{"id":5838,"date":"2020-05-08T15:11:47","date_gmt":"2020-05-08T12:11:47","guid":{"rendered":"https:\/\/kifarunix.com\/?p=5838"},"modified":"2024-03-14T20:37:01","modified_gmt":"2024-03-14T17:37:01","slug":"configure-sssd-for-ldap-authentication-on-ubuntu-20-04","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/configure-sssd-for-ldap-authentication-on-ubuntu-20-04\/","title":{"rendered":"Configure SSSD for LDAP Authentication on Ubuntu 20.04"},"content":{"rendered":"\n

This guide will take you through how to install and configure SSSD for LDAP authentication on Ubuntu 20.04. SSSD<\/a> (System Security Services Daemon) is a system service to access remote directories and authentication mechanisms such as an LDAP directory, an Identity Management (IdM) or Active Directory (AD) domain, or a Kerberos realm.<\/p>\n\n\n\n

Configuring SSSD for LDAP Authentication on Ubuntu 20.04<\/h2>\n\n\n\n

Assuming you already have a running OpenLDAP server, proceed with this guide to learn how to install and configure SSSD for LDAP authentication.<\/p>\n\n\n\n

Run System Update<\/h3>\n\n\n\n

Ensure that your system package cache is up-to-date.<\/p>\n\n\n\n

apt update<\/code><\/pre>\n\n\n\n
Install SSSD on Ubuntu 20.04<\/h3>\n\n\n\n
To install SSSD and other required SSSD tools on Ubuntu 20.04, run the command below;<\/p>\n\n\n\n
apt install sssd libpam-sss libnss-sss<\/code><\/pre>\n\n\n\n
Configure SSSD\u00a0for OpenLDAP Authentication<\/h3>\n\n\n\n
Create SSSD configuration file<\/h4>\n\n\n\n
SSSD do not ship with any configuration file by default. As such, you need to create your configuration file that defines your LDAP authentication specifics.<\/p>\n\n\n\n
Below is our sample configuration options;<\/p>\n\n\n\n
cat \/etc\/sssd\/sssd.conf<\/code><\/pre>\n\n\n\n
\n[sssd]\nservices = nss, pam\nconfig_file_version = 2\ndomains = default\n\n[nss]\n\n[pam]\noffline_credentials_expiration = 60\n\n[domain\/default]\nldap_id_use_start_tls = True\ncache_credentials = True\nldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com\nid_provider = ldap\nauth_provider = ldap\nchpass_provider = ldap\naccess_provider = ldap\nldap_uri = ldap:\/\/ldapmaster.kifarunix-demo.com\nldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\nldap_default_authtok = P@ssWOrd\nldap_tls_reqcert = demand\nldap_tls_cacert = \/etc\/ssl\/certs\/ldapcacert.crt\nldap_tls_cacertdir = \/etc\/ssl\/certs\nldap_search_timeout = 50\nldap_network_timeout = 60\nldap_access_order = filter\nldap_access_filter = (objectClass=posixAccount)\n<\/code><\/pre>\n\n\n\n
Check the highlighted lines above and replace their values appropriately.<\/p>\n\n\n\n
For a comprehensive description of options used above, refer to man sssd.conf<\/code><\/strong> and man sssd-ldap<\/strong><\/code>.<\/p>\n\n\n\n
Once you are done with your configurations, save and exit the file.<\/p>\n\n\n\n
Install OpenLDAP Server CA Certificate on Ubuntu 20.04 LDAP client<\/h4>\n\n\n\n
SSSD authentication can only work over an encrypted communication channel. Therefore, your OpenLDAP server must be configured SSL\/TLS.<\/p>\n\n\n\n
If you have done this already, download the CA certificate from the LDAP server to the LDAP client by executing the command below;<\/p>\n\n\n\n
openssl s_client -connect ldapmaster.kifarunix-demo.com:636 -showcerts < \/dev\/null | openssl x509 -text | sed -ne '\/-BEGIN CERTIFICATE-\/,\/-END CERTIFICATE-\/p'<\/code><\/pre>\n\n\n\n
if you are downloading the certificates from an OpenLDAP server listening on STARTTLS (port 389\/{tcp,udp}), use the command below instead;<\/p>\n\n\n\n
openssl s_client -connect ldapmaster.kifarunix-demo.com:389 -starttls ldap -showcerts < \/dev\/null | openssl x509 -text | sed -ne '\/-BEGIN CERTIFICATE-\/,\/-END CERTIFICATE-\/p'<\/code><\/pre>\n\n\n\n
Copy the certificate part;<\/p>\n\n\n\n
-----BEGIN CERTIFICATE-----\nMIIDvzCCAqegAwIBAgIUc8imlOVhEej453dXtvacn7krg1MwDQYJKoZIhvcNAQEL\nBQAwbzELMAkGA1UEBhMCS0UxDDAKBgNVBAgMA05haTEMMAoGA1UEBwwDTWFpMRww\nGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkgTHRkMSYwJAYDVQQDDB1sZGFwbWFzdGVy\n...\n...\nExJaMa6cJkIFmepJ6wGvk33DiLRZrAKT2\/11yswYm16mdpUynmx6pZvZizjxkq+c\nhegnowyEG4db\/NktY44v2ryIQdEclnKmhk23vmhgZxl1IUgev2tc\/\/JWPE9dXuP8\nUy7ivNi2PL6mBwxMpyi0zTopqTXSvi54APm48dd0JPsGLTIgPMc1WvaN7TsUeIBs\nIgf9K1e9M0Q+j2XEsTeCYVU\/v0Jt0kER0+V\/NM0IrDOX+6kRz6DNsZrwcMEf5Yvp\nARWZ\n-----END CERTIFICATE-----\n<\/code><\/pre>\n\n\n\n
As per our SSSD configuration, the LDAP CA certificate file is stored as \/etc\/ssl\/certs\/ldapcacert.crt<\/code><\/strong> on the client. Note<\/strong> that the location of the CA cert file might be different for your case.<\/p>\n\n\n\n
Therefore, copy the certificate above and place it in this file;<\/p>\n\n\n\n
vim \/etc\/ssl\/certs\/ldapcacert.crt<\/code><\/pre>\n\n\n\n
-----BEGIN CERTIFICATE-----\nMIIDvzCCAqegAwIBAgIUc8imlOVhEej453dXtvacn7krg1MwDQYJKoZIhvcNAQEL\nBQAwbzELMAkGA1UEBhMCS0UxDDAKBgNVBAgMA05haTEMMAoGA1UEBwwDTWFpMRww\nGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkgTHRkMSYwJAYDVQQDDB1sZGFwbWFzdGVy\n...\n...\nExJaMa6cJkIFmepJ6wGvk33DiLRZrAKT2\/11yswYm16mdpUynmx6pZvZizjxkq+c\nhegnowyEG4db\/NktY44v2ryIQdEclnKmhk23vmhgZxl1IUgev2tc\/\/JWPE9dXuP8\nUy7ivNi2PL6mBwxMpyi0zTopqTXSvi54APm48dd0JPsGLTIgPMc1WvaN7TsUeIBs\nIgf9K1e9M0Q+j2XEsTeCYVU\/v0Jt0kER0+V\/NM0IrDOX+6kRz6DNsZrwcMEf5Yvp\nARWZ\n-----END CERTIFICATE-----\n<\/code><\/pre>\n\n\n\n
Verify the validity of the certificate;<\/p>\n\n\n\n
openssl s_client -connect ldapmaster.kifarunix-demo.com:389 -CAfile \/etc\/ssl\/certs\/ldapcacert.crt<\/code><\/pre>\n\n\n\n
If you get, Verification: OK<\/strong><\/code> or Verify return code: 0 (ok)<\/strong><\/code> on the command output, then you are all set.<\/p>\n\n\n\n
Next, open the \/etc\/ldap\/ldap.conf<\/strong><\/code> and replace the value of TLS_CACERT<\/code><\/strong> with the path to the CA certificate created above.<\/p>\n\n\n\n
vim \/etc\/ldap\/ldap.conf<\/code><\/pre>\n\n\n\n
...\n# TLS certificates (needed for GnuTLS)\n#TLS_CACERT     \/etc\/ssl\/certs\/ca-certificates.crt\nTLS_CACERT      \/etc\/ssl\/certs\/ldapcacert.crt<\/strong><\/code><\/pre>\n\n\n\n
Save and close the configuration file.<\/p>\n\n\n\n
Set Proper Permissions on SSSD configurations<\/h4>\n\n\n\n
After that, assign the root user read\/write access to \/etc\/sssd\/<\/code>.<\/p>\n\n\n\n
chmod 600 -R \/etc\/sssd<\/code><\/pre>\n\n\n\n
Restart SSSD service<\/p>\n\n\n\n
systemctl restart sssd<\/code><\/pre>\n\n\n\n
Check the status of SSSD to ensure that it is running.<\/p>\n\n\n\n
systemctl status sssd<\/code><\/pre>\n\n\n\n
\u25cf sssd.service - System Security Services Daemon\n     Loaded: loaded (\/lib\/systemd\/system\/sssd.service; enabled; vendor preset: enabled)\n     Active: active (running) since Fri 2020-05-08 11:38:21 EAT; 6s ago\n   Main PID: 7004 (sssd)\n      Tasks: 4 (limit: 2319)\n     Memory: 34.0M\n     CGroup: \/system.slice\/sssd.service\n             \u251c\u25007004 \/usr\/sbin\/sssd -i --logger=files\n             \u251c\u25007020 \/usr\/libexec\/sssd\/sssd_be --domain default --uid 0 --gid 0 --logger=files\n             \u251c\u25007021 \/usr\/libexec\/sssd\/sssd_nss --uid 0 --gid 0 --logger=files\n             \u2514\u25007022 \/usr\/libexec\/sssd\/sssd_pam --uid 0 --gid 0 --logger=files\n\nMay 08 11:38:20 koromicha systemd[1]: Starting System Security Services Daemon...\nMay 08 11:38:20 koromicha sssd[7004]: Starting up\nMay 08 11:38:21 koromicha sssd[be[7020]: Starting up\nMay 08 11:38:21 koromicha sssd[7021]: Starting up\nMay 08 11:38:21 koromicha sssd[7022]: Starting up\nMay 08 11:38:21 koromicha systemd[1]: Started System Security Services Daemon.\n<\/code><\/pre>\n\n\n\n
Enable SSSD to run on system boot;<\/p>\n\n\n\n
systemctl enable sssd<\/code><\/pre>\n\n\n\n
Configure Auto-Home Directory Creation<\/h3>\n\n\n\n
To enable automatic creation of user\u2019s home directory on first login, you need to configure the PAM modules (pam_mkhomedir.so<\/code>) as shown below.<\/p>\n\n\n\n
Open the \/etc\/pam.d\/common-session<\/code> configuration file and edit is ad follows;<\/p>\n\n\n\n
vim \/etc\/pam.d\/common-session<\/code><\/pre>\n\n\n\n
Add the line below just below the line, session optional pam_sss.so<\/code>.<\/p>\n\n\n\n
session required        pam_mkhomedir.so skel=\/etc\/skel\/ umask=0022<\/code><\/pre>\n\n\n\n
...\n# The pam_umask module will set the umask according to the system default in\n# \/etc\/login.defs and user settings, solving the problem of different\n# umask settings with different shells, display managers, remote sessions etc.\n# See \"man pam_umask\".\nsession optional                        pam_umask.so\n# and here are more per-package modules (the \"Additional\" block)\nsession required        pam_unix.so\nsession optional                        pam_sss.so\nsession required        pam_mkhomedir.so skel=\/etc\/skel\/ umask=0022<\/strong>\nsession optional        pam_systemd.so\n# end of pam-auth-update config\n...\n<\/code><\/pre>\n\n\n\n
Save and exit the configuration file.<\/p>\n\n\n\n
Verify SSSD OpenLDAP authentication<\/h3>\n\n\n\n
The installation and configuration of SSSD is done. To verify that you can login, try to authenticate against your LDAP server.<\/p>\n\n\n\n
In this guide, we have two users, janedoe<\/code> and johndoe<\/code>, created on our OpenLDAP Server for demo purposes.<\/p>\n\n\n\n
ldapsearch -H ldapi:\/\/\/ -Y EXTERNAL -b \"ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\" dn -LLL -Q<\/code><\/pre>\n\n\n\n
The command above is ran on OpenLDAP server and the output is;<\/p>\n\n\n\n
dn: ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\n\ndn: uid=janedoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com\n\ndn: uid=johndoe,ou=people,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/strong><\/code><\/pre>\n\n\n\n
On the Ubuntu 20.04 ldap client,  these information about the users above should now be printable.<\/p>\n\n\n\n
root@ubuntu20:~# id johndoe<\/strong><\/code><\/pre>\n\n\n\n
uid=10000(johndoe) gid=10000(johndoe) groups=10000(johndoe)<\/code><\/pre>\n\n\n\n
root@ubuntu20:~# id janedoe<\/strong><\/code><\/pre>\n\n\n\n
uid=10010(janedoe) gid=10010(janedoe) groups=10010(janedoe)<\/code><\/pre>\n\n\n\n
To demo the SSSD LDAP authentication, we will use both SSH and GUI based authentication;<\/p>\n\n\n\n
Verify SSH Authentication via OpenLDAP SSSD<\/h4>\n\n\n\n
ssh johndoe@ubuntu20<\/code><\/pre>\n\n\n\n
\nThe authenticity of host 'ubuntu20 (192.168.58.19)' can't be established.\nECDSA key fingerprint is SHA256:gN94vPFvyZ3Rdeb\/+7R+0QJy9S4MdWmgJyEShIG9YgE.\nAre you sure you want to continue connecting (yes\/no)? yes\nWarning: Permanently added 'ubuntu20' (ECDSA) to the list of known hosts.\njohndoe@ubuntu20's password: \nCreating directory '\/home\/johndoe'.\nWelcome to Ubuntu 20.04 LTS (GNU\/Linux 5.4.0-29-generic x86_64)\n\n * Documentation:  https:\/\/help.ubuntu.com\n * Management:     https:\/\/landscape.canonical.com\n * Support:        https:\/\/ubuntu.com\/advantage\n\n * Ubuntu 20.04 LTS is out, raising the bar on performance, security,\n   and optimisation for Intel, AMD, Nvidia, ARM64 and Z15 as well as\n   AWS, Azure and Google Cloud.\n\n     https:\/\/ubuntu.com\/blog\/ubuntu-20-04-lts-arrives\n\n\n13 updates can be installed immediately.\n9 of these updates are security updates.\nTo see these additional updates run: apt list --upgradable\n\n\nThe programs included with the Ubuntu system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nUbuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by\napplicable law.\n\njohndoe@ubuntu20:~$\n<\/code><\/pre>\n\n\n\n
Verify GUI authentication via OpenLDAP SSSD<\/h4>\n\n\n\n
Reboot your Ubuntu 20.04 desktop after SSSD setup and and verify authentication.<\/p>\n\n\n\n
Once it boots, on the GDM login interface, click Not listed<\/strong> to enter your OpenLDAP username and password.<\/p>\n\n\n\n
We logged in on GUI as a different LDAP user, janedoe<\/strong>.<\/p>\n\n\n
\n
\"Configure<\/figure><\/div>\n\n\n
Upon successful login, you land on Ubuntu 20.04 desktop.<\/p>\n\n\n\n
\"\n\"<\/figure>\n\n\n\n
And there you go. You have successfully installed and configured SSSD for LDAP Authentication on Ubuntu 20.04.<\/p>\n\n\n\n
Related Tutorials<\/h3>\n\n\n\n
Configure SSSD for OpenLDAP Authentication on Ubuntu 18.04<\/a><\/p>\n\n\n\n
Install phpLDAPadmin on CentOS 8<\/a><\/p>\n\n\n\n
Configure ownCloud OpenLDAP Authentication<\/a><\/p>\n\n\n\n
Configure OpenLDAP Host Based Authentication<\/a><\/p>\n\n\n\n
How to Create OpenLDAP Member Groups<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
This guide will take you through how to install and configure SSSD for LDAP authentication on Ubuntu 20.04. SSSD (System Security Services Daemon) is a<\/p>\n","protected":false},"author":3,"featured_media":10441,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,285,1099],"tags":[1585,1583,1584,1270,1271],"class_list":["post-5838","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-directory-server","category-openldap","tag-configure-sssd-on-ubuntu-20-04","tag-install-sssd-ubuntu-20-04","tag-setup-sssd-on-ubuntu-20-04","tag-sssd-openldap","tag-sssd-openldap-authentication","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5838"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=5838"}],"version-history":[{"count":15,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5838\/revisions"}],"predecessor-version":[{"id":21391,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/5838\/revisions\/21391"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/10441"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=5838"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=5838"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=5838"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}