Here is an SSSD configuration that is working in production against OIT LDAP. You will still need to manage certificates properly to use this in a secure manner. While you are testing, you can add "ldap_tls_reqcert = allow" as a line under the domain definition. This will help you debug by ruling out any certificate issues. DO NOT use that line in production!
The only real deviations from a standard config is the addition of "min_id = 1", as OIT has group IDs in the 10s-20s. "enumerate = true" will create a local precache, and allows tools such as finger to operate normally.
[sssd] config_file_version = 2 reconnection_retries = 3 sbus_timeout = 30 services = nss, pam domains = oit [nss] filter_groups = root filter_users = root reconnection_retries = 3 [pam] reconnection_retries = 3 [domain/oit] auth_provider = ldap ldap_id_use_start_tls = True chpass_provider = ldap cache_credentials = True krb5_realm = EXAMPLE.COM ldap_search_base = o=Princeton University,c=US id_provider = ldap ldap_uri = ldap://ldap.princeton.edu/ krb5_kdcip = kerberos.example.com ldap_tls_cacertdir = /etc/pki/tls/certs min_id = 1 enumerate = true
You will also need to make sure to use this SSSD configuration in PAM. Update /etc/nsswitch.conf accordingly:
passwd: files sss shadow: files sss group: files sss netgroup: files sss
Also, update /etc/pam.d/system-auth-ac and password-auth-ac to include references to sss:
#%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 100 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 100 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 type= password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so
Someone else once wrote this, but it no longer seems relevant as it disables sssd:
For authentication only (no user database) make sure you have nss-pam-ldapd rpm installed and then run:
authconfig --enableldapauth --ldapserver=ldaps://ldap.princeton.edu --ldapbasedn="o=Princeton University,c=US" --ldaploadcacert=file:///etc/pki/tls/certs/ca-bundle.crt --disablesssdauth --disablesssd --updateall --enableforcelegacy
