The Geek Diary

How to configure LDAP Client on CentOS/RHEL 6 using SSSD

by

Starting from Oracle Linux 6/ RedHat Linux 6 LDAP service started to use SSSD which is also recommended to use.

SSSD

The System Security Services Daemon (SSSD) is a service which provides access to different identity and authentication providers. You can configure SSSD to use a native LDAP domain (that is, an LDAP identity provider with LDAP authentication), or an LDAP identity provider with Kerberos authentication. It provides an NSS and PAM interface to the system, and a pluggable back-end system to connect to multiple different account sources.

Note: SSSD does not support authentication over an unencrypted channel. If LDAP authentication is enable, either TLS/SSL or LDAPS is required. If the LDAP server is used only as an identity provider an encrypted channel is not needed.

Installation and configuration

1. First Install SSSD package:

# yum install sssd sssd-client

2. Run authconfig tool to enable openldap and sssd:

# authconfig --enablesssd --enablesssdauth --ldapserver="" --ldapbasedn="[ldap-base-dn]" --enableldaptls --update

3. If Server has also Graphic UI ( Gnome ) we can execute command:

# authconfig-gtk

And run configuration through GUI Mode:

authconfig-gtk configure LDAP client

Configure the file /etc/nsswitch.conf to use sss as the 2nd option for passwd, shadow and group sections.

# vi /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss

Common Issues

If for some reason users are not able too ‘see’ their secondary groups while running id command, this issue might be related to LDAP Schema which might be set wrong on client side or AD side.

Verify sssd.conf file in /etc/sssd/ dir – although sssd.conf file must be created and configured manually, since SSSD is not configured after installation.

Example output:

# cat /etc/sssd/sssd.conf
[domain/AD]
description = LDAP domain with AD server
enumerate = false
min_id = 1000
;
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://your.ad.server.com
ldap_schema = rfc2307bis
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = YOUR_PASSWORD
ldap_user_object_class = person
ldap_user_name = msSFU30Name
ldap_user_uid_number = msSFU30UidNumber
ldap_user_gid_number = msSFU30GidNumber
ldap_user_home_directory = msSFU30HomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = msSFU30Name
ldap_group_gid_number = msSFU30GidNumber

Verify what schema is used on AD, mostly this should be rfc2307bis but this can vary. Please note that above sssd.conf is example, it will all depend from AD configuration – in case of any concerns please check man pages for sssd.conf for details.

# man sssd.conf

After Schema change flush sssd cache with command as follows:

# sss_cache -d DOMAIN_NAME_USED

And restart sssd service

# service sssd restart

You May Also Like