{"id":4922,"date":"2020-01-17T17:45:05","date_gmt":"2020-01-17T14:45:05","guid":{"rendered":"https:\/\/kifarunix.com\/?p=4922"},"modified":"2024-03-14T19:18:10","modified_gmt":"2024-03-14T16:18:10","slug":"configure-sssd-for-openldap-authentication-on-ubuntu-18-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/configure-sssd-for-openldap-authentication-on-ubuntu-18-04\/","title":{"rendered":"Configure SSSD for OpenLDAP Authentication on Ubuntu 18.04"},"content":{"rendered":"\n

In this guide, we are going to learn how to configure SSSD for OpenLDAP Authentication on Ubuntu 18.04. SSSD<\/a> is an acronym for System Security Services Daemon. It provides access to local or remote identity and authentication resources through a common framework that can offer caching and offline support to the system. It also provides several interfaces, including NSS and PAM modules and a D-Bus interface.<\/p>\n\n\n\n

Before you can proceed, ensure that you have a running OpenLDAP server. You can follow the link below to learn how to set up an OpenLDAP server on CentOS 8.<\/p>\n\n\n\n

Install and Setup OpenLDAP on CentOS 8<\/a><\/p>\n\n\n\n

Configuring SSSD for OpenLDAP Authentication<\/h2>\n\n\n\n

In this demo, we are going to set up SSSD on an Ubuntu 18.04 desktop.<\/p>\n\n\n\n

Update your System<\/h3>\n\n\n\n
apt update<\/code><\/pre>\n\n\n\n

Install SSSD and Required Packages<\/h3>\n\n\n\n

Run the command below to install SSSD on Ubuntu 18.04 together with the other required packages (the PAM and NSS modules).<\/p>\n\n\n\n

apt install sssd libpam-sss libnss-sss<\/code><\/pre>\n\n\n\n

Configure SSSD on Ubuntu 18.04<\/h3>\n\n\n\n

Once the installation is done, proceed to configure SSSD for OpenLDAP authentication.<\/p>\n\n\n\n

Create the SSSD configuration file (it is not created by default) with the following content;<\/p>\n\n\n\n

vim \/etc\/sssd\/sssd.conf<\/code><\/pre>\n\n\n\n
[sssd]\nservices = nss, pam\nconfig_file_version = 2\ndomains = default\n\n[sudo]\n\n[nss]\n\n[pam]\n# number of days cached credentials stay usable while the LDAP server is unreachable\noffline_credentials_expiration = 60\n\n[domain\/default]\n# upgrade the plain ldap:\/\/ connection to TLS with STARTTLS before any bind\nldap_id_use_start_tls = True\n# cache credentials so LDAP users can still log in when the server is offline\ncache_credentials = True\nldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com\nid_provider = ldap\nauth_provider = ldap\nchpass_provider = ldap\naccess_provider = ldap\nldap_uri = ldap:\/\/ldapmaster.kifarunix-demo.com\n# read-only account SSSD binds as for lookups; its password is stored here in clear text\nldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\nldap_default_authtok = P@ssWOrd\n# demand: abort the connection unless the server certificate validates against the CA below\nldap_tls_reqcert = demand\nldap_tls_cacert = \/etc\/ssl\/certs\/cacert.crt\nldap_tls_cacertdir = \/etc\/ssl\/certs\nldap_search_timeout = 50\nldap_network_timeout = 60\n# only entries matching the filter are allowed to log in\nldap_access_order = filter\nldap_access_filter = (objectClass=posixAccount)\n<\/code><\/pre>\n\n\n\n

Replace the values above (the search base, the LDAP URI, the bind DN and its password, and the CA certificate path) according to your OpenLDAP setup.<\/p>\n\n\n\n

Read more about the configuration options in man sssd.conf<\/code><\/strong>.<\/p>\n\n\n\n

Save the file and exit.<\/p>\n\n\n\n

Install OpenLDAP Server CA Certificate<\/h3>\n\n\n\n

To perform authentication, SSSD requires that the communication channel be encrypted. This means that the LDAP server must be configured to run with SSL\/TLS using a certificate that the client can verify against a trusted CA.<\/p>\n\n\n\n

Install the LDAP server CA certificate in the file set by the ldap_tls_cacert<\/strong><\/code> directive, \/etc\/ssl\/certs\/cacert.crt<\/code><\/strong>.<\/p>\n\n\n\n

To download the CA certificate from the LDAP server, run the command below. Note that it prints the first certificate the server presents, which is the CA certificate only when the server uses a self-signed certificate; if the server certificate was issued by a separate CA, copy that CA's certificate from the server instead.<\/p>\n\n\n\n

openssl s_client -connect ldapmaster.kifarunix-demo.com:636 -showcerts < \/dev\/null | openssl x509 -text | sed -ne '\/-BEGIN CERTIFICATE-\/,\/-END CERTIFICATE-\/p'<\/code><\/pre>\n\n\n\n

Copy the certificate part;<\/p>\n\n\n\n

-----BEGIN CERTIFICATE-----\nMIIDzzCCAregAwIBAgIUMJkYu\/S+fQbyGjUOLsMoar6owfowDQYJKoZIhvcNAQEL\nBQAwdzELMAkGA1UEBhMCS0UxDDAKBgNVBAgMA05haTEMMAoGA1UEBwwDTmFpMRcw\n...\n...\nJ4VrJYImrnvTNiDGcrXVQhKY2amBPb6g1Mwp5DiHPplvOF63F+Uzx9NFG1DhHMTq\nkqkfQw96SLItvsAXpeosfYkH6uEG36svqAJ6rzxZcJzl3OTrUZnFX3OOsmFeHupC\nQxv7gjfE5jqdD6iQR0cohGLpaA==\n-----END CERTIFICATE-----<\/code><\/pre>\n\n\n\n

Paste in the file, \/etc\/ssl\/certs\/cacert.crt<\/code><\/strong>.<\/p>\n\n\n\n

vim \/etc\/ssl\/certs\/cacert.crt<\/code><\/pre>\n\n\n\n
-----BEGIN CERTIFICATE-----\nMIIDzzCCAregAwIBAgIUMJkYu\/S+fQbyGjUOLsMoar6owfowDQYJKoZIhvcNAQEL\nBQAwdzELMAkGA1UEBhMCS0UxDDAKBgNVBAgMA05haTEMMAoGA1UEBwwDTmFpMRcw\n...\n...\nJ4VrJYImrnvTNiDGcrXVQhKY2amBPb6g1Mwp5DiHPplvOF63F+Uzx9NFG1DhHMTq\nkqkfQw96SLItvsAXpeosfYkH6uEG36svqAJ6rzxZcJzl3OTrUZnFX3OOsmFeHupC\nQxv7gjfE5jqdD6iQR0cohGLpaA==\n-----END CERTIFICATE-----<\/code><\/pre>\n\n\n\n

Next, open \/etc\/ldap\/ldap.conf<\/strong><\/code> and set the value of TLS_CACERT<\/code><\/strong> to the path of the certificate above.<\/p>\n\n\n\n

vim \/etc\/ldap\/ldap.conf<\/code><\/pre>\n\n\n\n
...\n# TLS certificates (needed for GnuTLS)\n#TLS_CACERT     \/etc\/ssl\/certs\/ca-certificates.crt\nTLS_CACERT      \/etc\/ssl\/certs\/cacert.crt<\/strong><\/code><\/pre>\n\n\n\n

Save and close the configuration file.<\/p>\n\n\n\n

After that, restrict \/etc\/sssd\/<\/code> so that only the root user can read and write it. SSSD refuses to start if sssd.conf<\/code> is owned by anyone other than root or is readable by group or other users, and the file holds the bind password in clear text.<\/p>\n\n\n\n

chmod 600 -R \/etc\/sssd<\/code><\/pre>\n\n\n\n
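Before restarting SSSD, it is worth checking that the configuration file really is root-owned and mode 0600 and that the TLS settings above are in place. The script below is an added example written for this guide, not part of the original post or of SSSD itself; it assumes the sssd.conf layout shown above and uses a constructed copy of that configuration, with a placeholder bind password, as its sample input.<\/p>\n\n\n\n

```python
#!/usr/bin/env python3
"""Pre-flight check for /etc/sssd/sssd.conf before restarting SSSD.

Added example (not part of the original guide and not an SSSD tool): it parses
an sssd.conf, checks the ownership and mode SSSD insists on (root, 0600) and
flags domain settings that would weaken LDAP authentication. The file checks
take the mode/uid as plain values so the logic can also run over a string.
"""
import configparser
import os
import stat
import sys

# Constructed sample matching the guide's configuration; the bind password is
# a placeholder, not a real secret.
SAMPLE_CONF = '''\
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]

[pam]
offline_credentials_expiration = 60

[domain/default]
ldap_id_use_start_tls = True
cache_credentials = True
ldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ldap://ldapmaster.kifarunix-demo.com
ldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com
ldap_default_authtok = BIND-PASSWORD-PLACEHOLDER
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/cacert.crt
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
'''


def check_file_mode(mode, uid):
    """Findings about the ownership/permissions of the config file itself."""
    findings = []
    if uid != 0:
        findings.append('sssd.conf must be owned by root')
    if stat.S_IMODE(mode) & 0o077:
        findings.append('sssd.conf is readable by group/other; chmod 600 it, '
                        'it holds ldap_default_authtok in clear text')
    return findings


def check_domain(section):
    """Findings for one [domain/...] section (empty list means no issue found)."""
    findings = []
    uri = section.get('ldap_uri', '')
    start_tls = section.get('ldap_id_use_start_tls', 'false').lower() == 'true'
    if not (uri.startswith('ldaps://') or start_tls):
        findings.append('plain ldap:// without ldap_id_use_start_tls = True: '
                        'credentials would cross the network in clear text')
    if section.get('ldap_tls_reqcert', '').lower() != 'demand':
        findings.append("ldap_tls_reqcert is not 'demand': an unverifiable server "
                        'certificate would not abort the connection')
    if not (section.get('ldap_tls_cacert') or section.get('ldap_tls_cacertdir')):
        findings.append('no ldap_tls_cacert/ldap_tls_cacertdir: the server certificate '
                        'cannot be validated against a trusted CA')
    if section.get('access_provider') == 'ldap' and not section.get('ldap_access_filter'):
        findings.append('access_provider = ldap needs ldap_access_filter with the '
                        'default ldap_access_order = filter')
    return findings


def check_config_text(text, mode=0o600, uid=0):
    """Run every check over the config given as a string; returns a list of findings."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = check_file_mode(mode, uid)
    domains = [d.strip() for d in parser.get('sssd', 'domains', fallback='').split(',')
               if d.strip()]
    if not domains:
        findings.append('[sssd] lists no domains')
    for name in domains:
        sect = 'domain/' + name
        if not parser.has_section(sect):
            findings.append('domain %s is listed but [%s] is missing' % (name, sect))
            continue
        findings.extend('[%s]: %s' % (sect, f) for f in check_domain(parser[sect]))
    return findings


def check_config_file(path='/etc/sssd/sssd.conf'):
    """Read a real sssd.conf and check it together with its on-disk ownership and mode."""
    st = os.stat(path)
    with open(path) as fh:
        text = fh.read()
    return check_config_text(text, st.st_mode, st.st_uid)


if __name__ == '__main__':
    problems = check_config_file(sys.argv[1] if len(sys.argv) > 1 else '/etc/sssd/sssd.conf')
    for p in problems:
        print('WARNING:', p)
    sys.exit(1 if problems else 0)
```

Save it under any name (for instance check_sssd_conf.py, a hypothetical name) and run it as root with python3 check_sssd_conf.py \/etc\/sssd\/sssd.conf; a non-zero exit with WARNING lines means something should be corrected before systemctl restart sssd. Only the file mode, ownership and the domain's TLS and access settings are checked; it does not contact the LDAP server.<\/p>\n\n\n\n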

Restart the SSSD service;<\/p>\n\n\n\n

systemctl restart sssd<\/code><\/pre>\n\n\n\n

Check the status of SSSD to ensure that it is running.<\/p>\n\n\n\n

systemctl status sssd<\/code><\/pre>\n\n\n\n
\u25cf sssd.service - System Security Services Daemon\n   Loaded: loaded (\/lib\/systemd\/system\/sssd.service; enabled; vendor preset: enabled)\n   Active: active (running) since Fri 2020-01-17 14:27:51 EAT; 6s ago\n Main PID: 3033 (sssd)\n    Tasks: 4 (limit: 2315)\n   CGroup: \/system.slice\/sssd.service\n           \u251c\u25003033 \/usr\/sbin\/sssd -i --logger=files\n           \u251c\u25003034 \/usr\/lib\/x86_64-linux-gnu\/sssd\/sssd_be --domain default --uid 0 --gid 0 --logger=files\n           \u251c\u25003035 \/usr\/lib\/x86_64-linux-gnu\/sssd\/sssd_nss --uid 0 --gid 0 --logger=files\n           \u2514\u25003036 \/usr\/lib\/x86_64-linux-gnu\/sssd\/sssd_pam --uid 0 --gid 0 --logger=files\n\nJan 17 14:27:50 amos systemd[1]: Starting System Security Services Daemon...\nJan 17 14:27:51 amos sssd[3033]: Starting up\nJan 17 14:27:51 amos sssd[be[3034]: Starting up\nJan 17 14:27:51 amos sssd[3036]: Starting up\nJan 17 14:27:51 amos sssd[3035]: Starting up\nJan 17 14:27:51 amos systemd[1]: Started System Security Services Daemon.\n<\/code><\/pre>\n\n\n\n

Configure Auto-Home Directory Creation<\/h3>\n\n\n\n

To ensure that a user’s home directory is automatically created on first login, you need to configure the pam_mkhomedir.so<\/code> PAM module as shown below.<\/p>\n\n\n\n

Open the \/etc\/pam.d\/common-session<\/code> configuration file and edit it as follows;<\/p>\n\n\n\n

vim \/etc\/pam.d\/common-session<\/code><\/pre>\n\n\n\n

Add the line below immediately after the line session optional pam_sss.so<\/code>.<\/p>\n\n\n\n

session required        pam_mkhomedir.so skel=\/etc\/skel\/ umask=0022<\/code><\/pre>\n\n\n\n
...\n# The pam_umask module will set the umask according to the system default in\n# \/etc\/login.defs and user settings, solving the problem of different\n# umask settings with different shells, display managers, remote sessions etc.\n# See \"man pam_umask\".\nsession optional                        pam_umask.so\n# and here are more per-package modules (the \"Additional\" block)\nsession required        pam_unix.so\nsession optional                        pam_sss.so\nsession required        pam_mkhomedir.so skel=\/etc\/skel\/ umask=0022<\/strong>\nsession optional        pam_systemd.so\n# end of pam-auth-update config\n...\n<\/code><\/pre>\n\n\n\n

Save and exit the configuration file.<\/p>\n\n\n\n

Verify OpenLDAP authentication via SSH<\/h3>\n\n\n\n

You can now verify that you can log in to your Ubuntu 18.04 system as an LDAP user via SSH.<\/p>\n\n\n\n

Note that the user used here has already been added to our OpenLDAP server.<\/p>\n\n\n\n

ssh johndoe@192.168.56.159<\/code><\/pre>\n\n\n\n
johndoe@192.168.56.159's password: \nCreating directory '\/home\/johndoe'.\nWelcome to Ubuntu 18.04.2 LTS (GNU\/Linux 4.18.0-15-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\n\n450 packages can be updated.\n223 updates are security updates.\n\nYour Hardware Enablement Stack (HWE) is supported until April 2023.\n\nThe programs included with the Ubuntu system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nUbuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by\napplicable law.\n\njohndoe@amos:~$ pwd\n\/home\/johndoe\n<\/code><\/pre>\n\n\n\n

Verify OpenLDAP authentication via GUI<\/h3>\n\n\n\n

In this demo, we are using the default Ubuntu 18.04 GDM display manager.<\/p>\n\n\n\n

On the login interface, click Not listed? to enter your OpenLDAP username and password.<\/p>\n\n\n


Upon successful login, your home directory is auto-created and you land on your desktop.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

You can check out our other tutorials on OpenLDAP by following the links below;<\/p>\n\n\n\n

Install phpLDAPadmin on CentOS 8<\/a><\/p>\n\n\n\n

Configure ownCloud OpenLDAP Authentication<\/a><\/p>\n\n\n\n

Configure OpenLDAP Host Based Authentication<\/a><\/p>\n\n\n\n

How to Create OpenLDAP Member Groups<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

In this guide, we are going to learn how to configure SSSD for OpenLDAP Authentication on Ubuntu 18.04. SSSD is an acronym for System Security<\/p>\n","protected":false},"author":1,"featured_media":10441,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,285,1099],"tags":[4100,1131,1270,1271,1269],"class_list":["post-4922","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-directory-server","category-openldap","tag-install-sssd-on-ubuntu-18-04-2","tag-sssd","tag-sssd-openldap","tag-sssd-openldap-authentication","tag-sssd-ubuntu-18-04","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4922"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=4922"}],"version-history":[{"count":7,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4922\/revisions"}],"predecessor-version":[{"id":21322,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/4922\/revisions\/21322"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/10441"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=4922"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=4922"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=4922"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}