{"id":4771,"date":"2019-11-15T23:19:19","date_gmt":"2019-11-15T20:19:19","guid":{"rendered":"https:\/\/kifarunix.com\/?p=4771"},"modified":"2024-03-12T23:13:43","modified_gmt":"2024-03-12T20:13:43","slug":"configure-sssd-for-openldap-authentication-on-centos-8","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/configure-sssd-for-openldap-authentication-on-centos-8\/","title":{"rendered":"Configure SSSD for OpenLDAP Authentication on CentOS 8"},"content":{"rendered":"\n
In this guide, we are going to demonstrate how to configure SSSD for OpenLDAP Authentication on CentOS 8. In our previous guides, we have covered how to install and set up OpenLDAP on CentOS 8 as well as how to configure sudo via OpenLDAP. See the links below;<\/p>\n\n\n\n
Install and Setup OpenLDAP on CentOS 8<\/a><\/p>\n\n\n\n How to Configure SUDO via OpenLDAP Server<\/a><\/p>\n\n\n\n SSSD<\/a> is an acronym for System Security Services Daemon. It provides access to different identity and authentication providers.<\/p>\n\n\n\n In this demo, we are using OpenLDAP as our directory as well as our identity management server.<\/p>\n\n\n\n To update your system packages, execute the command below;<\/p>\n\n\n\n Once the system update is done, proceed to install SSSD and the SSSD tools.<\/p>\n\n\n\n Next, configure SSSD to allow authentication to your local system via OpenLDAP.<\/p>\n\n\n\n SSSD doesn’t usually ship with any default configuration file. As such, you need to create and configure it manually.<\/p>\n\n\n\n Paste the content below into the sssd.conf<\/strong> file. Be sure to make the relevant substitutions, replacing your domain components appropriately.<\/p>\n\n\n\n Save and quit the configuration file. Note that ldap_default_authtok holds the bind account’s password in clear text, so use a dedicated read-only bind account and keep the file readable by root only; that is also what the configuration check later in this guide enforces. With a plain ldap:\/\/ URI, ldap_id_use_start_tls = True together with ldap_tls_reqcert = demand is what keeps that password off the wire and stops a spoofed server from answering, so do not drop either setting.<\/p>\n\n\n\n Note that we have also configured our OpenLDAP server to provide sudo rights as shown by the configurations;<\/p>\n\n\n\n If you are not using OpenLDAP for sudo rules<\/strong>, you can remove these configurations.<\/p>\n\n\n\n Next, download the OpenLDAP server CA certificate and store it in the file specified by the Copy the certificate and paste it into the Next, open the Basically, you need to define the location of the CA certificate, the OpenLDAP search base, the URI and, if you are providing sudo via OpenLDAP, the SUDOers base.<\/p>\n\n\n\n Save and quit the configuration file.<\/p>\n\n\n\n Next, you need to update NSS and PAM to use SSSD to manage authentication resources.<\/p>\n\n\n\n In previous versions of CentOS, you would use tools like The authselect command, when used to create an SSSD profile, modifies these files;<\/p>\n\n\n\n Therefore, make a backup of these files just in case things don’t work out. 
Once you have backed up these files, remove them.<\/p>\n\n\n\n Create an SSSD profile. This command will succeed only if you have removed the files above.<\/p>\n\n\n\n Otherwise, you can overwrite the files by adding the Next, for the system to fetch sudo rights from SSSD\/OpenLDAP, edit the You can simply echo the line into the configuration file as shown below;<\/p>\n\n\n\n To enable automatic home directory creation for a user upon first login, you need to install the Start and enable oddjobd to run on system boot.<\/p>\n\n\n\n Load the Restart oddjobd.<\/p>\n\n\n\n Before you can start SSSD, check the configuration for typos and for file permissions;<\/p>\n\n\n\n As per the check output, set the read\/write access to The configuration is now done. Start and enable SSSD to run on system boot.<\/p>\n\n\n\n Check the status.<\/p>\n\n\n\n Assuming that you have already created your OpenLDAP users and groups (if not, check our guide on setting up OpenLDAP server on CentOS 8<\/a>), verify that you can log in.<\/p>\n\n\n\n First, confirm that you can see your LDAP username on your system using You should get an entry similar to;<\/p>\n\n\n\n If you cannot get the above output, check the system journal (journalctl -u sssd) as well as the SSSD logs under \/var\/log\/sssd\/; raising debug_level in the [domain\/default] section makes those logs far more useful. Otherwise, you can restart sssd;<\/p>\n\n\n\n Check the user again using If all is well, perform a local SSH login to test your LDAP authentication.<\/p>\n\n\n\n First, if you have assigned the user sudo rights, you can check by running the command below on your OpenLDAP server. 
Replace the domain components accordingly.<\/p>\n\n\n\n Next, on the client, try sudo.<\/p>\n\n\n\n If you have any thoughts about this guide, don’t hesitate to drop them in the comments section.<\/p>\n\n\n\n How to Create OpenLDAP Member Groups<\/a><\/p>\n\n\n\n Configure SSSD for OpenLDAP Client Authentication on Debian 10\/9<\/a><\/p>\n\n\n\n Setup OpenLDAP Server with SSL\/TLS on Debian 10<\/a><\/p>\n\n\n\n Install and Configure OpenLDAP server on Fedora 29<\/a><\/p>\n\n\n\n Configure OpenLDAP Client on Debian 9 Stretch<\/a><\/p>\n\n\n\nConfiguring SSSD for OpenLDAP Authentication on CentOS 8<\/h2>\n\n\n\n
Run system update<\/h3>\n\n\n\n
dnf update<\/code><\/pre>\n\n\n\n
Install SSSD on CentOS 8<\/h3>\n\n\n\n
dnf install sssd sssd-tools<\/code><\/pre>\n\n\n\n
Configuring SSSD for OpenLDAP Authentication on CentOS 8<\/h3>\n\n\n\n
vim \/etc\/sssd\/sssd.conf<\/code><\/pre>\n\n\n\n
\n[sssd]\nservices = nss, pam, sudo\nconfig_file_version = 2\ndomains = default\n\n[sudo]\n\n[nss]\n\n[pam]\noffline_credentials_expiration = 60\n\n[domain\/default]\nldap_id_use_start_tls = True\ncache_credentials = True\nldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com\nid_provider = ldap\nauth_provider = ldap\nchpass_provider = ldap\naccess_provider = ldap\nsudo_provider = ldap\nldap_uri = ldap:\/\/ldapmaster.kifarunix-demo.com\nldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\nldap_default_authtok = P@ssWOrd\nldap_tls_reqcert = demand\nldap_tls_cacert = \/etc\/pki\/tls\/cacert.crt\nldap_tls_cacertdir = \/etc\/pki\/tls\nldap_search_timeout = 50\nldap_network_timeout = 60\nldap_sudo_search_base = ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com\nldap_access_order = filter\nldap_access_filter = (objectClass=posixAccount)\n<\/code><\/pre>\n\n\n\n
\nservices = nss, pam, sudo<\/strong>\n...\n\n[sudo]<\/strong>\n...\n\nldap_sudo_search_base = ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/strong>\n<\/code><\/pre>\n\n\n\n
ldap_tls_cacert<\/code> directive in the sssd.conf file above. Fetching it from the live server, as the command below does, is trust-on-first-use: whoever answers on port 636 at that moment decides what this client will trust from then on, so compare the certificate’s SHA-256 fingerprint (openssl x509 -noout -fingerprint -sha256) with the copy held on the LDAP server, or copy the CA file from the server over a trusted channel instead. With -showcerts the server’s whole chain is printed, leaf first; the CA certificate is the last PEM block, and only if that block is self-signed, since a server is not obliged to send its root. Keep in mind that openssl x509 decodes only the first PEM block it reads, which is the server’s own certificate and not a trust anchor, so look at the raw -showcerts output to find the CA block.<\/p>\n\n\n\n
openssl s_client -connect ldapmaster.kifarunix-demo.com:636 -showcerts < \/dev\/null 2>\/dev\/null | awk '\/BEGIN CERTIFICATE\/,\/END CERTIFICATE\/'<\/code><\/pre>\n\n\n\n
\/etc\/pki\/tls\/cacert.crt<\/code><\/strong>.<\/p>\n\n\n\n
vim \/etc\/pki\/tls\/cacert.crt<\/code><\/pre>\n\n\n\n
-----BEGIN CERTIFICATE-----\nMIIFxzCCA6+gAwIBAgIUV+l4aOvMCLlNQRKOpt9YfxcxA8MwDQYJKoZIhvcNAQEL\nBQAwczELMAkGA1UEBhMCS0UxEDAOBgNVBAgMB05haXJvYmkxDDAKBgNVBAcMA05h\n...\n...\n5deiMlJkrYv7wZ0prq0QO5lduGBuD9UJvRa8LBV0GEAiHZL5PJOnREHObbAH907E\neixIJpkcC4wguMaXDNqIv6WGdQtRUyIP8tdByXYJGrbRW0K\/K9qEaIZhJiAES1Qy\n8U96RdYBpLvDctRch1kIfvnAVffTxmObAGI9n64O89p48kocJwNI\/XQNRg==\n-----END CERTIFICATE-----<\/code><\/pre>\n\n\n\n
\/etc\/openldap\/ldap.conf<\/code> configuration file and configure it as follows;<\/p>\n\n\n\n
vim \/etc\/openldap\/ldap.conf<\/code><\/pre>\n\n\n\n
BASE dc=ldapmaster,dc=kifarunix-demo,dc=com\nURI ldaps:\/\/ldapmaster.kifarunix-demo.com:636\nSUDOERS_BASE ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com\n...\n...\nTLS_CACERT \/etc\/pki\/tls\/cacert.crt\n...<\/code><\/pre>\n\n\n\n
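The CA extraction above is done by eye: run s_client, find the right block, paste it. As an added example that is not part of the original guide, the POSIX shell functions below do that step mechanically on the -showcerts output: count the PEM blocks, pull out the last one (the highest certificate the server sent) and check from the s_client chain listing whether that top block is self-signed, i.e. whether it really is the CA rather than an intermediate that should not be pinned as a trust anchor. SAMPLE_CHAIN is a constructed placeholder transcript using the guide's hostnames, not real certificate data, so the script runs offline with only awk, grep and sed; save_ca and its 0644 mode are my choice, not something the guide specifies.

```shell
#!/bin/sh
# Added example, not from the original guide: pick the CA certificate out of
# what "openssl s_client -showcerts" prints. The chain is printed leaf first,
# so the trust anchor for ldap_tls_cacert / TLS_CACERT is the LAST PEM block,
# and only if that block is self-signed: a server is not obliged to send its
# root. SAMPLE_CHAIN is a constructed placeholder transcript, not real
# certificate data.

SAMPLE_CHAIN='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = ldapmaster.kifarunix-demo.com
   i:CN = kifarunix-demo CA
-----BEGIN CERTIFICATE-----
LEAFCERTBODYPLACEHOLDER
-----END CERTIFICATE-----
 1 s:CN = kifarunix-demo CA
   i:CN = kifarunix-demo CA
-----BEGIN CERTIFICATE-----
CACERTBODYPLACEHOLDER
-----END CERTIFICATE-----
---
Server certificate'

# pem_count: number of PEM certificate blocks on stdin
pem_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$'
}

# pem_nth N: print only the N-th PEM block (1-based) from stdin
pem_nth() {
    awk -v want="$1" '
        /^-----BEGIN CERTIFICATE-----$/ { n++ }
        n == want { print }
        /^-----END CERTIFICATE-----$/ && n == want { exit }
    '
}

# pem_last: the last PEM block on stdin, i.e. the highest certificate the
# server sent and therefore the candidate CA
pem_last() {
    chain=$(cat)
    n=$(printf '%s\n' "$chain" | pem_count)
    printf '%s\n' "$chain" | pem_nth "$n"
}

# chain_top_self_signed: succeed only if the last entry in the s_client chain
# listing has subject == issuer, i.e. the server really sent its root CA.
# If this fails, the last block is an intermediate; get the CA out of band.
chain_top_self_signed() {
    awk '
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj = $0 }
        /^ *i:/        { sub(/^ *i:/, "");        iss  = $0 }
        END { if (subj != "" && subj == iss) exit 0; exit 1 }
    '
}

# save_ca DEST: store the CA block from stdin at DEST. A CA certificate is
# public, so 0644 is fine; only private keys need protecting, and none of
# them live on the client.
save_ca() {
    pem_last > "$1" && chmod 644 "$1"
}

# Stand-alone demo on the constructed transcript
if printf '%s\n' "$SAMPLE_CHAIN" | chain_top_self_signed; then
    printf '%s\n' "$SAMPLE_CHAIN" | pem_last
else
    echo "server did not send a self-signed root; obtain the CA out of band" >&2
fi
```

Against a real server, feed the s_client output to the functions, e.g. `openssl s_client -connect ldapmaster.kifarunix-demo.com:636 -showcerts < /dev/null 2>/dev/null | save_ca /etc/pki/tls/cacert.crt`, but only after chain_top_self_signed has passed on the same output and the fingerprint has been compared with the copy on the server.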
Configure Name Service Switch and PAM on CentOS 8<\/h3>\n\n\n\n
authconfig<\/strong><\/code> but this has since been replaced by tools like
authselect<\/strong><\/code>.<\/p>\n\n\n\n
Authselect<\/code> is a utility that simplifies the configuration of user authentication, especially when SSSD is the authentication backend.<\/p>\n\n\n\n
Configure SSSD Profile<\/h4>\n\n\n\n
\n
authselect select sssd<\/code><\/pre>\n\n\n\n
--force<\/code> option.<\/p>\n\n\n\n
authselect select sssd --force<\/code><\/pre>\n\n\n\n
Backup stored at \/var\/lib\/authselect\/backups\/2019-12-08-19-05-16.yMO4TA\nProfile \"sssd\" was selected.\nThe following nsswitch maps are overwritten by the profile:\n- passwd\n- group\n- netgroup\n- automount\n- services\n\nMake sure that SSSD service is configured and enabled. See SSSD documentation for more information.<\/code><\/pre>\n\n\n\n
\/etc\/nsswitch.conf<\/code> to include the line below. Note that authselect generates nsswitch.conf from the selected profile, so a line appended by hand is reported by authselect check and dropped the next time the profile is applied; the durable equivalent is the profile’s with-sudo feature (authselect select sssd with-sudo --force), which adds the same sudoers map.<\/p>\n\n\n\n
sudoers: files sss<\/code><\/pre>\n\n\n\n
echo \"sudoers: files sss\" >> \/etc\/nsswitch.conf<\/code><\/pre>\n\n\n\n
Configure Automatic Home Directory Creation<\/h3>\n\n\n\n
oddjob-mkhomedir<\/strong><\/code>, which provides the
pam_oddjob_mkhomedir<\/strong><\/code> module to create a home directory for a user at login-time.<\/p>\n\n\n\n
dnf install oddjob-mkhomedir<\/code><\/pre>\n\n\n\n
systemctl enable --now oddjobd<\/code><\/pre>\n\n\n\n
pam_oddjob_mkhomedir<\/strong><\/code> module in PAM auth file
\/etc\/pam.d\/system-auth<\/code> to enable auto home directory creation. The umask argument sets the mode of the new home directory: 0077 keeps it private to the user, whereas 0022 leaves it world-readable. As with nsswitch.conf, system-auth is generated by authselect, so a hand-added line is flagged by authselect check and lost when the profile is re-applied; the profile’s with-mkhomedir feature (authselect select sssd with-mkhomedir --force) adds the same module durably and still requires oddjobd to be running.<\/p>\n\n\n\n
echo \"session optional pam_oddjob_mkhomedir.so skel=\/etc\/skel\/ umask=0022\" >> \/etc\/pam.d\/system-auth<\/code><\/pre>\n\n\n\n
systemctl restart oddjobd<\/code><\/pre>\n\n\n\n
Running SSSD<\/h3>\n\n\n\n
sssctl config-check<\/code><\/pre>\n\n\n\n
File ownership and permissions check failed. Expected root:root and 0600.<\/code><\/pre>\n\n\n\n
\/etc\/sssd\/<\/code> so that only the owner (root) can read and write it. SSSD expects sssd.conf to be owned by root with mode 0600, and the directory must keep its execute bit to stay traversable, so set the directory to 0700 and the file to 0600 rather than running chmod 600 recursively.<\/p>\n\n\n\n
chown -R root: \/etc\/sssd<\/code><\/pre>\n\n\n\n
chmod 700 \/etc\/sssd && chmod 600 \/etc\/sssd\/sssd.conf<\/code><\/pre>\n\n\n\n
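The [domain/default] block of sssd.conf earlier in the guide and the ownership that sssctl config-check insists on are the two places where this setup is easy to weaken without noticing. As an added example that is not part of the original guide, the POSIX shell script below audits a copy of sssd.conf for both: it fails on an ldap_tls_reqcert other than demand, on a plain ldap:// URI without ldap_id_use_start_tls, and on a missing ldap_tls_cacert; it warns about the clear-text bind password and about an access filter that admits every posixAccount in the directory; and conf_perms_ok checks for root:root 0600. The two configs that sample_conf writes are constructed for the demo with the guide's DNs; the linux-login group DN in the stricter access filter is an assumption and would need the memberof overlay on the OpenLDAP server. Only awk, mktemp and GNU stat are assumed on the host.

```shell
#!/bin/sh
# Added example, not from the original guide: pre-flight audit of sssd.conf
# for the LDAP transport/verification settings and the root:root 0600
# ownership that "sssctl config-check" enforces. sample_conf writes two
# constructed configs for the demo; the group DN in the "good" filter is an
# assumption and needs the memberof overlay on the server.

# conf_get FILE KEY: value of "KEY = value" in FILE (last occurrence wins)
conf_get() {
    awk -v key="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, key) == 1 && substr(line, length(key) + 1) ~ /^[ \t]*=/ {
            v = substr(line, index(line, "=") + 1)
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
        }
        END { print v }
    ' "$1"
}

# conf_perms_ok [FILE]: root:root and mode 0600, the sssctl config-check rule
conf_perms_ok() {
    [ "$(stat -c '%u:%g:%a' "${1:-/etc/sssd/sssd.conf}")" = "0:0:600" ]
}

# audit_settings FILE: print findings; return the number of hard failures
audit_settings() {
    f=$1
    fails=0
    reqcert=$(conf_get "$f" ldap_tls_reqcert)
    case $reqcert in
        demand|hard) ;;
        *) echo "FAIL: ldap_tls_reqcert=${reqcert:-unset}; only 'demand' rejects a forged server certificate"
           fails=$((fails + 1)) ;;
    esac
    uri=$(conf_get "$f" ldap_uri)
    starttls=$(conf_get "$f" ldap_id_use_start_tls)
    case $uri in
        ldaps://*) ;;
        *) case $starttls in
               [Tt]rue) ;;
               *) echo "FAIL: $uri without ldap_id_use_start_tls=True sends the bind DN password and every lookup in clear text"
                  fails=$((fails + 1)) ;;
           esac ;;
    esac
    if [ -z "$(conf_get "$f" ldap_tls_cacert)" ]; then
        echo "FAIL: ldap_tls_cacert is unset; certificate checking has no trust anchor"
        fails=$((fails + 1))
    fi
    if [ -n "$(conf_get "$f" ldap_default_authtok)" ]; then
        echo "WARN: ldap_default_authtok is a clear-text bind password; keep the bind DN read-only and the file 0600"
    fi
    if [ "$(conf_get "$f" ldap_access_filter)" = "(objectClass=posixAccount)" ]; then
        echo "WARN: ldap_access_filter admits every posixAccount in the directory; restrict it to a login group"
    fi
    return $fails
}

# sample_conf good|weak: constructed sssd.conf for the demo (not the guide's)
sample_conf() {
    case $1 in
        good) reqcert=demand; starttls=True
              filter='(&(objectClass=posixAccount)(memberOf=cn=linux-login,ou=Groups,dc=ldapmaster,dc=kifarunix-demo,dc=com))' ;;
        *)    reqcert=never; starttls=False
              filter='(objectClass=posixAccount)' ;;
    esac
    cat <<EOF
[sssd]
services = nss, pam, sudo
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldap://ldapmaster.kifarunix-demo.com
ldap_id_use_start_tls = $starttls
ldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = P@ssWOrd
ldap_tls_reqcert = $reqcert
ldap_tls_cacert = /etc/pki/tls/cacert.crt
ldap_access_order = filter
ldap_access_filter = $filter
EOF
}

# Stand-alone demo: audit both constructed configs
for kind in good weak; do
    tmp=$(mktemp)
    sample_conf "$kind" > "$tmp"
    echo "== $kind =="
    audit_settings "$tmp" || echo "$kind: $? hard failure(s)"
    rm -f "$tmp"
done
```

On the real host, run it as root before enabling the service: `audit_settings /etc/sssd/sssd.conf && conf_perms_ok /etc/sssd/sssd.conf`; a non-zero return means at least one FAIL line was printed and the configuration should not go live as it stands.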
systemctl enable --now sssd<\/code><\/pre>\n\n\n\n
systemctl status sssd<\/code><\/pre>\n\n\n\n
\n\u25cf sssd.service - System Security Services Daemon\n Loaded: loaded (\/usr\/lib\/systemd\/system\/sssd.service; enabled; vendor preset: enabled)\n Active: active (running) since Sun 2019-12-08 16:57:07 EAT; 42min ago\n Main PID: 779 (sssd)\n Tasks: 3 (limit: 5073)\n Memory: 60.6M\n CGroup: \/system.slice\/sssd.service\n \u251c\u2500779 \/usr\/sbin\/sssd -i --logger=files\n \u251c\u2500800 \/usr\/libexec\/sssd\/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files\n \u2514\u2500801 \/usr\/libexec\/sssd\/sssd_nss --uid 0 --gid 0 --logger=files\n<\/code><\/pre>\n\n\n\n
Test OpenLDAP Authentication via SSSD<\/h3>\n\n\n\n
id<\/code> command.<\/p>\n\n\n\n
id johndoe<\/code><\/pre>\n\n\n\n
uid=1002(johndoe) gid=1002(johndoe) groups=1002(johndoe)<\/code><\/pre>\n\n\n\n
systemctl restart sssd<\/code><\/pre>\n\n\n\n
id<\/code> command.<\/p>\n\n\n\n
ssh -l johndoe localhost<\/code><\/pre>\n\n\n\n
The authenticity of host 'localhost (::1)' can't be established.\nECDSA key fingerprint is SHA256:iMRNJQa8gU0t6fHx6nzmAU+ZygA\/3J2BC6zzwzqfY4o.\nAre you sure you want to continue connecting (yes\/no)? yes\nWarning: Permanently added 'localhost' (ECDSA) to the list of known hosts.\njohndoe@localhost's password: \n[johndoe@centos8 ~]$ pwd\n\/home\/johndoe<\/code><\/pre>\n\n\n\n
Verify that you have sudo rights<\/h3>\n\n\n\n
export SUDOERS_BASE=ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/code><\/pre>\n\n\n\n
ldapsearch -b \"$SUDOERS_BASE\" -D cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com -W -x<\/code><\/pre>\n\n\n\n
\n...\n# sudo, SUDOers, ldapmaster.kifarunix-demo.com\ndn: cn=sudo,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: top\nobjectClass: sudoRole\ncn: sudo\nsudoUser: johndoe\nsudoHost: ALL\nsudoRunAsUser: ALL\nsudoCommand: ALL\n...\n<\/code><\/pre>\n\n\n\n
[johndoe@centos8 ~]$ sudo su -<\/code><\/pre>\n\n\n\n
\nWe trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n #1) Respect the privacy of others.\n #2) Think before you type.\n #3) With great power comes great responsibility.\n\n[sudo] password for johndoe: \nLast login: Sun Dec 8 22:49:47 EAT 2019 from 192.168.56.1 on pts\/0\n[root@centos8 ~]#\n<\/code><\/pre>\n\n\n\n
Other Related Tutorials<\/h3>\n\n\n\n