{"id":4117,"date":"2019-09-18T23:02:00","date_gmt":"2019-09-18T20:02:00","guid":{"rendered":"https:\/\/kifarunix.com\/?p=4117"},"modified":"2023-08-09T10:02:58","modified_gmt":"2023-08-09T07:02:58","slug":"configure-sssd-for-openldap-client-authentication-on-debian","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/configure-sssd-for-openldap-client-authentication-on-debian\/","title":{"rendered":"Configure SSSD for OpenLDAP Client Authentication on Debian 12\/11\/10\/9"},"content":{"rendered":"\n<p>In this guide, we are going to learn how to configure SSSD for OpenLDAP client authentication on Debian 12\/11\/10\/9. <a aria-label=\"SSSD (opens in a new tab)\" href=\"https:\/\/access.redhat.com\/documentation\/en-us\/red_hat_enterprise_linux\/7\/html\/system-level_authentication_guide\/sssd\" target=\"_blank\" rel=\"noreferrer noopener\">SSSD<\/a> is an acronym for System Security Services Daemon, and it provides local services with access to different identity and authentication providers.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#why-sssd\">Why SSSD?<\/a><\/li><li><a href=\"#configure-sssd-for-open-ldap-client-authentication-on-debian-12-11-10-9\">Configure SSSD for OpenLDAP Client Authentication on Debian 12\/11\/10\/9<\/a><ul><li><a href=\"#configure-open-ldap-server-bind-dn-for-read-access\">Configure OpenLDAP Server BIND DN for Read Access<\/a><ul><li><a href=\"#create-open-ldap-read-only-bind-dn\">Create OpenLDAP ReadOnly BIND DN<\/a><\/li><li><a href=\"#create-open-ldap-access-control-lists\">Create OpenLDAP Access Control Lists<\/a><\/li><\/ul><\/li><li><a href=\"#configure-sssd-for-open-ldap-client-authentication\">Configure SSSD for OpenLDAP Client Authentication<\/a><ul><li><a href=\"#run-system-update\">Run System Update<\/a><\/li><li><a href=\"#install-sssd-and-required-packages\">Install SSSD and Required Packages<\/a><\/li><li><a href=\"#create-sssd-configuration-file-on-ldap-client\">Create SSSD Configuration File On LDAP Client<\/a><\/li><li><a href=\"#configure-automatic-home-creation-for-open-ldap-users\">Configure Automatic Home Creation for OpenLDAP Users<\/a><\/li><li><a href=\"#verify-open-ldap-authentication-using-sssd\">Verify OpenLDAP Authentication using SSSD<\/a><\/li><\/ul><\/li><li><a href=\"#related-tutorials\">Related Tutorials<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"why-sssd\">Why SSSD?<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Support for multiple authentication mechanisms:<\/strong> SSSD allows a local service to check with a local cache in SSSD that can be populated from any remote&nbsp;identity provider, such as an OpenLDAP directory.<\/li>\n\n\n\n<li><strong>Improved performance<\/strong>: SSSD also caches users and credentials, such that if the local system&nbsp;or&nbsp;the identity provider goes offline, the user credentials are still available for services to verify. This can also reduce the load on the identity server.&nbsp;<\/li>\n\n\n\n<li><strong>Increased Security<\/strong>: SSSD authenticates users only over an encrypted channel, which is a plus when it comes to LDAP user account security.<\/li>\n\n\n\n<li><strong>Scalability and Flexibility<\/strong>: OpenLDAP, combined with SSSD, offers scalability and flexibility for growing environments. 
You can easily add or remove user accounts, manage user attributes, and adjust access permissions across multiple systems simultaneously, without the need to configure each system individually.<\/li>\n<\/ul>\n\n\n\n<p>Hence, to proceed with this guide, you need to have configured OpenLDAP over SSL\/TLS.<\/p>\n\n\n\n<p>Check our guides on how to <a href=\"https:\/\/kifarunix.com\/?s=install+openldap\" target=\"_blank\" rel=\"noreferrer noopener\">install and set up an OpenLDAP server with SSL\/TLS<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"configure-sssd-for-open-ldap-client-authentication-on-debian-12-11-10-9\">Configure SSSD for OpenLDAP Client Authentication on Debian 12\/11\/10\/9<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-open-ldap-server-bind-dn-for-read-access\">Configure OpenLDAP Server BIND DN for Read Access<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-open-ldap-read-only-bind-dn\">Create OpenLDAP ReadOnly BIND DN<\/h4>\n\n\n\n<p>Before you can configure SSSD for OpenLDAP client authentication, you need to create a read-only user on the LDAP server. SSSD binds as this user in order to look up the accounts of the users it authenticates.<\/p>\n\n\n\n<p>Binding is the step where the LDAP server authenticates the client and, if the client is successfully authenticated, allows the client access to the LDAP server based on that client&#8217;s privileges.<\/p>\n\n\n\n<p>If you don&#8217;t already have a read-only BIND DN set on your OpenLDAP server, then proceed to run the <strong>commands below on the OpenLDAP server.<\/strong><\/p>\n\n\n\n<p>Create the LDIF file with the read-only user attributes. In this case, we created the BIND user called <code>readonly<\/code>.<\/p>\n\n\n\n<p>Replace the domain names accordingly. The <code>simpleSecurityObject<\/code> object class requires a <code>userPassword<\/code> attribute, so the LDIF carries a placeholder value that is replaced with the real password in a later step.<\/p>\n\n\n\n<pre class=\"scroll-sz\"><code>\ncat > ldap-readonly-user.ldif &lt;&lt; 'EOL'\ndn: cn=readonly,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\ncn: readonly\nobjectClass: simpleSecurityObject\nobjectClass: organizationalRole\n# simpleSecurityObject requires userPassword; this placeholder is replaced with ldappasswd below\nuserPassword: CHANGE_ME_PLACEHOLDER\nEOL\n<\/code><\/pre>\n\n\n\n<p>Next, add the readonly user to the slapd database.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapadd -H ldapi:\/\/\/ -f ldap-readonly-user.ldif \\\n-D \"cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com\" -W -x<\/pre>\n\n\n\n<p>Set the password for the <code>readonly<\/code> user created above. This replaces the placeholder value from the LDIF.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ldappasswd -x -D \"cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com\" \\\n-W -S cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-open-ldap-access-control-lists\">Create OpenLDAP Access Control Lists<\/h4>\n\n\n\n<p>Similarly, if you don't already have ACLs in place, create the access control list for the read-only BIND DN created above. 
We are simply going to modify the existing OpenLDAP default ACLs.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > readonly-user_access.ldif &lt;&lt; 'EOL'\ndn: olcDatabase={1}mdb,cn=config\nchangetype: modify\nreplace: olcAccess\nolcAccess: {0}to attrs=userPassword,shadowLastChange\n  by dn=\"cn=admin,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com\" write\n  by dn=\"cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com\" read\n  by self write\n  by anonymous auth\n  by * none\nolcAccess: {1}to dn.base=\"\" by * read\nolcAccess: {2}to *\n  by dn=\"cn=admin,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com\" write\n  by dn=\"cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com\" read\n  by self write\n  by anonymous auth\n  by * none\nEOL\n<\/code><\/pre>\n\n\n\n<p>Apply the LDIF to the <code>cn=config<\/code> database with <code>ldapmodify<\/code>, binding over <code>ldapi:\/\/\/<\/code> with <code>-Y EXTERNAL<\/code> in the same way as the confirmation search below. With these rules, the <code>readonly<\/code> user is allowed to read the entries under the base DN, <code>ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/code>. Note that the first rule also lets the <code>readonly<\/code> DN read <code>userPassword<\/code> hashes; SSSD authenticates users by binding as them, so that grant is not needed by SSSD and widens what a leaked bind password exposes.<\/p>\n\n\n\n<p>To confirm the ACLs, run the command below.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">ldapsearch -Q -LLL -Y EXTERNAL \\\n-H ldapi:\/\/\/ -b cn=config '(olcDatabase={1}mdb)' olcAccess<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\ndn: olcDatabase={1}mdb,cn=config\nolcAccess: {0}to attrs=userPassword,shadowLastChange by dn=\"cn=admin,ou=People\n ,dc=ldapmaster,dc=kifarunix-demo,dc=com\" write by dn=\"cn=readonly,ou=People,d\n c=ldapmaster,dc=kifarunix-demo,dc=com\" read by self write by anonymous auth b\n y * none\nolcAccess: {1}to dn.base=\"\" by * read\nolcAccess: {2}to * by dn=\"cn=admin,ou=People,dc=ldapmaster,dc=kifarunix-demo,d\n c=com\" write by dn=\"cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=\n com\" read by self write by anonymous auth by * none\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-sssd-for-open-ldap-client-authentication\">Configure SSSD for OpenLDAP Client Authentication<\/h3>\n\n\n\n<p><strong>The next commands are run on the OpenLDAP 
Client<\/strong>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"run-system-update\">Run System Update<\/h4>\n\n\n\n<p>Update system package cache;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">apt update<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"install-sssd-and-required-packages\">Install SSSD and Required Packages<\/h4>\n\n\n\n<p>Run the command below to install SSSD on Debian 12\/11\/10\/9 and other required packages.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">apt install sssd libpam-sss libnss-sss sssd-tools libsss-sudo<\/pre>\n\n\n\n<p>Once the installation is done, proceed to configure SSSD for OpenLDAP client authentication.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-sssd-configuration-file-on-ldap-client\">Create SSSD Configuration File On LDAP Client<\/h4>\n\n\n\n<p>Create the SSSD configuration file under the <code>\/etc\/sssd<\/code> directory with the content below.<\/p>\n\n\n\n<p>Replace the domain names accordingly.<\/p>\n\n\n\n<p>Ensure that the OpenLDAP server is reachable by hostname as defined in the SSSD configuration file.<\/p>\n\n\n\n<p>Replace the BIND password accordingly as well.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\ncat > \/etc\/sssd\/sssd.conf &lt;&lt; 'EOF'\n[sssd]\nservices = nss, pam\nconfig_file_version = 2\ndomains = default\n\n[nss]\noverride_shell = \/bin\/bash\n\n[pam]\noffline_credentials_expiration = 60\n\n[domain\/default]\nldap_id_use_start_tls = True\ncache_credentials = True\nldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com\nid_provider = ldap\nauth_provider = ldap\nchpass_provider = ldap\nldap_uri = ldap:\/\/ldapmaster.kifarunix-demo.com\nldap_default_bind_dn = cn=readonly,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com\nldap_default_authtok = BIND_PASS\nldap_tls_reqcert = never\nldap_tls_cacert = \/etc\/ssl\/openldap\/certs\/cacert.pem\nldap_tls_cacertdir = \/etc\/ssl\/openldap\/certs\nldap_search_timeout = 50\nldap_network_timeout = 60\naccess_provider = 
simple\nldap_access_filter = memberUid=uid=johndoe,ou=People,dc=ldapmaster,dc=kifarunix-demo,dc=com\nEOF\n<\/code><\/pre>\n\n\n\n<p>Two points are worth noting about this configuration. First, <code>ldap_tls_reqcert = never<\/code> makes SSSD accept any server certificate; once the CA certificate has been installed on the client as described below, change it to <code>demand<\/code> so that SSSD rejects a server whose certificate is not signed by that CA. Second, <code>ldap_access_filter<\/code> is only evaluated when <code>access_provider = ldap<\/code>; with <code>access_provider = simple<\/code> it is ignored, and every user is allowed to log in unless <code>simple_allow_users<\/code> or <code>simple_allow_groups<\/code> is set.<\/p>\n\n\n\n<p>If you don't have a DNS server, you can update the hosts file. For example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">echo \"192.168.56.103 ldapmaster.kifarunix-demo.com ldapmaster\" &gt;&gt; \/etc\/hosts<\/pre>\n\n\n\n<p>Next, copy the OpenLDAP server CA certificate to the OpenLDAP client. See the directory specified by the <code>ldap_tls_cacertdir<\/code> option. If you have direct root access to the OpenLDAP server, simply copy it as follows.<\/p>\n\n\n\n<p>Ensure the OpenLDAP certs directory exists. If not, create it.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">[[ -d \/etc\/ssl\/openldap\/certs ]] || mkdir -p \/etc\/ssl\/openldap\/certs<\/pre>\n\n\n\n<p>Next, copy the CA certificate from the OpenLDAP server to the client.<\/p>\n\n\n\n<p>You can simply download the CA cert from the LDAP server. Replace the address accordingly.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">openssl s_client -connect ldapmaster.kifarunix-demo.com:389 \\\n-showcerts -starttls ldap &lt;\/dev\/null 2&gt;\/dev\/null | openssl x509 -outform PEM &gt; \/etc\/ssl\/openldap\/certs\/cacert.pem<\/pre>\n\n\n\n<p>Note that <code>openssl x509<\/code> keeps only the first certificate that <code>s_client<\/code> prints, which is the server certificate itself. That is the CA certificate only when the server uses a self-signed certificate; otherwise copy the actual CA certificate file from the server instead.<\/p>\n\n\n\n<p>Open the <code>\/etc\/ldap\/ldap.conf<\/code> and set the location of the CA certificate file copied from the OpenLDAP server.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">vim \/etc\/ldap\/ldap.conf<\/pre>\n\n\n\n<p>Set the value of <code>TLS_CACERT<\/code> to the path on the OpenLDAP client where the OpenLDAP server CA cert copied above is stored.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>...\n# TLS certificates (needed for GnuTLS)\n#TLS_CACERT     \/etc\/ssl\/certs\/ca-certificates.crt\n<strong>TLS_CACERT      \/etc\/ssl\/openldap\/certs\/cacert.pem<\/strong><\/code><\/pre>\n\n\n\n<p>After that, restrict <code>\/etc\/sssd\/<\/code> to read\/write access for the owner (root) only, since the file contains the bind password.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">chmod 600 -R \/etc\/sssd<\/pre>\n\n\n\n<p>Restart the SSSD service.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl restart sssd<\/pre>\n\n\n\n<p>Check the status of SSSD to ensure that it is running.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">systemctl status sssd<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n\u25cf sssd.service - System Security Services Daemon\n     Loaded: loaded (\/lib\/systemd\/system\/sssd.service; enabled; preset: enabled)\n     Active: active (running) since Fri 2023-07-07 20:39:33 CEST; 2s ago\n   Main PID: 4316 (sssd)\n      Tasks: 4 (limit: 2284)\n     Memory: 44.4M\n        CPU: 162ms\n     CGroup: \/system.slice\/sssd.service\n             \u251c\u25004316 \/usr\/sbin\/sssd -i --logger=files\n             \u251c\u25004317 \/usr\/libexec\/sssd\/sssd_be --domain default --uid 0 --gid 0 --logger=files\n             \u251c\u25004318 \/usr\/libexec\/sssd\/sssd_nss --uid 0 --gid 0 --logger=files\n             \u2514\u25004319 \/usr\/libexec\/sssd\/sssd_pam --uid 0 --gid 0 --logger=files\n\nJul 07 20:39:33 bookworm systemd[1]: Starting sssd.service - System Security Services Daemon...\nJul 07 20:39:33 bookworm sssd[4316]: Starting up\nJul 07 20:39:33 bookworm sssd_be[4317]: Starting up\nJul 07 20:39:33 bookworm sssd_pam[4319]: Starting up\nJul 07 20:39:33 bookworm sssd_nss[4318]: Starting up\nJul 07 20:39:33 bookworm systemd[1]: Started sssd.service - System Security Services Daemon.\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-automatic-home-creation-for-open-ldap-users\">Configure Automatic Home Creation for OpenLDAP Users<\/h4>\n\n\n\n<p>Next, configure <a aria-label=\"Pluggable Authentication Module (PAM) (opens in a new tab)\" href=\"http:\/\/www.linux-pam.org\/Linux-PAM-html\/sag-pam_mkhomedir.html\" target=\"_blank\" rel=\"noreferrer noopener\">Pluggable Authentication Module (PAM)<\/a> to automatically create the user's home directory on first login.<\/p>\n\n\n\n<p>This can be done by editing the 
<code>\/etc\/pam.d\/common-session<\/code> configuration file as follows;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">vim \/etc\/pam.d\/common-session<\/pre>\n\n\n\n<p>Add the line below just after the line <code><strong>session    optional            pam_sss.so<\/strong><\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>session required        pam_mkhomedir.so skel=\/etc\/skel\/ umask=0022<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n...\n# since the modules above will each just jump around\nsession required pam_permit.so\n# and here are more per-package modules (the \"Additional\" block)\nsession required pam_unix.so \nsession optional pam_sss.so \n<strong>session required        pam_mkhomedir.so skel=\/etc\/skel\/ umask=0022<\/strong>\nsession optional pam_systemd.so \n# end of pam-auth-update config\n<\/code><\/pre>\n\n\n\n<p>Save and quit the configuration. Keep in mind that this file is managed by <code>pam-auth-update<\/code>, which regenerates it and can drop manual edits, so re-check the line after any <code>pam-auth-update<\/code> run.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"verify-open-ldap-authentication-using-sssd\">Verify OpenLDAP Authentication using SSSD<\/h4>\n\n\n\n<p>Verify that the LDAP user is resolved through SSSD using the <code>id<\/code> command. 
You should get the user and group id of the user.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">id johndoe<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">uid=10000(johndoe) gid=10000(johndoe) groups=10000(johndoe)<\/pre>\n\n\n\n<p>You can now login as the LDAP user, <code>johndoe<\/code> in this case.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>root@bookworm:~# su - johndoe\n<strong>Creating directory '\/home\/johndoe'.\n<\/strong>johndoe@bookworm:~$<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>johndoe@bookworm:~$ whoami\njohndoe\njohndoe@bookworm:~$ pwd\n\/home\/johndoe\njohndoe@bookworm:~$ <\/code><\/pre>\n\n\n\n<p>Note that <code>su<\/code> run as root does not prompt for a password, so this exercises the NSS lookup and the PAM session (home directory creation) but not the LDAP password check. To verify authentication itself, log in over SSH or run <code>su<\/code> from an unprivileged account and enter the LDAP password.<\/p>\n\n\n\n<p>That brings us to the end of this guide; you have learnt how to configure SSSD for OpenLDAP Client Authentication on Debian 12\/11\/10\/9.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"related-tutorials\">Related Tutorials<\/h3>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-and-configure-openldap-server-on-fedora-29\/\" target=\"_blank\">Install and Configure OpenLDAP server on Fedora 29<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/configure-openldap-client-on-debian-9-stretch\/\" target=\"_blank\">Configure OpenLDAP Client on Debian 9 Stretch<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/kifarunix.com\/install-and-configure-openldap-server-on-debian-9-stretch\/\" target=\"_blank\">Install and Configure OpenLDAP Server on Debian 9 Stretch<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-install-freeipa-server-on-fedora-29-fedora-28-centos7\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">How to Install FreeIPA Server on Fedora 29\/Fedora 28\/CentOS 7<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this guide, we are going to learn how to configure SSSD for OpenLDAP client authentication on 
Debian 12\/11\/10\/9. SSSD is an acronym for System<\/p>\n","protected":false},"author":1,"featured_media":10441,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,285,1099],"tags":[7127,7126,4096,4097,248,286,7128,1131,4098],"class_list":["post-4117","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-directory-server","category-openldap","tag-debian-12-sssd","tag-install-sssd-debian-12","tag-install-sssd-on-debian-10","tag-install-sssd-on-debian-9","tag-ldap","tag-openldap","tag-openldap-sssd-debian-12","tag-sssd","tag-sssd-openldap-client","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4117"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=4117"}],"version-history":[{"count":17,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4117\/revisions"}],"predecessor-version":[{"id":18281,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4117\/revisions\/18281"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/10441"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=4117"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=4117"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=4117"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}