{"id":6830,"date":"2020-08-27T22:35:12","date_gmt":"2020-08-27T19:35:12","guid":{"rendered":"https:\/\/kifarunix.com\/?p=6830"},"modified":"2024-03-14T22:26:19","modified_gmt":"2024-03-14T19:26:19","slug":"install-and-configure-sssd-for-openldap-authentication-on-fedora-32-31-30","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/install-and-configure-sssd-for-openldap-authentication-on-fedora-32-31-30\/","title":{"rendered":"Install and Configure SSSD for OpenLDAP Authentication on Fedora 32\/31\/30"},"content":{"rendered":"\n<p>In this tutorial, you will learn how to install and configure SSSD for OpenLDAP Authentication on Fedora 32\/31\/30. <a href=\"https:\/\/sssd.io\/\" target=\"_blank\" rel=\"noreferrer noopener\">SSSD<\/a> is an acronym for System Security Services Daemon. <em>&#8220;The primary function of SSSD is to provide access to local or remote identity and authentication resources through a common framework that can provide caching and offline support to the system. It provides several interfaces, including NSS and PAM modules or a D-Bus interface&#8221;<\/em>.<\/p>\n\n\n\n<p>Benefits of using SSSD for remote identity and authentication include;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduced load on identity and authentication servers<\/strong>: Once SSSD has contacted the identity and authentication server, it caches the information; subsequent requests for this information are served from the cache, reducing the load on the backend servers.<\/li>\n\n\n\n<li><strong>Offline authentication<\/strong>: SSSD can be configured to keep a cache of user identities and credentials for a specified period of time. 
This enables users to authenticate to resources even if the remote server or the SSSD client is offline.<\/li>\n\n\n\n<li><strong>A single user account:<\/strong> SSSD credentials and account information caching removes the need to maintain both a central account and a local user account for offline authentication.<\/li>\n<\/ul>\n\n\n\n<p>As we continue with this guide, we assume that you already have an OpenLDAP server up and running. If you do not, follow the link below to install and configure an OpenLDAP server on CentOS 8.<\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/install-and-setup-openldap-on-centos-8\/\" target=\"_blank\">Install and Setup OpenLDAP on CentOS 8<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"install-and-configure-sssd-fedora-32-31-30\"><a href=\"#install-and-configure-sssd-fedora-32-31-30\">Install SSSD for OpenLDAP Authentication on Fedora<\/a><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"system-update\"><a href=\"#system-update\">Run System Update<\/a><\/h3>\n\n\n\n<p>Before you can proceed, ensure that your system packages are up-to-date.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf update<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-sssd-on-fedora-32-31-30\"><a href=\"#install-sssd-on-fedora-32-31-30\">Install SSSD on Fedora 32\/31\/30<\/a><\/h3>\n\n\n\n<p>Run the command below to install SSSD and other SSSD tools on Fedora 32\/31\/30 (these might already be installed by default).<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf install sssd sssd-tools<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-sssd-for-ldap-authentication\"><a href=\"#configure-sssd-for-ldap-authentication\">Configure SSSD for OpenLDAP Authentication<\/a><\/h3>\n\n\n\n<p>Once SSSD and its tools are installed, proceed to configure it for your OpenLDAP authentication.<\/p>\n\n\n\n<p>Note that, by default, SSSD does not ship with a configuration file. 
As such, you need to create an SSSD configuration file (<code><strong>sssd.conf<\/strong><\/code> by default) under the configuration directory, <code><strong>\/etc\/sssd<\/strong><\/code>, to define your OpenLDAP authentication settings.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/sssd\/sssd.conf<\/code><\/pre>\n\n\n\n<p>Below are our sample SSSD configuration details. Be sure to make the relevant changes in the configurations below to reflect your OpenLDAP environment setup. Note that <code>ldap_default_authtok<\/code> holds the bind DN's password in clear text, which is why <code>sssd.conf<\/code> must be owned by root and readable only by root.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n[sssd]\nservices = nss, pam\nconfig_file_version = 2\ndomains = default\n\n[nss]\n\n[pam]\noffline_credentials_expiration = 60\n\n[domain\/default]\nldap_id_use_start_tls = True\ncache_credentials = True\nldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com\nid_provider = ldap\nauth_provider = ldap\nchpass_provider = ldap\naccess_provider = ldap\nsudo_provider = ldap\nldap_uri = ldap:\/\/ldapmaster.kifarunix-demo.com\nldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\nldap_default_authtok = P@ssWOrd\nldap_tls_reqcert = demand\nldap_tls_cacert = \/etc\/pki\/tls\/cacert.crt\nldap_tls_cacertdir = \/etc\/pki\/tls\nldap_search_timeout = 50\nldap_network_timeout = 60\nldap_access_order = filter\nldap_access_filter = (objectClass=posixAccount)\n<\/code><\/pre>\n\n\n\n<p>If you are providing SUDO rights via OpenLDAP, your SSSD configuration should include the sudo service and the SUDOers search base. The SSSD configuration file would then look like;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n[sssd]\nservices = nss, pam, sudo\nconfig_file_version = 2\ndomains = default\n\n[sudo]\n\n[nss]\n\n[pam]\noffline_credentials_expiration = 60\n\n[domain\/default]\nldap_id_use_start_tls = True\ncache_credentials = True\nldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com\nid_provider = ldap\nauth_provider = ldap\nchpass_provider = ldap\naccess_provider = ldap\nsudo_provider = ldap\nldap_uri = 
ldap:\/\/ldapmaster.kifarunix-demo.com\nldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\nldap_default_authtok = P@ssWOrd\nldap_tls_reqcert = demand\nldap_tls_cacert = \/etc\/pki\/tls\/cacert.crt\nldap_tls_cacertdir = \/etc\/pki\/tls\nldap_search_timeout = 50\nldap_network_timeout = 60\nldap_sudo_search_base = ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com\nldap_access_order = filter\nldap_access_filter = (objectClass=posixAccount)\n<\/code><\/pre>\n\n\n\n<p>For a detailed description of all the options\/parameters used in the SSSD configuration, refer to <code><strong>man sssd.conf<\/strong><\/code>.<\/p>\n\n\n\n<p>Follow the link below to learn how to configure OpenLDAP to provide SUDO rights to authenticating clients.<\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/how-to-configure-sudo-via-openldap-server\/\" target=\"_blank\">How to Configure SUDO via OpenLDAP Server<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Install OpenLDAP CA Certificate on Fedora 32\/31\/30<\/h3>\n\n\n\n<p>SSSD requires that the communication channel be encrypted. 
As such, OpenLDAP has to be configured with SSL (the URI uses <code><strong>ldaps:\/\/<\/strong><\/code>) or TLS (the URI uses <code><strong>ldap:\/\/<\/strong><\/code> and the connection is upgraded with StartTLS, as set by <code>ldap_id_use_start_tls<\/code> above).<\/p>\n\n\n\n<p>If your OpenLDAP is configured with SSL (<strong>LDAP is listening on port 636<\/strong>), run the command below to download the CA certificate;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>openssl s_client -connect ldapmaster.kifarunix-demo.com:636 -showcerts &lt; \/dev\/null | openssl x509 -text | sed -ne '\/-BEGIN CERTIFICATE-\/,\/-END CERTIFICATE-\/p'<\/code><\/pre>\n\n\n\n<p>If your OpenLDAP is configured with TLS (<strong>LDAP is listening on port 389<\/strong>), run the command below to download the CA certificate;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>openssl s_client -connect ldapmaster.kifarunix-demo.com:389 -starttls ldap -showcerts &lt; \/dev\/null | openssl x509 -text | sed -ne '\/-BEGIN CERTIFICATE-\/,\/-END CERTIFICATE-\/p'<\/code><\/pre>\n\n\n\n<p>The certificate is displayed on the standard output. Note that <code>openssl x509<\/code> parses only the first certificate of the chain printed by <code>-showcerts<\/code>, which is the server certificate; if your server certificate is signed by a separate CA, it is that CA certificate that must go into the file referenced by <code>ldap_tls_cacert<\/code>.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n-----BEGIN CERTIFICATE-----\nMIIDvzCCAqegAwIBAgIUc8imlOVhEej453dXtvacn7krg1MwDQYJKoZIhvcNAQEL\nBQAwbzELMAkGA1UEBhMCS0UxDDAKBgNVBAgMA05haTEMMAoGA1UEBwwDTWFpMRww\n...\n...\nUy7ivNi2PL6mBwxMpyi0zTopqTXSvi54APm48dd0JPsGLTIgPMc1WvaN7TsUeIBs\nIgf9K1e9M0Q+j2XEsTeCYVU\/v0Jt0kER0+V\/NM0IrDOX+6kRz6DNsZrwcMEf5Yvp\nARWZ\n-----END CERTIFICATE-----\n<\/code><\/pre>\n\n\n\n<p>You need to copy this certificate and install it in the file specified by the line, <code><strong>ldap_tls_cacert = \/etc\/pki\/tls\/cacert.crt<\/strong><\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>vim \/etc\/pki\/tls\/cacert.crt<\/code><\/pre>\n\n\n\n<p>Paste the certificate in here;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>\n-----BEGIN 
CERTIFICATE-----\nMIIDvzCCAqegAwIBAgIUc8imlOVhEej453dXtvacn7krg1MwDQYJKoZIhvcNAQEL\nBQAwbzELMAkGA1UEBhMCS0UxDDAKBgNVBAgMA05haTEMMAoGA1UEBwwDTWFpMRww\n...\n...\nUy7ivNi2PL6mBwxMpyi0zTopqTXSvi54APm48dd0JPsGLTIgPMc1WvaN7TsUeIBs\nIgf9K1e9M0Q+j2XEsTeCYVU\/v0Jt0kER0+V\/NM0IrDOX+6kRz6DNsZrwcMEf5Yvp\nARWZ\n-----END CERTIFICATE-----\n<\/code><\/pre>\n\n\n\n<p>Save and exit the file.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-nss-pam-for-sssd-authentication\"><a href=\"#configure-nss-pam-for-sssd-authentication\">Configure NSS and PAM for SSSD Authentication on Fedora 32\/31\/30<\/a><\/h3>\n\n\n\n<p>Update NSS and PAM to use SSSD to manage authentication resources. <code><strong>Authselect<\/strong><\/code> is a utility that simplifies the configuration of user authentication, especially when using SSSD for authentication.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Configure SSSD Profile on Fedora 32\/31\/30<\/h4>\n\n\n\n<p>The authselect command, when used to select the SSSD profile, modifies the files below;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\/etc\/pam.d\/system-auth<\/li>\n\n\n\n<li>\/etc\/pam.d\/password-auth<\/li>\n\n\n\n<li>\/etc\/pam.d\/fingerprint-auth<\/li>\n\n\n\n<li>\/etc\/pam.d\/smartcard-auth<\/li>\n\n\n\n<li>\/etc\/pam.d\/postlogin<\/li>\n\n\n\n<li>\/etc\/nsswitch.conf<\/li>\n<\/ul>\n\n\n\n<p>Therefore, make a backup of these files just in case things don\u2019t work out.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>cp -r \/etc\/pam.d{,.original}\ncp \/etc\/nsswitch.conf{,.original}<\/code><\/pre>\n\n\n\n<p>Create an SSSD profile. 
This command will overwrite the nsswitch maps.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>authselect select sssd<\/code><\/pre>\n\n\n\n<p>Next, if you have configured SUDO via OpenLDAP, the system needs to fetch sudo rights from SSSD\/OpenLDAP; hence, edit <code>\/etc\/nsswitch.conf<\/code> to include the line below.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sudoers:    files sss<\/code><\/pre>\n\n\n\n<p>You can simply echo the line into the configuration file as shown below;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>echo \"sudoers:    files sss\" &gt;&gt; \/etc\/nsswitch.conf<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"sssd-automatic-home-creation-at-login\"><a href=\"#sssd-automatic-home-creation-at-login\">Configure Automatic Home Directory Creation At Login<\/a><\/h3>\n\n\n\n<p>To enable automatic home directory creation for a user upon first login, install the <code><strong>oddjob-mkhomedir<\/strong><\/code> package, which provides the <code><strong>pam_oddjob_mkhomedir<\/strong><\/code> module to create a home directory for a user at login time.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>dnf install oddjob-mkhomedir<\/code><\/pre>\n\n\n\n<p>Start and enable oddjobd to run on system boot.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl enable --now oddjobd<\/code><\/pre>\n\n\n\n<p>Load the <code><strong>pam_oddjob_mkhomedir<\/strong><\/code> module in the PAM auth file <code>\/etc\/pam.d\/system-auth<\/code> to enable auto home directory creation. Note that once a profile is selected, <code>\/etc\/pam.d\/system-auth<\/code> is managed by authselect, so <code>authselect check<\/code> will report the file as modified after this edit; the <code>with-mkhomedir<\/code> feature of the sssd profile is the authselect-native way to enable the same module.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>echo \"session optional pam_oddjob_mkhomedir.so skel=\/etc\/skel\/ umask=0022\" &gt;&gt; \/etc\/pam.d\/system-auth<\/code><\/pre>\n\n\n\n<p>Restart oddjobd.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl restart oddjobd<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"running-sssd-on-fedora-32-31-30\"><a 
href=\"#running-sssd-on-fedora-32-31-30\">Running SSSD on Fedora 32\/31\/30<\/a><\/h3>\n\n\n\n<p>Before you can start SSSD, you need to check the configuration for any typos or permission problems;<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>sssctl config-check<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code><strong>File ownership and permissions check failed. Expected root:root and 0600.<\/strong><\/code><\/pre>\n\n\n\n<p>As per the check output, restrict <code>\/etc\/sssd\/<\/code> so that only the owner (root) has read\/write access.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>chown -R root:root \/etc\/sssd<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>chmod 600 -R \/etc\/sssd<\/code><\/pre>\n\n\n\n<p>The configuration is now done. Start and enable SSSD to run on system boot.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl enable --now sssd<\/code><\/pre>\n\n\n\n<p>Check the status.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>systemctl status sssd<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>\n\u25cf sssd.service - System Security Services Daemon\n     Loaded: loaded (\/usr\/lib\/systemd\/system\/sssd.service; enabled; vendor preset: enabled)\n     Active: active (running) since Thu 2020-08-27 19:31:25 EAT; 2h 22min ago\n   Main PID: 663 (sssd)\n      Tasks: 3 (limit: 2332)\n     Memory: 7.6M\n        CPU: 713ms\n     CGroup: \/system.slice\/sssd.service\n             \u251c\u2500663 \/usr\/sbin\/sssd -i --logger=files\n             \u251c\u2500806 \/usr\/libexec\/sssd\/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files\n             \u2514\u2500807 \/usr\/libexec\/sssd\/sssd_nss --uid 0 --gid 0 --logger=files\n\nAug 27 19:30:58 fedora32.kifarunix-demo.com systemd[1]: Starting System Security Services Daemon...\nAug 27 19:31:24 fedora32.kifarunix-demo.com sssd[663]: Starting up\nAug 27 19:31:24 fedora32.kifarunix-demo.com be[implicit_files][806]: Starting up\nAug 27 
19:31:25 fedora32.kifarunix-demo.com nss[807]: Starting up\nAug 27 19:31:25 fedora32.kifarunix-demo.com systemd[1]: Started System Security Services Daemon.\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"verify-sssd-openldap-authentication\"><a href=\"#verify-sssd-openldap-authentication\">Verify OpenLDAP Authentication via SSSD<\/a><\/h3>\n\n\n\n<p>The installation and configuration of SSSD for OpenLDAP authentication on Fedora 32\/31\/30 is done. It is now time to verify system authentication via OpenLDAP.<\/p>\n\n\n\n<p>First, confirm that you can see your LDAP username on your system using the <code><strong>id<\/strong><\/code> command.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>id janedoe<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>uid=10010(janedoe) gid=10010(janedoe) groups=10010(janedoe)<\/code><\/pre>\n\n\n\n<p>Once that is confirmed, verify the login. You can use SSH, or the GUI login on desktop systems.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"><code>ssh -l janedoe localhost<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>The authenticity of host 'localhost (::1)' can't be established.\nECDSA key fingerprint is SHA256:JyAO5\/n9crE8qa923r0W0Ocw47LuVJFGuLZvnwRUM8k.\nAre you sure you want to continue connecting (yes\/no\/&#91;fingerprint])? 
yes\nWarning: Permanently added 'localhost' (ECDSA) to the list of known hosts.\njanedoe@localhost's password: \n&#91;janedoe@fedora32 ~]$<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;janedoe@fedora32 ~]$ whoami\njanedoe\n&#91;janedoe@fedora32 ~]$ pwd\n\/home\/janedoe\n&#91;janedoe@fedora32 ~]$<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Other Related Tutorials<\/h3>\n\n\n\n<p><a href=\"https:\/\/kifarunix.com\/how-to-create-openldap-member-groups\/\" target=\"_blank\" rel=\"noreferrer noopener\">How to Create OpenLDAP Member Groups<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/configure-sssd-for-openldap-client-authentication-on-debian-10-9\/\" target=\"_blank\">Configure SSSD for OpenLDAP Client Authentication on Debian 10\/9<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/setup-openldap-server-with-ssl-tls-on-debian-10\/\" target=\"_blank\">Setup OpenLDAP Server with SSL\/TLS on Debian 10<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/install-and-configure-openldap-server-on-fedora-29\/\" target=\"_blank\">Install and Configure OpenLDAP server on Fedora 29<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/configure-openldap-client-on-debian-9-stretch\/\" target=\"_blank\">Configure OpenLDAP Client on Debian 9 Stretch<\/a><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/kifarunix.com\/install-and-configure-openldap-server-on-debian-9-stretch\/\" target=\"_blank\">Install and Configure OpenLDAP Server on Debian 9 Stretch<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to install and configure SSSD for OpenLDAP Authentication on Fedora 32\/31\/30. 
SSSD is an acronym for System Security Services<\/p>\n","protected":false},"author":1,"featured_media":10441,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,285,1099],"tags":[1955,1651,924,1954,1953,1952,1956,286,1131],"class_list":["post-6830","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-directory-server","category-openldap","tag-configure-sssd","tag-configure-sssd-for-openldap-authentication","tag-fedora-30","tag-fedora-31","tag-fedora-32","tag-install-sssd-on-fedora-32","tag-oddjobd-mkhomedir","tag-openldap","tag-sssd","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6830"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=6830"}],"version-history":[{"count":5,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6830\/revisions"}],"predecessor-version":[{"id":21473,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/6830\/revisions\/21473"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/10441"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=6830"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=6830"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=6830"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}