Starting with Oracle Linux 6 / Red Hat Enterprise Linux 6, the LDAP client service is built on SSSD, which is also the recommended way to set it up.
The System Security Services Daemon (SSSD) is a service which provides access to different identity and authentication providers. You can configure SSSD to use a native LDAP domain (that is, an LDAP identity provider with LDAP authentication), or an LDAP identity provider with Kerberos authentication. It provides an NSS and PAM interface to the system, and a pluggable back-end system to connect to multiple different account sources.
Installation and configuration
1. First install the SSSD packages:
# yum install sssd sssd-client
2. Run the authconfig tool to enable the LDAP client and SSSD (the server URI and base DN in brackets are placeholders for your own values):
# authconfig --enablesssd --enablesssdauth --ldapserver="[ldap-server-uri]" --ldapbasedn="[ldap-base-dn]" --enableldaptls --update
3. If the server also has a graphical UI (GNOME), the same configuration can be done through the GUI mode of the tool:
Configure /etc/nsswitch.conf to use sss as the second source for the passwd, shadow and group databases:
# vi /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group:  files sss
If for some reason users cannot 'see' their secondary groups when running the id command, the issue is usually related to the LDAP schema, which may be set wrongly on the client side or on the AD side.
Verify the sssd.conf file in the /etc/sssd/ directory. Note that sssd.conf must be created and configured manually, since SSSD is not configured after installation.
# cat /etc/sssd/sssd.conf
[domain/AD]
description = LDAP domain with AD server
enumerate = false
min_id = 1000
;
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://your.ad.server.com
ldap_schema = rfc2307bis
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = YOUR_PASSWORD
ldap_user_object_class = person
ldap_user_name = msSFU30Name
ldap_user_uid_number = msSFU30UidNumber
ldap_user_gid_number = msSFU30GidNumber
ldap_user_home_directory = msSFU30HomeDirectory
ldap_user_shell = msSFU30LoginShell
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = msSFU30Name
ldap_group_gid_number = msSFU30GidNumber
Verify which schema is used on AD; mostly this is rfc2307bis, but it can vary. Note that the sssd.conf above is only an example: the exact settings depend on the AD configuration. Two things to keep in mind: the domain section is only used if it is also listed under domains = in the [sssd] section, and because ldap_default_authtok stores the bind password in clear text, the file must be owned by root with mode 0600 (SSSD refuses to start otherwise); a dedicated read-only bind account is preferable to the Administrator account shown in the example. In case of any doubts, check the sssd.conf man page for details.
# man sssd.conf
After a schema change, flush the SSSD cache for the domain:
# sss_cache -d DOMAIN_NAME_USED
and restart the sssd service:
# service sssd restart
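The following shell script is an added example, not part of the original article: it checks the items above (nsswitch.conf sources, sssd.conf permissions, the domains list, the ldap_schema value, and StartTLS on a plain ldap:// URI) before the cache flush and restart. It runs against constructed sample files so it works offline; the function names, the sample contents and the temp-file handling are this example's own assumptions, while the option names (domains, ldap_schema, ldap_uri, ldap_id_use_start_tls) are real sssd.conf keys.

```shell
#!/bin/sh
# Added example: pre-restart sanity checks for an SSSD LDAP client.
# Sample files below are constructed for the example, not taken from a real host.

# Constructed sssd.conf sample (mirrors the article's [domain/AD] layout).
make_sample_conf() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = AD

[domain/AD]
description = LDAP domain with AD server
enumerate = false
min_id = 1000
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://your.ad.server.com
ldap_schema = rfc2307bis
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = YOUR_PASSWORD
EOF
  chmod 600 "$f"
  echo "$f"
}

# Constructed nsswitch.conf sample.
make_sample_nsswitch() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
EOF
  echo "$f"
}

# get_opt FILE SECTION KEY: print the value of KEY inside [SECTION], or nothing.
get_opt() {
  awk -v sec="[$2]" -v key="$3" '
    /^\[/ { insec = ($0 == sec); next }
    insec && $0 ~ ("^" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# nss_uses_sss FILE: succeed only if passwd, shadow and group all list "sss".
nss_uses_sss() {
  for db in passwd shadow group; do
    grep -Eq "^[ \t]*$db:.*[ \t]sss([ \t]|$)" "$1" || return 1
  done
}

# check_conf FILE DOMAIN: return 0 when the config passes the hard checks.
check_conf() {
  cfgfile=$1; dom=$2; rc=0
  # sssd refuses to start unless the file is mode 0600; it holds the bind password.
  mode=$(stat -c '%a' "$cfgfile")
  if [ "$mode" != "600" ]; then
    echo "FAIL: $cfgfile has mode $mode, expected 600"; rc=1
  fi
  # A [domain/X] section is ignored unless X is listed under [sssd] domains.
  case " $(get_opt "$cfgfile" sssd domains | tr ',' ' ') " in
    *" $dom "*) ;;
    *) echo "FAIL: $dom is not listed in [sssd] domains"; rc=1 ;;
  esac
  # The schema must be set explicitly and match what the AD side uses.
  schema=$(get_opt "$cfgfile" "domain/$dom" ldap_schema)
  case "$schema" in
    rfc2307|rfc2307bis|ad) echo "ldap_schema: $schema" ;;
    *) echo "FAIL: ldap_schema '$schema' is unset or unknown"; rc=1 ;;
  esac
  # Identity lookups over plain ldap:// need StartTLS, or they cross the wire in clear.
  uri=$(get_opt "$cfgfile" "domain/$dom" ldap_uri)
  tls=$(get_opt "$cfgfile" "domain/$dom" ldap_id_use_start_tls)
  case "$uri" in
    ldap://*) [ "$tls" = "true" ] || echo "WARN: $uri without ldap_id_use_start_tls = true" ;;
  esac
  return $rc
}

# Demonstration on the constructed samples. On a real client run instead:
#   check_conf /etc/sssd/sssd.conf AD && nss_uses_sss /etc/nsswitch.conf
demo_cfg=$(make_sample_conf)
demo_nss=$(make_sample_nsswitch)
check_conf "$demo_cfg" AD && nss_uses_sss "$demo_nss" && echo "checks passed"
rm -f "$demo_cfg" "$demo_nss"
```

The sample passes the hard checks but prints a warning, because, like the article's example, it uses ldap:// without enabling StartTLS for identity lookups; the same script flags a sssd.conf that was copied with mode 0644, which is the usual reason sssd fails to start right after the file has been created by hand.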