names accordingly.

Ensure that the OpenLDAP server is reachable by hostname as defined in the SSSD configuration file.

Replace the BIND password accordingly as well.

cat > /etc/sssd/sssd.conf << 'EOF'
services = nss, pam
config_file_version = 2
domains = default

override_shell = /bin/bash

offline_credentials_expiration = 60

ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://
ldap_default_bind_dn = cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = BIND_PASS
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/ssl/openldap/certs/cacert.pem
ldap_tls_cacertdir = /etc/ssl/openldap/certs
ldap_search_timeout = 50
ldap_network_timeout = 60
access_provider = simple
ldap_access_filter = memberUid=uid=johndoe,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com

If you don't have a DNS server, you can update the hosts file. For example

echo " ldapmaster" >> /etc/hosts

Next, copy the OpenLDAP server CA certificate to OpenLDAP client. See the directory specified by ldap_tls_cacertdir option. If you have a direct root access to the OpenLDAP server, simply copy it as follows.

Ensure the OpenLDAP certs directory exists. If not, create it.

[[ -d /etc/ssl/openldap/certs ]] || mkdir -p /etc/ssl/openldap/certs

Next, copy the CA certificate from OpenLDAP server to the client.

You can simply download the CA cert form LDAP server. Replace the address accordingly.

openssl s_client -connect \
-showcerts -starttls ldap </dev/null 2>/dev/null | openssl x509 -outform PEM > /etc/ssl/openldap/certs/cacert.pem

Open the /etc/ldap/ldap.conf and set the location of the CA certificate file copied from the OpenLDAP server.

vim /etc/ldap/ldap.conf

Replace the value of the TLS_CACERT to the directory in which the OpenLDAP server CA cert copied above is stored on the OpenLDAP client.

# TLS certificates (needed for GnuTLS)
#TLS_CACERT     /etc/ssl/certs/ca-certificates.crt
TLS_CACERT      /etc/ssl/openldap/certs/cacert.pem

After that, set the read/write access to /etc/sssd/ for the owner (root).

chmod 600 -R /etc/sssd

Restart SSSD service

systemctl restart sssd

Check the status of SSSD to ensure that it is running.

systemctl status sssd

● sssd.service - System Security Services Daemon
     Loaded: loaded (/lib/systemd/system/sssd.service; enabled; preset: enabled)
     Active: active (running) since Fri 2023-07-07 20:39:33 CEST; 2s ago
   Main PID: 4316 (sssd)
      Tasks: 4 (limit: 2284)
     Memory: 44.4M
        CPU: 162ms
     CGroup: /system.slice/sssd.service
             ├─4316 /usr/sbin/sssd -i --logger=files
             ├─4317 /usr/libexec/sssd/sssd_be --domain default --uid 0 --gid 0 --logger=files
             ├─4318 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
             └─4319 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files

Jul 07 20:39:33 bookworm systemd[1]: Starting sssd.service - System Security Services Daemon...
Jul 07 20:39:33 bookworm sssd[4316]: Starting up
Jul 07 20:39:33 bookworm sssd_be[4317]: Starting up
Jul 07 20:39:33 bookworm sssd_pam[4319]: Starting up
Jul 07 20:39:33 bookworm sssd_nss[4318]: Starting up
Jul 07 20:39:33 bookworm systemd[1]: Started sssd.service - System Security Services Daemon.

Configure Automatic Home Creation for OpenLDAP Users

Next configure Pluggable Authentication Module (PAM) to automatically create user's home directory on first login.

This can be done by editing the /etc/pam.d/common-session configuration file as follows;

vim /etc/pam.d/common-session

Add the line below just after the line, session optional

session required skel=/etc/skel/ umask=0022

# since the modules above will each just jump around
session required
# and here are more per-package modules (the "Additional" block)
session required 
session optional 
session required skel=/etc/skel/ umask=0022
session optional 
# end of pam-auth-update config

Save and quit the configuration.

Verify OpenLDAP Authentication using SSSD

Verify that the user is created using the id command. You should get the user and group id of the user.

id johndoe
uid=10000(johndoe) gid=10000(johndoe) groups=10000(johndoe)

You can now login as the LDAP user, mibeyam in this case.

root@bookworm:~# su - johndoe
Creating directory '/home/johndoe'.
johndoe@bookworm:~$ whoami
johndoe@bookworm:~$ pwd

To that far, you have learnt how to configure SSSD for OpenLDAP Client Authentication on Debian 12/11/10/9.

Install and Configure OpenLDAP server on Fedora 29

Configure OpenLDAP Client on Debian 9 Stretch

Install and Configure OpenLDAP Server on Debian 9 Stretch

How to Install FreeIPA Server on Fedora 29/Fedora 28/CentOS 7


We're passionate about sharing our knowledge and experiences with you through our blog. If you appreciate our efforts, consider buying us a virtual coffee. Your support keeps us motivated and enables us to continually improve, ensuring that we can provide you with the best content possible. Thank you for being a coffee-fueled champion of our work!

Photo of author
I am the Co-founder of, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".

2 thoughts on “Configure SSSD for OpenLDAP Client Authentication on Debian 12/11/10/9”

  1. Hi, thanks for this nice article. For future readers it is missing a few details tho, such as:
    – userPassword: property needs to be set in the readonly ldif file or it won’t create the object
    – readonly-user_access.ldif has to be pushed with (sudo) ldapmodify -h ldapi:/// -f xxx.ldif -D “cn=admin,dc=domain,dc=tld” -W -x
    – ldap_default_authtok in sssd.conf is your actual readonly user password


Leave a Comment