wiki:PrincetonLDAPAuthentication6

Version 6 (modified by brose, 12 years ago) (diff)

--

Here is an SSSD configuration that is working in production against OIT LDAP. You will still need to manage certificates properly to use this in a secure manner. While you are testing, you can add "ldap_tls_reqcert = allow" as a line under the domain definition. This will help you debug by ruling out any certificate issues. DO NOT use that line in production!

The only real deviations from a standard config is the addition of "min_id = 1", as OIT has group IDs in the 10s-20s. "enumerate = true" will create a local precache, and allows tools such as finger to operate normally.

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = oit

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/oit]
auth_provider = ldap
ldap_id_use_start_tls = True
chpass_provider = ldap
cache_credentials = True
krb5_realm = EXAMPLE.COM
ldap_search_base = o=Princeton University,c=US
id_provider = ldap
ldap_uri = ldap://ldap.princeton.edu/
krb5_kdcip = kerberos.example.com
ldap_tls_cacertdir = /etc/pki/tls/certs
min_id = 1
enumerate = true

You will also need to make sure to use this SSSD configuration in PAM. Update /etc/nsswitch.conf accordingly:

passwd:     files sss
shadow:     files sss
group:      files sss
netgroup:   files sss

Also, update /etc/pam.d/system-auth-ac and password-auth-ac to include references to sss:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 100 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

Someone else once wrote this, but it no longer seems relevant as it disables sssd:

For authentication only (no user database) make sure you have nss-pam-ldapd rpm installed and then run:

authconfig --enableldapauth --ldapserver=ldaps://ldap.princeton.edu --ldapbasedn="o=Princeton University,c=US" --ldaploadcacert=file:///etc/pki/tls/certs/ca-bundle.crt --disablesssdauth --disablesssd --updateall --enableforcelegacy