wiki:PrincetonLDAPAuthentication6

Here is an SSSD configuration that is working in production against OIT LDAP. You will still need to manage certificates properly (a CA bundle in ldap_tls_cacertdir that validates the LDAP server's certificate) to use this in a secure manner. While you are testing, you can add "ldap_tls_reqcert = allow" as a line under the domain definition; SSSD will then carry on even when the server certificate fails validation, which helps you debug by ruling out certificate issues. DO NOT use that line in production: with validation disabled, any host that can intercept the connection can impersonate the LDAP server and receive users' passwords at bind time.

The only real deviations from a standard config are "min_id = 1", because OIT has group IDs in the 10s-20s, and "enumerate = true", which builds a local precache of the whole directory and allows tools such as finger to operate normally (enumeration is expensive against a large directory, so leave it off on hosts that do not need it). Because low IDs are allowed through, keep "files" ahead of "sss" in nsswitch.conf so a directory entry can never shadow a local system account or group. "ldap_id_use_start_tls = True" makes the identity lookups use STARTTLS as well; SSSD already insists on TLS for the authentication bind itself. The krb5_realm and krb5_kdcip lines are template leftovers and are not consulted while auth_provider = ldap.

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = oit

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/oit]
auth_provider = ldap
ldap_id_use_start_tls = True
chpass_provider = ldap
cache_credentials = True
krb5_realm = EXAMPLE.COM
ldap_search_base = o=Princeton University,c=US
id_provider = ldap
ldap_uri = ldap://ldap.princeton.edu/
krb5_kdcip = kerberos.example.com
ldap_tls_cacertdir = /etc/pki/tls/certs
min_id = 1
enumerate = true
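As an added check, written for this page and not part of the original wiki text or of SSSD itself, the following shell function lints an sssd.conf for the settings discussed above: a leftover "ldap_tls_reqcert = allow/never", an ldap:// URI without "ldap_id_use_start_tls = True", a missing CA setting, and a file that is readable by anyone other than root. The script name, message wording and the assumption of a single [domain/...] section are this example's own.

```shell
#!/bin/sh
# lint_sssd_conf: flag sssd.conf settings that weaken the LDAP channel.
# Added example for this page, not part of the original wiki text or of
# SSSD itself. Assumes one [domain/...] section laid out as shown above.

lint_sssd_conf() {
    conf="$1"
    rc=0

    if [ ! -r "$conf" ]; then
        echo "ERROR: cannot read $conf" >&2
        return 2
    fi

    # Debug-only setting left behind: allow/never skips server certificate
    # checks, so a spoofed LDAP server would receive the password at bind time.
    if grep -Eiq '^[[:space:]]*ldap_tls_reqcert[[:space:]]*=[[:space:]]*(allow|never)[[:space:]]*$' "$conf"; then
        echo "FAIL: ldap_tls_reqcert is allow/never; server certificate not verified"
        rc=1
    fi

    # A plain ldap:// URI is only acceptable when identity lookups are
    # upgraded to TLS; otherwise directory queries travel in cleartext.
    if grep -Eiq '^[[:space:]]*ldap_uri[[:space:]]*=[[:space:]]*ldap://' "$conf" &&
       ! grep -Eiq '^[[:space:]]*ldap_id_use_start_tls[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$conf"; then
        echo "FAIL: ldap:// URI without ldap_id_use_start_tls = True"
        rc=1
    fi

    # No trust anchor configured: TLS would be negotiated but the chain
    # could only be validated against whatever the system defaults are.
    if ! grep -Eiq '^[[:space:]]*ldap_tls_cacert(dir)?[[:space:]]*=' "$conf"; then
        echo "WARN: no ldap_tls_cacert/ldap_tls_cacertdir set; relying on system defaults"
    fi

    # sssd.conf may hold a bind password; SSSD checks ownership and mode
    # at startup, so anything other than root-only 0600 is a problem.
    mode=$(stat -c '%a' "$conf" 2>/dev/null || stat -f '%Lp' "$conf" 2>/dev/null)
    if [ "$mode" != "600" ]; then
        echo "FAIL: $conf has mode $mode, expected 600"
        rc=1
    fi

    # Not a security issue, but costly on a large directory; worth knowing.
    if grep -Eiq '^[[:space:]]*enumerate[[:space:]]*=[[:space:]]*true' "$conf"; then
        echo "INFO: enumerate = true; the whole directory will be walked and cached locally"
    fi

    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}

# Usage: sh lint-sssd.sh /etc/sssd/sssd.conf   (script name is an assumption)
if [ "$#" -gt 0 ]; then
    lint_sssd_conf "$1"
fi
```

A clean lint does not prove that the certificate chain actually validates, so follow it with a live check from the host: "ldapsearch -ZZ -x -H ldap://ldap.princeton.edu/ -b "o=Princeton University,c=US" -s base" fails hard if STARTTLS cannot be negotiated and verified, and "getent passwd <netid>" confirms that lookups are flowing through sss once nsswitch.conf is updated.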

You will also need to wire this SSSD configuration into both NSS and PAM. First, update /etc/nsswitch.conf so the sss backend is consulted after the local files:

passwd:     files sss
shadow:     files sss
group:      files sss
netgroup:   files sss

Then update /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac to include references to pam_sss. These files are generated by authconfig, as their header says, so rather than hand-editing them run "authconfig --enablesssd --enablesssdauth --update" and check that the result matches the stack below:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 100 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

An earlier author added the following; it is kept for reference only, as it no longer seems relevant: it disables SSSD and uses nss-pam-ldapd instead:

For authentication only (no user database) make sure you have nss-pam-ldapd rpm installed and then run:

authconfig --enableldapauth --ldapserver=ldaps://ldap.princeton.edu --ldapbasedn="o=Princeton University,c=US" --ldaploadcacert=file:///etc/pki/tls/certs/ca-bundle.crt --disablesssdauth --disablesssd --updateall --enableforcelegacy

Last modified on Jan 7, 2013 10:40:37 AM