SSSD and LDAP
SSSD can also use LDAP for authentication, authorization, and user/group information. In this section we will configure a host to authenticate users from an OpenLDAP directory.
Prerequisites, Assumptions, and Requirements
For this setup, we need:
- an existing OpenLDAP server with SSL enabled and using the RFC2307 schema for users and groups
- a client host where we will install the necessary tools and login as a user from the LDAP server
Software Installation
Install the following packages:
sudo apt install sssd-ldap ldap-utils
SSSD Configuration
Create the /etc/sssd/sssd.conf configuration file, with permissions 0600 and ownership root:root, and this content:
[sssd]
config_file_version = 2
domains = example.com
[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap01.example.com
cache_credentials = True
ldap_search_base = dc=example,dc=com
Make sure to start the sssd service:
sudo systemctl start sssd.service
Note
sssd will use START_TLS by default for authentication requests against the LDAP server (the auth_provider), but not for the id_provider. If you want to also enable START_TLS for the id_provider, specify ldap_id_use_start_tls = true.
Automatic home directory creation
To enable automatic home directory creation, run the following command:
sudo pam-auth-update --enable mkhomedir
Check SSL setup on the client
The client must be able to use START_TLS when connecting to the LDAP server, with full certificate checking. This means:
- the client host knows and trusts the CA that signed the LDAP server certificate
- the server certificate was issued for the correct host (ldap01.example.com in this guide)
- the time is correct on all hosts performing the TLS connection
- and, of course, that neither certificate (CA or server's) has expired
If using a custom CA, an easy way to have a host trust it is to place it in /usr/local/share/ca-certificates/ with a .crt extension and run sudo update-ca-certificates.
Alternatively, you can edit /etc/ldap/ldap.conf and point TLS_CACERT to the CA public key file.
Note
You may have to restart sssd after these changes:
sudo systemctl restart sssd
Once that is all done, check that you can connect to the LDAP server using verified SSL connections:
$ ldapwhoami -x -ZZ -H ldap://ldap01.example.com
anonymous
and for ldaps (if enabled in /etc/default/slapd):
$ ldapwhoami -x -H ldaps://ldap01.example.com
The -ZZ parameter tells the tool to use START_TLS, and that it must not fail. If you have LDAP logging enabled on the server, it will show something like this:
slapd[779]: conn=1032 op=0 STARTTLS
slapd[779]: conn=1032 op=0 RESULT oid= err=0 text=
slapd[779]: conn=1032 fd=15 TLS established tls_ssf=256 ssf=256
slapd[779]: conn=1032 op=1 BIND dn="" method=128
slapd[779]: conn=1032 op=1 RESULT tag=97 err=0 text=
slapd[779]: conn=1032 op=2 EXT oid=1.3.6.1.4.1.4203.1.11.3
slapd[779]: conn=1032 op=2 WHOAMI
slapd[779]: conn=1032 op=2 RESULT oid= err=0 text=
START_TLS with err=0 and TLS established is what we want to see there, and, of course, the WHOAMI extended operation.
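Two checks that follow from the Note above (ldap_id_use_start_tls) and from this log excerpt, as an added example that is not part of the original guide: one scans slapd log lines for connections that BIND before "TLS established", the other flags an sssd.conf whose ldap:// URI leaves id_provider lookups without START_TLS. The log for conn=1033 and the config text are constructed sample inputs.

```shell
#!/bin/sh
# Constructed sample slapd log: conn=1032 mirrors the excerpt in the guide,
# conn=1033 is a made-up connection that binds without negotiating START_TLS.
SAMPLE_LOG='slapd[779]: conn=1032 op=0 STARTTLS
slapd[779]: conn=1032 op=0 RESULT oid= err=0 text=
slapd[779]: conn=1032 fd=15 TLS established tls_ssf=256 ssf=256
slapd[779]: conn=1032 op=1 BIND dn="" method=128
slapd[779]: conn=1032 op=1 RESULT tag=97 err=0 text=
slapd[779]: conn=1033 op=0 BIND dn="uid=john,ou=People,dc=example,dc=com" method=128
slapd[779]: conn=1033 op=0 RESULT tag=97 err=0 text='

# Constructed sample sssd.conf, same content as the one in this guide.
SAMPLE_CONF='[sssd]
config_file_version = 2
domains = example.com
[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap01.example.com
cache_credentials = True
ldap_search_base = dc=example,dc=com'

# Read slapd log lines on stdin; print each conn id (once) that issued a BIND
# on a connection for which no "TLS established" line was seen beforehand.
unprotected_binds() {
    awk '
        /TLS established/ { match($0, /conn=[0-9]+/); tls[substr($0, RSTART, RLENGTH)] = 1 }
        / BIND / {
            match($0, /conn=[0-9]+/); c = substr($0, RSTART, RLENGTH)
            if (!(c in tls) && !(c in bad)) { bad[c] = 1; print c }
        }
    '
}

# Read sssd.conf on stdin; print "id-cleartext" when ldap_uri is ldap:// and
# ldap_id_use_start_tls is not true, i.e. user/group lookups are not TLS-protected.
id_provider_cleartext() {
    awk -F'[ =]+' '
        $1 == "ldap_uri" && $2 ~ /^ldap:\/\// { plain = 1 }
        $1 == "ldap_id_use_start_tls" && tolower($2) == "true" { tls = 1 }
        END { if (plain && !tls) print "id-cleartext" }
    '
}

printf '%s\n' "$SAMPLE_LOG" | unprotected_binds      # prints conn=1033
printf '%s\n' "$SAMPLE_CONF" | id_provider_cleartext # prints id-cleartext
```

Run the first function over a real log with e.g. journalctl -u slapd | unprotected_binds; an empty result means every bind was preceded by a TLS handshake on that connection.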
Final verification
In this example, the LDAP server has the following user and group entry we are going to use for testing:
dn: uid=john,ou=People,dc=example,dc=com
uid: john
objectClass: inetOrgPerson
objectClass: posixAccount
cn: John Smith
sn: Smith
givenName: John
mail: john@example.com
userPassword: johnsecret
uidNumber: 10001
gidNumber: 10001
loginShell: /bin/bash
homeDirectory: /home/john
dn: cn=john,ou=Group,dc=example,dc=com
cn: john
objectClass: posixGroup
gidNumber: 10001
memberUid: john
dn: cn=Engineering,ou=Group,dc=example,dc=com
cn: Engineering
objectClass: posixGroup
gidNumber: 10100
memberUid: john
The user john should be known to the system:
ubuntu@ldap-client:~$ getent passwd john
john:*:10001:10001:John Smith:/home/john:/bin/bash
ubuntu@ldap-client:~$ id john
uid=10001(john) gid=10001(john) groups=10001(john),10100(Engineering)
And we should be able to authenticate as john:
ubuntu@ldap-client:~$ sudo login
ldap-client login: john
Password:
Welcome to Ubuntu Focal Fossa (development branch) (GNU/Linux 5.4.0-24-generic x86_64)
(...)
Creating directory '/home/john'.
john@ldap-client:~$