{"id":5434,"date":"2020-04-13T16:51:44","date_gmt":"2020-04-13T13:51:44","guid":{"rendered":"https:\/\/kifarunix.com\/?p=5434"},"modified":"2021-09-17T22:17:18","modified_gmt":"2021-09-17T19:17:18","slug":"configure-openldap-sssd-client-on-centos-6-7","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/configure-openldap-sssd-client-on-centos-6-7\/","title":{"rendered":"Configure OpenLDAP SSSD client on CentOS 6\/7"},"content":{"rendered":"\n<p>Do you have an older CentOS system, CentOS 7 or CentOS 6, and want to enable OpenLDAP authentication? Well, follow through this guide to learn how to configure the OpenLDAP <a href=\"https:\/\/docs.pagure.org\/SSSD.sssd\/\" target=\"_blank\" rel=\"noreferrer noopener\">SSSD<\/a> client on CentOS 6\/7. As you might already know, SSSD offers quite a number of benefits, including;<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Reduced load on identity and authentication servers through caching of authentication information.<\/li><li>Offline authentication through the use of cached user identities and credentials, enabling end users to authenticate to systems even if the remote server is unreachable or the SSSD client is offline.<\/li><li>Improved consistency of the authentication process through a single central user account.<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Configure OpenLDAP SSSD client on CentOS 6\/7<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Setup OpenLDAP Server with TLS\/SSL Support<\/h3>\n\n\n\n<p>Well, you can&#8217;t set up an SSSD client for OpenLDAP authentication without a running OpenLDAP server. Want to run an OpenLDAP server on a CentOS 8 system? 
Follow the link below to set up one;<\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/install-and-setup-openldap-on-centos-8\/\" target=\"_blank\">Install and Setup OpenLDAP on CentOS 8<\/a><\/p>\n\n\n\n<p>Another thing to note is that <strong>SSSD&nbsp;does not&nbsp;support authentication over an unencrypted channel<\/strong>.<\/p>\n\n\n\n<p>To configure the OpenLDAP server with SSL\/TLS support, you can update the OpenLDAP server's TLS certificate attributes as follows;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vi enable-tls.ldif<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\ndn: cn=config\nchangetype: modify\nadd: olcTLSCACertificateFile\nolcTLSCACertificateFile: \/etc\/pki\/tls\/cacert.pem\n-\nadd: olcTLSCertificateKeyFile\nolcTLSCertificateKeyFile: \/etc\/pki\/tls\/ldapserver.key\n-\nadd: olcTLSCertificateFile\nolcTLSCertificateFile: \/etc\/pki\/tls\/ldapserver.crt\n<\/code><\/pre>\n\n\n\n<p><strong>Replace the paths to the CA certificate, server certificate and key accordingly.<\/strong><\/p>\n\n\n\n<p>You can then apply the change to the OpenLDAP configuration database as follows (the file name must match the LDIF you just created);<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapadd -Y EXTERNAL -H ldapi:\/\/\/ -f enable-tls.ldif<\/code><\/pre>\n\n\n\n<p>You can confirm this by running;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>slapcat -b \"cn=config\" | grep olcTLS<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>olcTLSCACertificateFile: \/etc\/pki\/tls\/cacert.pem\nolcTLSCertificateKeyFile: \/etc\/pki\/tls\/ldapserver.key\nolcTLSCertificateFile: \/etc\/pki\/tls\/ldapserver.crt<\/code><\/pre>\n\n\n\n<p>Change the location of the CA certificate in&nbsp;<code>\/etc\/openldap\/ldap.conf<\/code> on the server.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/openldap\/ldap.conf<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>...\n#TLS_CACERT     \/etc\/pki\/tls\/cert.pem\n<strong>TLS_CACERT     
\/etc\/pki\/tls\/cacert.pem<\/strong><\/code><\/pre>\n\n\n\n<p><strong>You should also install the same CA certificate on all of your client machines.<\/strong><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Install SSSD on CentOS 6\/CentOS 7<\/h3>\n\n\n\n<p>To install SSSD and the SSSD userspace tools for manipulating users, groups, and nested groups, run the command below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>yum install sssd sssd-tools<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Configure SSSD for OpenLDAP Authentication<\/h3>\n\n\n\n<p>Once the installation completes, the next step is to configure SSSD for OpenLDAP authentication on CentOS 6\/CentOS 7.<\/p>\n\n\n\n<p>By default, SSSD doesn&#8217;t create a configuration file. As such, you need to create it and define your authentication parameters.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/sssd\/sssd.conf<\/code><\/pre>\n\n\n\n<p>Set up your SSSD LDAP authentication parameters so that the file looks like the one below;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n[sssd]\nservices = nss, pam\nconfig_file_version = 2\ndomains = default\n\n[nss]\n\n[pam]\noffline_credentials_expiration = 60\n\n[domain\/default]\nldap_id_use_start_tls = True\ncache_credentials = True\nldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com\nid_provider = ldap\nauth_provider = ldap\nchpass_provider = ldap\naccess_provider = ldap\nldap_uri = ldap:\/\/ldapmaster.kifarunix-demo.com\nldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\nldap_default_authtok = P@ssWOrd\nldap_tls_reqcert = demand\nldap_tls_cacert = \/etc\/openldap\/certs\/cacert.pem\nldap_search_timeout = 50\nldap_network_timeout = 60\nldap_access_order = filter\nldap_access_filter = (objectClass=posixAccount)\n<\/code><\/pre>\n\n\n\n<p>Set appropriate values for at least the following parameters;<\/p>\n\n\n\n<ul 
class=\"wp-block-list\"><li><code>ldap_search_base<\/code><\/li><li><code>ldap_uri<\/code><\/li><li><code>ldap_default_bind_dn<\/code><\/li><li><code>ldap_default_authtok<\/code><\/li><li><code>ldap_tls_cacert<\/code><\/li><li><code>ldap_access_filter<\/code><\/li><\/ul>\n\n\n\n<p>Download the CA certificate of the OpenLDAP server by running the command below. Note that this prints the certificate the server presents; if that certificate was issued by a separate CA, copy the CA certificate itself (the file set as <code>olcTLSCACertificateFile<\/code> on the server) to the client instead.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>true | openssl s_client -connect ldapmaster.kifarunix-demo.com:636 2&gt;\/dev\/null | openssl x509<\/code><\/pre>\n\n\n\n<p>Copy the certificate and store it in the file specified by the value of the <code>ldap_tls_cacert<\/code> parameter, <code><strong>\/etc\/openldap\/certs\/cacert.pem<\/strong><\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/openldap\/certs\/cacert.pem<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n-----BEGIN CERTIFICATE-----\nMIIDPDCCAiSgAwIBAgIULKGcNBKQU9LqklS27aLVr5NFgoQwDQYJKoZIhvcNAQEL\nBQAwHzEdMBsGA1UEAwwUKi5raWZhcnVuaXgtZGVtby5jb20wHhcNMjAwNDEzMTAx\n...\nsLwoxITLon23PB1Twc6heMFh1hkug3JXbtr5AJglU8JdGNtXM6e3ct+cAf2F\/hRR\nHGs85jrn634RNXMPWZ8lqChr1QLKlDsOz89tTQ4zvDBqQPweo8de2B\/ybTIUJu0o\nOUyCrLx8BK44vjEz0jvpOA==\n-----END CERTIFICATE-----\n<\/code><\/pre>\n\n\n\n<p>Also, in the <code><strong>\/etc\/openldap\/ldap.conf<\/strong><\/code> configuration on the client, set <code>TLS_CACERT<\/code> to the same path you gave the <code>ldap_tls_cacert<\/code> parameter.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/openldap\/ldap.conf<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>...\n<strong>TLS_CACERT \/etc\/openldap\/certs\/cacert.pem<\/strong><\/code><\/pre>\n\n\n\n<p>Verify the CA certificate;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>openssl s_client -connect ldapmaster.kifarunix-demo.com:636 -CAfile <strong>\/etc\/openldap\/certs\/cacert.pem<\/strong><\/code><\/pre>\n\n\n\n<p>If you get the <strong>Verify return code: 0 
(ok)<\/strong>&nbsp;status, then the certificate is fine.<\/p>\n\n\n\n<p>Set the proper ownership and permissions on the SSSD configuration file, since it contains the bind password in cleartext.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>chown -R root:root \/etc\/sssd\/\nchmod -R 600 \/etc\/sssd\/<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Integrate NSS and PAM with SSSD on CentOS 7\/CentOS 6<\/h3>\n\n\n\n<p>Update NSS and PAM to use SSSD for identity lookups and authentication. This can be achieved using the&nbsp;<code><strong>authconfig<\/strong><\/code>&nbsp;utility.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Configure Automatic Home Directory Creation<\/h4>\n\n\n\n<p>Install the&nbsp;<code><strong>oddjob-mkhomedir<\/strong><\/code>&nbsp;package, which provides the&nbsp;<code><strong>pam_oddjob_mkhomedir<\/strong><\/code>&nbsp;module to create a home directory for a user at login time.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>yum install oddjob-mkhomedir<\/code><\/pre>\n\n\n\n<p>Load the&nbsp;<code><strong>pam_oddjob_mkhomedir<\/strong><\/code>&nbsp;module in the PAM auth file&nbsp;<code>\/etc\/pam.d\/system-auth<\/code>&nbsp;to enable automatic home directory creation.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>echo \"session optional pam_oddjob_mkhomedir.so skel=\/etc\/skel\/ umask=0022\" &gt;&gt; \/etc\/pam.d\/system-auth<\/code><\/pre>\n\n\n\n<p>Start and enable oddjobd to run on system boot.<\/p>\n\n\n\n<p>On CentOS 7;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl enable --now oddjobd<\/code><\/pre>\n\n\n\n<p>On CentOS 6;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>service messagebus start\nservice oddjobd start<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>chkconfig messagebus on\nchkconfig oddjobd on<\/code><\/pre>\n\n\n\n<p>Next, update the NSS and PAM configurations.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>authconfig --enablesssd --enablesssdauth --enablemkhomedir --update<\/code><\/pre>\n\n\n\n<p>This command updates 
the <code>\/etc\/nsswitch.conf<\/code>, <code>\/etc\/pam.d\/system-auth<\/code> and <code>\/etc\/pam.d\/password-auth<\/code> files with the relevant SSSD modules.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Running SSSD on CentOS 6\/CentOS 7<\/h3>\n\n\n\n<p>The configuration is now done. Start and enable SSSD to run on system boot.<\/p>\n\n\n\n<p>On CentOS 7;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl enable --now sssd<\/code><\/pre>\n\n\n\n<p>On CentOS 6;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>service sssd start\nchkconfig sssd on<\/code><\/pre>\n\n\n\n<p>Check the status. On CentOS 7;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl status sssd<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n\u25cf sssd.service - System Security Services Daemon\n   Loaded: loaded (\/usr\/lib\/systemd\/system\/sssd.service; enabled; vendor preset: disabled)\n   Active: active (running) since Mon 2020-04-13 16:31:30 EAT; 3s ago\n Main PID: 10472 (sssd)\n   CGroup: \/system.slice\/sssd.service\n           \u251c\u250010472 \/usr\/sbin\/sssd -i --logger=files\n           \u251c\u250010473 \/usr\/libexec\/sssd\/sssd_be --domain default --uid 0 --gid 0 --logger=files\n           \u251c\u250010474 \/usr\/libexec\/sssd\/sssd_nss --uid 0 --gid 0 --logger=files\n           \u2514\u250010475 \/usr\/libexec\/sssd\/sssd_pam --uid 0 --gid 0 --logger=files\n\nApr 13 16:31:30 centos7.kifarunix-demo.com systemd[1]: Stopped System Security Services Daemon.\nApr 13 16:31:30 centos7.kifarunix-demo.com systemd[1]: Starting System Security Services Daemon...\nApr 13 16:31:30 centos7.kifarunix-demo.com sssd[10472]: Starting up\nApr 13 16:31:30 centos7.kifarunix-demo.com sssd[be[default]][10473]: Starting up\nApr 13 16:31:30 centos7.kifarunix-demo.com sssd[nss][10474]: Starting up\nApr 13 16:31:30 centos7.kifarunix-demo.com sssd[pam][10475]: Starting up\nApr 13 16:31:30 centos7.kifarunix-demo.com systemd[1]: Started System Security Services 
Daemon.\n<\/code><\/pre>\n\n\n\n<p>On CentOS 6;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code><strong>service sssd status<\/strong><\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sssd (pid 2913) is running\u2026<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Verify OpenLDAP Authentication via SSSD<\/h3>\n\n\n\n<p>On our OpenLDAP server, we have created a few user entries;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ldapsearch -H ldapi:\/\/\/ -Y EXTERNAL -b \"ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\" uid -LLL -Q<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dn: ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\n\n<strong>dn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nuid: janedoe\n\ndn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\nuid: johndoe<\/strong><\/code><\/pre>\n\n\n\n<p>On either CentOS 7 or CentOS 6, depending on the LDAP access filter used, these users should now resolve on the system. Use the id command to verify this.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;root@centos6 ~]# <strong>id janedoe<\/strong>\n<strong>uid=10010(janedoe) gid=10010(janedoe) groups=10010(janedoe)<\/strong><\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;root@centos7 ~]# <strong>id johndoe\nuid=10000(johndoe) gid=10000(johndoe) groups=10000(johndoe)<\/strong>\n&#91;root@centos7 ~]#<\/code><\/pre>\n\n\n\n<p>Verify automatic home directory creation.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;root@centos6 ~]# <strong>ssh -l janedoe localhost<\/strong>\njanedoe@localhost's password:\n<strong>Creating home directory for janedoe.<\/strong>\nLast login: Mon Apr 13 16:24:36 2020\n&#91;janedoe@centos6 ~]$ pwd\n<strong>\/home\/janedoe<\/strong><\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;root@centos7 ~]# <strong>ssh -l johndoe localhost<\/strong>\njohndoe@localhost's password:\n<strong>Creating home directory for johndoe.<\/strong>\n&#91;johndoe@centos7 ~]$ 
pwd\n\/home\/johndoe<\/code><\/pre>\n\n\n\n<p>You have successfully authenticated an OpenLDAP user via SSSD on both CentOS 7 and CentOS 6.<\/p>\n\n\n\n<p>That brings us to the end of our guide on how to install and configure the OpenLDAP SSSD client on CentOS 6\/7.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Related Tutorials<\/h3>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/install-and-setup-freeipa-server-on-centos-8\/\" target=\"_blank\">Install and Setup FreeIPA Server on CentOS 8<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/setup-openldap-master-slave-replication-on-centos-8\/\" target=\"_blank\">Setup OpenLDAP Master-Slave Replication on CentOS 8<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/install-phpldapadmin-on-centos-8\/\" target=\"_blank\">Install phpLDAPadmin on CentOS 8<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/setup-openldap-server-with-ssl-tls-on-debian-10\/\" target=\"_blank\" rel=\"noreferrer noopener\">Setup OpenLDAP Server with SSL\/TLS on Debian 10<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Do you have an older CentOS system, CentOS 7 or CentOS 6, and want to enable OpenLDAP authentication? 
Well, follow through this guide to learn<\/p>\n","protected":false},"author":1,"featured_media":10441,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[285,121,1099],"tags":[1423,88,1426,1425,1422,1424],"class_list":["post-5434","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-directory-server","category-howtos","category-openldap","tag-centos-6","tag-centos-7","tag-centos-7-sssd","tag-configure-sssd-centos-6","tag-openldap-sssd","tag-openldap-sssd-on-centos-6","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5434"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=5434"}],"version-history":[{"count":6,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5434\/revisions"}],"predecessor-version":[{"id":10452,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5434\/revisions\/10452"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/10441"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=5434"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=5434"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=5434"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}