Install and Configure SSSD for OpenLDAP Authentication on Fedora 32/31/30


In this tutorial, you will learn how to install and configure SSSD for OpenLDAP authentication on Fedora 32/31/30. SSSD is an acronym for System Security Services Daemon. “The primary function of SSSD is to provide access to local or remote identity and authentication resources through a common framework that can provide caching and offline support to the system. It provides several interfaces, including NSS and PAM modules or a D-Bus interface”.

Benefits of using SSSD for remote identity and authentication include;

  • Reduced load on identity and authentication servers: Once SSSD has contacted the identity and authentication server, it caches the information, so subsequent requests for the same information are served from the cache, reducing the load on the backend servers.
  • Offline authentication: SSSD can be configured to keep a cache of user identities and credentials for a specified period of time. This enables users to authenticate to resources even if the remote server or the SSSD client is offline.
  • A single user account: SSSD's credential and account information caching removes the need to maintain both a central account and a local user account for offline authentication.

As we continue with this guide, we assume that you already have an OpenLDAP server up and running. If you do not, follow the link below to install and configure an OpenLDAP server on CentOS 8.

Install and Setup OpenLDAP on CentOS 8

Install SSSD for OpenLDAP Authentication on Fedora

Run System Update

Before you can proceed, ensure that your system packages are up-to-date.

dnf update

Install SSSD on Fedora 32/31/30

Run the command below to install SSSD and the SSSD tools on Fedora 32/31/30 (they may already be installed by default).

dnf install sssd sssd-tools

Configure SSSD for OpenLDAP Authentication

Once SSSD and its tools are installed, proceed to configure it for your OpenLDAP authentication.

Note that, by default, SSSD does not ship with a configuration file. As such, you need to create the SSSD configuration file (sssd.conf, by default) under the configuration directory, /etc/sssd, to define your OpenLDAP authentication settings.

vim /etc/sssd/sssd.conf

Below is our sample SSSD configuration. Be sure to make the relevant changes in the configuration below to reflect your OpenLDAP environment.


[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]
offline_credentials_expiration = 60

[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://ldapmaster.kifarunix-demo.com
ldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = P@ssWOrd
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/cacert.crt
ldap_tls_cacertdir = /etc/pki/tls
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)

If you are providing sudo rights via OpenLDAP, your SSSD configuration should include the sudo service and the sudoers search base. The SSSD configuration file would then look like this:


[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = default

[sudo]

[nss]

[pam]
offline_credentials_expiration = 60

[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://ldapmaster.kifarunix-demo.com
ldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = P@ssWOrd
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/cacert.crt
ldap_tls_cacertdir = /etc/pki/tls
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_sudo_search_base = ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)

For a detailed description of all the options/parameters used in the SSSD configuration, refer to man sssd.conf.
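The two settings that decide whether the bind credentials and user passwords above ever cross the wire in the clear are ldap_uri together with ldap_id_use_start_tls, and ldap_tls_reqcert. The script below is an added example, not part of the original tutorial and not a feature of sssctl: it reads those keys out of an sssd.conf with sed (assuming the simple "key = value" layout shown above), reports any combination that would leave the LDAP channel unencrypted or unverified, and checks the 0600 mode that sssctl config-check later insists on. The helper names sssd_opt, check_sssd_tls and check_sssd_mode are my own.

```shell
#!/bin/sh
# Added example (not from the original tutorial, not an sssctl feature):
# a pre-flight check for the transport-security keys in sssd.conf.

# sssd_opt FILE KEY -> print the value of the first "KEY = value" line.
# Assumes the flat "key = value" layout used in the sample configuration.
sssd_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# check_sssd_tls FILE -> 0 when the LDAP transport is encrypted and the
# server certificate is verified, 1 otherwise (one line per problem found).
check_sssd_tls() {
    conf=$1
    rc=0
    uri=$(sssd_opt "$conf" ldap_uri)
    starttls=$(sssd_opt "$conf" ldap_id_use_start_tls)
    reqcert=$(sssd_opt "$conf" ldap_tls_reqcert)
    cacert=$(sssd_opt "$conf" ldap_tls_cacert)

    case "$uri" in
        ldaps://*) ;;                    # TLS from the first byte (port 636)
        ldap://*)
            # plain ldap:// is only acceptable when STARTTLS is forced
            case "$starttls" in
                [Tt]rue) ;;
                *) echo "ldap_uri is $uri but ldap_id_use_start_tls is not True"; rc=1 ;;
            esac ;;
        *) echo "ldap_uri missing or unrecognised: '$uri'"; rc=1 ;;
    esac

    # anything weaker than "demand" lets a forged server certificate through
    if [ "$reqcert" != "demand" ]; then
        echo "ldap_tls_reqcert should be 'demand', found '${reqcert:-unset}'"
        rc=1
    fi
    # a configured CA file that cannot be read makes every TLS handshake fail
    if [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
        echo "ldap_tls_cacert points to unreadable file $cacert"
        rc=1
    fi
    return $rc
}

# check_sssd_mode FILE -> 0 when the mode is exactly 0600, which is what
# "sssctl config-check" expects for a file holding ldap_default_authtok.
check_sssd_mode() {
    mode=$(stat -c '%a' "$1") || return 1
    [ "$mode" = "600" ]
}

# Usage on a live system:
#   check_sssd_tls /etc/sssd/sssd.conf && check_sssd_mode /etc/sssd/sssd.conf && echo OK
```

Run it before starting sssd; a non-zero exit with a printed reason is cheaper to read than the generic connection failures SSSD logs when STARTTLS or certificate verification is misconfigured.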

Follow the link below to learn how to configure OpenLDAP to provide SUDO rights to authenticating clients.

How to Configure SUDO via OpenLDAP Server

Install OpenLDAP CA Certificate on Fedora 32/31/30

SSSD requires that the communication channel be encrypted. As such, OpenLDAP has to be configured with SSL (the URI uses ldaps://) or TLS (the URI uses ldap:// with STARTTLS).

If your OpenLDAP is configured with SSL (LDAP is listening on port 636), run the command below to download the CA certificate:

openssl s_client -connect ldapmaster.kifarunix-demo.com:636 -showcerts < /dev/null | openssl x509 -text | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

If your OpenLDAP is configured with TLS (LDAP is listening on port 389), run the command below to download the CA certificate:

openssl s_client -connect ldapmaster.kifarunix-demo.com:389 -starttls ldap -showcerts < /dev/null | openssl x509 -text | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'

The certificate is displayed on the standard output.


-----BEGIN CERTIFICATE-----
MIIDvzCCAqegAwIBAgIUc8imlOVhEej453dXtvacn7krg1MwDQYJKoZIhvcNAQEL
BQAwbzELMAkGA1UEBhMCS0UxDDAKBgNVBAgMA05haTEMMAoGA1UEBwwDTWFpMRww
...
...
Uy7ivNi2PL6mBwxMpyi0zTopqTXSvi54APm48dd0JPsGLTIgPMc1WvaN7TsUeIBs
Igf9K1e9M0Q+j2XEsTeCYVU/v0Jt0kER0+V/NM0IrDOX+6kRz6DNsZrwcMEf5Yvp
ARWZ
-----END CERTIFICATE-----

You need to copy this certificate and install it in the file specified by the line ldap_tls_cacert = /etc/pki/tls/cacert.crt.

vim /etc/pki/tls/cacert.crt

Paste the certificate here:


-----BEGIN CERTIFICATE-----
MIIDvzCCAqegAwIBAgIUc8imlOVhEej453dXtvacn7krg1MwDQYJKoZIhvcNAQEL
BQAwbzELMAkGA1UEBhMCS0UxDDAKBgNVBAgMA05haTEMMAoGA1UEBwwDTWFpMRww
...
...
Uy7ivNi2PL6mBwxMpyi0zTopqTXSvi54APm48dd0JPsGLTIgPMc1WvaN7TsUeIBs
Igf9K1e9M0Q+j2XEsTeCYVU/v0Jt0kER0+V/NM0IrDOX+6kRz6DNsZrwcMEf5Yvp
ARWZ
-----END CERTIFICATE-----

Save and exit the file.
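One thing to be aware of with the openssl pipeline above: openssl s_client -showcerts prints the whole chain the server presents, but openssl x509 reads only the first PEM block, which is normally the server's own certificate rather than the CA that signed it (the two are the same only when the server certificate is self-signed). The script below is an added example, not part of the original tutorial: it splits the s_client output into one file per certificate and, for each one, compares subject and issuer so the self-signed CA candidate for ldap_tls_cacert can be told apart from the leaf. The function names split_pem_chain and classify_certs are my own.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): split the PEM chain that
# "openssl s_client -showcerts" prints into one file per certificate, then
# flag the self-signed one, which is the CA certificate SSSD should trust.

# split_pem_chain DIR -> read s_client output on stdin, write DIR/01.pem,
# DIR/02.pem, ... in the order presented, and print the number written.
split_pem_chain() {
    outdir=$1
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%02d.pem", dir, n) }
        f { print > f }                          # inside a PEM block: copy the line
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }
    '
}

# classify_certs DIR -> for every DIR/*.pem print whether it is self-signed
# (subject equals issuer) or was issued by another certificate.
classify_certs() {
    for pem in "$1"/*.pem; do
        subj=$(openssl x509 -in "$pem" -noout -subject | sed 's/^[^=]*=//')
        iss=$(openssl x509 -in "$pem" -noout -issuer | sed 's/^[^=]*=//')
        if [ "$subj" = "$iss" ]; then
            echo "$pem: self-signed (CA candidate for ldap_tls_cacert): $subj"
        else
            echo "$pem: issued by$iss, subject$subj"
        fi
    done
}

# Usage against a STARTTLS server (replace the host name with your own):
#   openssl s_client -connect ldapmaster.kifarunix-demo.com:389 -starttls ldap \
#       -showcerts < /dev/null 2>/dev/null | split_pem_chain /tmp/ldap-chain
#   classify_certs /tmp/ldap-chain
# Only the file reported as self-signed belongs in /etc/pki/tls/cacert.crt;
# after copying it, "openssl verify -CAfile /etc/pki/tls/cacert.crt /tmp/ldap-chain/01.pem"
# should print OK for the server certificate.
```

If no certificate in the chain is self-signed, the server is not sending its root; in that case obtain the CA certificate out of band from whoever runs the OpenLDAP server rather than trusting the leaf certificate directly, since a leaf-only trust anchor breaks on the next certificate renewal.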

Configure NSS and PAM for SSSD Authentication on Fedora 32/31/30

Update NSS and PAM to use SSSD to manage authentication resources. Authselect is a utility that simplifies the configuration of user authentication, especially when SSSD is used for authentication.

Configure SSSD Profile on Fedora 32/31/30

When the authselect command is used to select the SSSD profile, it modifies the files below:

  • /etc/pam.d/system-auth
  • /etc/pam.d/password-auth
  • /etc/pam.d/fingerprint-auth
  • /etc/pam.d/smartcard-auth
  • /etc/pam.d/postlogin
  • /etc/nsswitch.conf

Therefore, make a backup of these files just in case things don’t work out.

cp -r /etc/pam.d{,.original}
cp /etc/nsswitch.conf{,.original}

Select the SSSD profile. This command overwrites the nsswitch maps.

authselect select sssd

Next, if you have configured sudo via OpenLDAP, the system needs to fetch sudo rights from SSSD/OpenLDAP, so edit /etc/nsswitch.conf to include the line below.

sudoers:    files sss

You can simply echo the line into the configuration file as shown below;

echo "sudoers:    files sss" >> /etc/nsswitch.conf
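Because authselect select sssd rewrites /etc/nsswitch.conf, and a later authselect run can rewrite it again, it is worth checking rather than assuming that every map SSSD is supposed to serve actually lists sss. The function below is an added example, not part of the original tutorial: given an nsswitch.conf-style file and a list of map names, it reports any map whose source list does not contain sss as a whole word before any comment. The name check_nsswitch_maps is my own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): confirm that the NSS maps
# SSSD needs actually list the "sss" source, so a missing "sudoers: files sss"
# line (or a map that authselect left without sss) is caught before login.

# check_nsswitch_maps FILE MAP... -> 0 when every MAP names "sss" as a source,
# 1 otherwise, printing the maps that lack it.
check_nsswitch_maps() {
    file=$1
    shift
    missing=""
    for map in "$@"; do
        # "map:" at line start, then "sss" as a whole word before any "#" comment
        if ! grep -Eq "^[[:space:]]*${map}:[^#]*[[:space:]]sss([[:space:]]|\$)" "$file"; then
            missing="$missing $map"
        fi
    done
    if [ -n "$missing" ]; then
        echo "maps without the sss source:$missing"
        return 1
    fi
    return 0
}

# Usage on a live system (after "authselect select sssd" and the sudoers line above):
#   check_nsswitch_maps /etc/nsswitch.conf passwd group shadow sudoers && echo OK
```

A clean exit here plus a successful getent -s sss passwd lookup of an LDAP user is the quickest way to separate an NSS wiring problem from an SSSD-to-LDAP problem when the id command in the verification section below returns nothing.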

Configure Automatic Home Directory Creation At Login

To enable automatic home directory creation for user upon first login, you need to install the oddjob-mkhomedir, which provides the pam_oddjob_mkhomedir module to create a home directory for a user at login-time.

dnf install oddjob-mkhomedir

Start and enable oddjobd to run on system boot.

systemctl enable --now oddjobd

Load the pam_oddjob_mkhomedir module in the PAM file /etc/pam.d/system-auth to enable automatic home directory creation.

echo "session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/system-auth

Restart oddjobd.

systemctl restart oddjobd

Running SSSD on Fedora 32/31/30

Before you start SSSD, check the configuration for typos and for file ownership and permission problems:

sssctl config-check
File ownership and permissions check failed. Expected root:root and 0600.

As the check output indicates, make root the owner of /etc/sssd and restrict read/write access to the owner only.

chown -R root:root /etc/sssd
chmod 600 -R /etc/sssd

The configuration is now done. Start and enable SSSD to run on system boot.

systemctl enable --now sssd

Check the status.

systemctl status sssd

● sssd.service - System Security Services Daemon
     Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2020-08-27 19:31:25 EAT; 2h 22min ago
   Main PID: 663 (sssd)
      Tasks: 3 (limit: 2332)
     Memory: 7.6M
        CPU: 713ms
     CGroup: /system.slice/sssd.service
             ├─663 /usr/sbin/sssd -i --logger=files
             ├─806 /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
             └─807 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files

Aug 27 19:30:58 fedora32.kifarunix-demo.com systemd[1]: Starting System Security Services Daemon...
Aug 27 19:31:24 fedora32.kifarunix-demo.com sssd[663]: Starting up
Aug 27 19:31:24 fedora32.kifarunix-demo.com be[implicit_files][806]: Starting up
Aug 27 19:31:25 fedora32.kifarunix-demo.com nss[807]: Starting up
Aug 27 19:31:25 fedora32.kifarunix-demo.com systemd[1]: Started System Security Services Daemon.

Verify OpenLDAP Authentication via SSSD

The installation and configuration of SSSD for OpenLDAP authentication on Fedora 32/31/30 is done. It is now time to verify the system authentication via OpenLDAP.

First, confirm that your LDAP user is visible on the system using the id command.

id janedoe
uid=10010(janedoe) gid=10010(janedoe) groups=10010(janedoe)

Once that is confirmed, verify the login. You can use SSH, or the GUI login on desktop systems.

ssh -l janedoe localhost
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:JyAO5/n9crE8qa923r0W0Ocw47LuVJFGuLZvnwRUM8k.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
janedoe@localhost's password: 
[janedoe@fedora32 ~]$
[janedoe@fedora32 ~]$ whoami
janedoe
[janedoe@fedora32 ~]$ pwd
/home/janedoe
[janedoe@fedora32 ~]$

Other Related Tutorials

How to Create OpenLDAP Member Groups

Configure SSSD for OpenLDAP Client Authentication on Debian 10/9

Setup OpenLDAP Server with SSL/TLS on Debian 10

Install and Configure OpenLDAP server on Fedora 29

Configure OpenLDAP Client on Debian 9 Stretch

Install and Configure OpenLDAP Server on Debian 9 Stretch

koromicha
I am the Co-founder of Kifarunix.com, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".