Configure SSSD with LDAP on CentOS/RHEL7 Client
Learn how to set up SSSD with LDAP on your CentOS/RHEL7 client to centralize authentication and access control in your environment, ensuring secure and efficient user management.
Replace ‘certfile.crt’ throughout with the name of your own .crt file.
Before proceeding, make sure you have a CA certificate; a separate guide (linked from the original page) covers creating one.
1. Place the CA certificate in the necessary directory:
/opt/symas/ssl/ca/certfile.crt
2. If /opt/symas/ssl/ca/ does not exist, create the directory:
mkdir -p /opt/symas/ssl/ca/
3. Install SSSD client on the CentOS/RHEL7 client:
yum update
yum install sssd sssd-client sssd-tools oddjob-mkhomedir
4. Configure nsswitch.conf:
vi /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: sss files systemd
group: sss files systemd
shadow: files sss
gshadow: files
hosts: files dns
networks: files
protocols: db files
services: db files sss
ethers: db files
rpc: db files
netgroup: nis sss
automount: sss
5. Create and configure the SSSD configuration file:
vi /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = example
[nss]
[pam]
offline_credentials_expiration = 60
[domain/example]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = ou=people,dc=example,dc=com
ldap_group_search_base = ou=groups,dc=example,dc=com?subtree?(objectclass=posixGroup)
ldap_netgroup_search_base = ou=netgroups,dc=example,dc=com?subtree?(objectclass=nisNetGroup)
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ldap://example.com
# Bind credentials used for lookups; replace 'secret' with the real password.
# Because this password is stored in cleartext, sssd.conf must stay 0600 root:root (step 6).
ldap_default_bind_dn = cn=admin,dc=example,dc=com
ldap_default_authtok = secret
ldap_tls_reqcert = demand
ldap_tls_cacert = /opt/symas/ssl/ca/certfile.crt
ldap_tls_cacertdir = /opt/symas/ssl/ca
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
enumerate = True
6. Set proper permissions on the sssd directory and its contents (SSSD refuses a sssd.conf that is not 0600 and owned by root):
chown -R root:root /etc/sssd/
chmod 700 /etc/sssd/
chmod 600 /etc/sssd/sssd.conf
7. Configure auto-home directory creation:
echo "session optional pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0022" >> /etc/pam.d/system-auth
8. If /etc/pam.d/common-session exists, perform the following:
vi /etc/pam.d/common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of interactive sessions.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules. See
# pam-auth-update(8) for details.
# here are the per-package modules (the "Primary" block)
session [default=1] pam_permit.so
# here's the fallback if no module succeeds
session requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
session required pam_permit.so
# The pam_umask module will set the umask according to the system default in
# /etc/login.defs and user settings, solving the problem of different
# umask settings with different shells, display managers, remote sessions etc.
# See "man pam_umask".
session optional pam_umask.so
# and here are more per-package modules (the "Additional" block)
session required pam_unix.so
session optional pam_sss.so
session optional pam_ldap.so
session optional pam_systemd.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
# end of pam-auth-update config
9. Use authconfig to update the PAM and NSS configuration so logins go through SSSD:
authconfig --enablesssdauth --enablesssd --enablemkhomedir --updateall
If you receive the error ‘authconfig: command not found’, use the following command to install the utility:
yum install authconfig
10. Enable and start the 'oddjobd' and 'sssd' services so they start automatically when the system reboots:
systemctl enable --now oddjobd
systemctl enable --now sssd
11. Check sssd.conf for errors:
sssctl config-check
12. To clear the SSSD cache, if needed:
systemctl stop sssd
sss_cache -E
rm -f /var/lib/sss/db/*
systemctl start sssd
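As an added example that is not part of the original page, the following POSIX shell pre-flight check catches three sssd.conf mistakes that steps 5 and 6 above can leave behind: a name in `domains =` with no matching `[domain/NAME]` section (which makes SSSD fail to start), a plain `ldap://` URI without `ldap_id_use_start_tls = True` (which sends the bind password in cleartext), and a config file that is not mode 0600. The `sssd_*` function names and the constructed sample file are assumptions made for this example; `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the original page: pre-flight checks for an sssd.conf.
# Every function takes the path of the config file to inspect as $1.

# Print the value of key $2 (first occurrence in the file), whitespace trimmed.
sssd_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n1 | sed 's/[[:space:]]*$//'
}

# Exit 0 when every domain listed under [sssd] has a [domain/NAME] section.
sssd_check_domains() {
    rc=0
    for d in $(sssd_get "$1" domains | tr ',' ' '); do
        grep -q "^\[domain/$d]" "$1" || { echo "domains lists '$d' but there is no [domain/$d] section" >&2; rc=1; }
    done
    return $rc
}

# Exit 0 when the LDAP transport is protected: ldaps://, or ldap:// with StartTLS.
sssd_check_tls() {
    uri=$(sssd_get "$1" ldap_uri)
    case "$uri" in
        ldaps://*) return 0 ;;
        ldap://*)
            [ "$(sssd_get "$1" ldap_id_use_start_tls | tr 'A-Z' 'a-z')" = "true" ] \
                || { echo "ldap:// without ldap_id_use_start_tls = True: binds are cleartext" >&2; return 1; } ;;
        *) echo "unrecognised ldap_uri '$uri'" >&2; return 1 ;;
    esac
}

# Exit 0 when the file mode is exactly 0600, which SSSD requires for sssd.conf.
sssd_check_mode() {
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# Write a constructed sample modelled on the page's config and print its path.
# $1 = value for 'domains', $2 = value for ldap_id_use_start_tls, $3 = file mode.
sssd_make_sample() {
    f=$(mktemp)
    printf '[sssd]\nservices = nss, pam\ndomains = %s\n[domain/example]\n' "$1" > "$f"
    printf 'ldap_uri = ldap://example.com\nldap_id_use_start_tls = %s\n' "$2" >> "$f"
    printf 'ldap_tls_reqcert = demand\nldap_default_authtok = secret\n' >> "$f"
    chmod "$3" "$f"
    echo "$f"
}
```

Run the three checks against /etc/sssd/sssd.conf before `systemctl start sssd`; the constructed sample with `domains = sraeng` reproduces the mismatch that a `[domain/example]` section does not satisfy.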