In this guide, we are going to demonstrate how to configure SSSD for LDAP Authentication on Rocky Linux 8. In our previous guides, we have covered how to install and setup OpenLDAP on Rocky Linux 8 as well how to configure SUDO via OpenLDAP. See the links below;<\/p>\n\n\n\n
Install and Setup OpenLDAP on Rocky Linux 8<\/a><\/p>\n\n\n\n How to Configure SUDO via OpenLDAP Server<\/a><\/p>\n\n\n\n SSSD<\/a> is an acronym for System Security Services Daemon. It provides access to different identity and authentication providers.<\/p>\n\n\n\n In this demo, we are using OpenLDAP as our directory as well identity management server.<\/p>\n\n\n\n To update your system packages, execute the command below;<\/p>\n\n\n\n Once the system update is done, proceed to install SSSD and other SSSD tools.<\/p>\n\n\n\n Next, configure SSSD to allow authentication to your local system via OpenLDAP.<\/p>\n\n\n\n SSSD doesn\u2019t usually ship with any default configuration file. As such you need to create and configure it manually.<\/p>\n\n\n\n Paste the content below into sssd.conf<\/strong> file.<\/p>\n\n\n\n Be sure to make the relevant substitutions replacing your domain components as well as the BIND DN password appropriately.<\/p>\n\n\n\n Save and quit the configuration files. Be sure to make relevant changes accordingly.<\/p>\n\n\n\n Note that we have also configured our OpenLDAP server to provide sudo rights as shown by the configurations;<\/p>\n\n\n\n If you are not using OpenLDAP for sudo rules<\/strong>, you can remove these configurations.<\/p>\n\n\n\n Next, download the OpenLDAP server CA certificate and store it on the file specified by the Copy the certificate and paste it on the Next, open the Basically, you need to define the location of the CA certificate, the OpenLDAP search base, the URI and if you are providing SUDO via OpenLDAP, the SUDOers base.<\/p>\n\n\n\n Save and quit the configuration file.<\/p>\n\n\n\n Next, you need to update the NSS and PAM to use SSSD to manage authentication resources.<\/p>\n\n\n\n In previous versions of CentOS, you would use tools like Authselect command when used to create an SSSD profile, will basically modify these files;<\/p>\n\n\n\n Therefore, make a back up of these files just in case things don\u2019t work out. Once you have backed up these files, remove them.<\/p>\n\n\n\n Create an SSSD profile. This command will succeed only of you have removed the files above.<\/p>\n\n\n\n Otherwise, you can overwrite the files by adding the Next, for the system to fetch sudo rights from SSSD\/OpenLDAP, edit the You can simply echo the line into the configuration file as shown below;<\/p>\n\n\n\n To enable automatic home directory creation for user upon first login, you need to install the Start and enable oddjobd to run on system boot.<\/p>\n\n\n\n Load the Restart oddjobd.<\/p>\n\n\n\n Before you can start SSSD, you need to check configuration for any typos or permissions;<\/p>\n\n\n\n As per the check output, set the read\/write access to The configuration is now done. Start and enable SSSD to run on system boot.<\/p>\n\n\n\n Check the status.<\/p>\n\n\n\n Assuming that you have already created your OpenLDAP users and groups ( if not check our guide on creating OpenLDAP Users and Groups<\/a>), verify that you can login.<\/p>\n\n\n\n First, confirm that you can see your LDAP username on your system using You should get an entry similar to below. Note that username and UID and GUID may vary depending on your OpenLDAP settings;<\/p>\n\n\n\n If you cant get the above output, be sure to check OpenLDAP syslog logs (slapd.log, as per our setup guide) as well as Otherwise, you can restart sssd;<\/p>\n\n\n\n Check user again using If all is well, Perform a local ssh authentication to test your LDAP authentication.<\/p>\n\n\n\n First, if you have assigned the user sudo rights, you can check by running the command below on your OpenLDAP server. Replace the domain components accordingly.<\/p>\n\n\n\n Next, on the LDAP client with SSSD running already, try to list the user's sudo rights.<\/p>\n\n\n\n Well, if you get the error, Sorry, user johndoe may not run sudo on localhost.<\/strong>, then exit as standard user and restart SSSD;<\/strong><\/p>\n\n\n\n Once you restart SSSD, check the sudo rights again;<\/p>\n\n\n\n If you have any thought about this guide, don\u2019t hesitate to drop in comments section.<\/p>\n\n\n\n Other tutorials;<\/p>\n\n\n\n Configure SSSD for OpenLDAP Authentication on CentOS 8<\/a><\/p>\n\n\n\nConfiguring SSSD for LDAP Authentication<\/h2>\n\n\n\n
Run system update<\/h3>\n\n\n\n
dnf update<\/code><\/pre>\n\n\n\nInstall SSSD on Rocky Linux 8<\/h3>\n\n\n\n
dnf install sssd sssd-tools<\/code><\/pre>\n\n\n\nConfigure LDAP Authentication via SSSD<\/h3>\n\n\n\n
\ncat > \/etc\/sssd\/sssd.conf << 'EOL'\n[sssd]\nservices = nss, pam, sudo\nconfig_file_version = 2\ndomains = default\n\n[sudo]\n\n[nss]\n\n[pam]\noffline_credentials_expiration = 60\n\n[domain\/default]\nldap_id_use_start_tls = True\ncache_credentials = True\nldap_search_base = dc=ldapmaster,dc=kifarunix-demo,dc=com\nid_provider = ldap\nauth_provider = ldap\nchpass_provider = ldap\naccess_provider = ldap\nsudo_provider = ldap\nldap_uri = ldap:\/\/ldapmaster.kifarunix-demo.com\nldap_default_bind_dn = cn=readonly,ou=system,dc=ldapmaster,dc=kifarunix-demo,dc=com\nldap_default_authtok = P@ssWOrd\nldap_tls_reqcert = demand\nldap_tls_cacert = \/etc\/pki\/tls\/cacert.crt\nldap_tls_cacertdir = \/etc\/pki\/tls\nldap_search_timeout = 50\nldap_network_timeout = 60\nldap_sudo_search_base = ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com\nldap_access_order = filter\nldap_access_filter = (objectClass=posixAccount)\nEOL\n<\/code><\/pre>\n\n\n\nservices = nss, pam, sudo<\/strong>\n...\n\n[sudo]<\/strong>\n...\n\nldap_sudo_search_base = ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/strong><\/code><\/pre>\n\n\n\nldap_tls_cacert<\/code> directive on the sssd.conf file above.<\/p>\n\n\n\nopenssl s_client -connect ldapmaster.kifarunix-demo.com:636 -showcerts < \/dev\/null | openssl x509 -text<\/code><\/pre>\n\n\n\n\/etc\/pki\/tls\/cacert.crt<\/code><\/strong>.<\/p>\n\n\n\nvim \/etc\/pki\/tls\/cacert.crt<\/code><\/pre>\n\n\n\n-----BEGIN CERTIFICATE-----\nMIIFxzCCA6+gAwIBAgIUV+l4aOvMCLlNQRKOpt9YfxcxA8MwDQYJKoZIhvcNAQEL\nBQAwczELMAkGA1UEBhMCS0UxEDAOBgNVBAgMB05haXJvYmkxDDAKBgNVBAcMA05h\n...\n...\n5deiMlJkrYv7wZ0prq0QO5lduGBuD9UJvRa8LBV0GEAiHZL5PJOnREHObbAH907E\neixIJpkcC4wguMaXDNqIv6WGdQtRUyIP8tdByXYJGrbRW0K\/K9qEaIZhJiAES1Qy\n8U96RdYBpLvDctRch1kIfvnAVffTxmObAGI9n64O89p48kocJwNI\/XQNRg==\n-----END CERTIFICATE-----<\/code><\/pre>\n\n\n\n\/etc\/openldap\/ldap.conf<\/code> configuration file and configure it as follows;<\/p>\n\n\n\nvim \/etc\/openldap\/ldap.conf<\/code><\/pre>\n\n\n\nBASE dc=ldapmaster,dc=kifarunix-demo,dc=com\nURI ldaps:\/\/ldapmaster.kifarunix-demo.com:636\nSUDOERS_BASE ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com\n...\n...\nTLS_CACERT \/etc\/pki\/tls\/cacert.crt\n...<\/code><\/pre>\n\n\n\nConfigure Name Service Switch and PAM on Rocky Linux 8<\/h3>\n\n\n\n
authconfig<\/strong><\/code> but this has since been replaced by tools like authselect<\/strong><\/code>.<\/p>\n\n\n\nAuthselect<\/code> is a utility that simplifies the configuration of user authentication especially while using SSSD for authentication.<\/p>\n\n\n\nConfigure SSSD Profile<\/h4>\n\n\n\n
\n
authselect select sssd<\/code><\/pre>\n\n\n\n--force<\/code> option.<\/p>\n\n\n\nauthselect select sssd --force<\/code><\/pre>\n\n\n\nBackup stored at \/var\/lib\/authselect\/backups\/2021-06-19-09-55-01.BaMqgB\nProfile \"sssd\" was selected.\nThe following nsswitch maps are overwritten by the profile:\n- passwd\n- group\n- netgroup\n- automount\n- services\n\nMake sure that SSSD service is configured and enabled. See SSSD documentation for more information.<\/code><\/pre>\n\n\n\n\/etc\/nsswitch.conf<\/code> to include the line below.<\/p>\n\n\n\nsudoers: files sss<\/code><\/pre>\n\n\n\necho \"sudoers: files sss\" >> \/etc\/nsswitch.conf<\/code><\/pre>\n\n\n\nConfigure Automatic Home Directory Creation<\/h3>\n\n\n\n
oddjob-mkhomedir<\/strong><\/code>, which provides the pam_oddjob_mkhomedir<\/strong><\/code> module to create a home directory for a user at login-time.<\/p>\n\n\n\ndnf install oddjob-mkhomedir<\/code><\/pre>\n\n\n\nsystemctl enable --now oddjobd<\/code><\/pre>\n\n\n\npam_oddjob_mkhomedir<\/strong><\/code> module in PAM auth file \/etc\/pam.d\/system-auth<\/code> to enable auto home directory creation.<\/p>\n\n\n\necho \"session optional pam_oddjob_mkhomedir.so skel=\/etc\/skel\/ umask=0022\" >> \/etc\/pam.d\/system-auth<\/code><\/pre>\n\n\n\nsystemctl restart oddjobd<\/code><\/pre>\n\n\n\nRunning SSSD<\/h3>\n\n\n\n
sssctl config-check<\/code><\/pre>\n\n\n\nFile ownership and permissions check failed. Expected root:root and 0600.<\/code><\/pre>\n\n\n\n\/etc\/sssd\/<\/code> for the owner (root).<\/p>\n\n\n\nchown -R root: \/etc\/sssd<\/code><\/pre>\n\n\n\nchmod 600 -R \/etc\/sssd<\/code><\/pre>\n\n\n\nsystemctl enable --now sssd<\/code><\/pre>\n\n\n\nsystemctl status sssd<\/code><\/pre>\n\n\n\n\n\u25cf sssd.service - System Security Services Daemon\n Loaded: loaded (\/usr\/lib\/systemd\/system\/sssd.service; enabled; vendor preset: enabled)\n Active: active (running) since Sat 2021-06-19 05:43:33 EDT; 13min ago\n Main PID: 892 (sssd)\n Tasks: 3 (limit: 11256)\n Memory: 12.0M\n CGroup: \/system.slice\/sssd.service\n \u251c\u2500892 \/usr\/sbin\/sssd -i --logger=files\n \u251c\u2500941 \/usr\/libexec\/sssd\/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files\n \u2514\u2500946 \/usr\/libexec\/sssd\/sssd_nss --uid 0 --gid 0 --logger=files\n\nJun 19 05:43:17 localhost.localdomain systemd[1]: Starting System Security Services Daemon...\nJun 19 05:43:28 localhost.localdomain sssd[sssd][892]: Starting up\nJun 19 05:43:29 localhost.localdomain sssd[be[implicit_files]][941]: Starting up\nJun 19 05:43:32 localhost.localdomain sssd[nss][946]: Starting up\nJun 19 05:43:33 localhost.localdomain systemd[1]: Started System Security Services Daemon.\n<\/code><\/pre>\n\n\n\nTest OpenLDAP Authentication via SSSD<\/h3>\n\n\n\n
id<\/code> command.<\/p>\n\n\n\nid johndoe<\/code><\/pre>\n\n\n\nuid=10000(johndoe) gid=10000(johndoe) groups=10000(johndoe)<\/code><\/pre>\n\n\n\nsssd<\/code><\/strong> logs.<\/p>\n\n\n\nsystemctl restart sssd<\/code><\/pre>\n\n\n\nid<\/code> command.<\/p>\n\n\n\nssh -l johndoe localhost<\/code><\/pre>\n\n\n\nThe authenticity of host 'localhost (::1)' can't be established.\nECDSA key fingerprint is SHA256:WuslT7dUhvAkOndw1DZEgJ46bzVUbzewVU9RYcWmPg8.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added 'localhost' (ECDSA) to the list of known hosts.\njohndoe@localhost's password: ENTER USER's LDAP Password<\/strong><\/code><\/pre>\n\n\n\nVerify that you got sudo rights.<\/h3>\n\n\n\n
export SUDOERS_BASE=ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com<\/code><\/pre>\n\n\n\nldapsearch -b \"$SUDOERS_BASE\" -D cn=admin,dc=ldapmaster,dc=kifarunix-demo,dc=com -W -x<\/code><\/pre>\n\n\n\n...\n# sudo, SUDOers, ldapmaster.kifarunix-demo.com\ndn: cn=sudo,ou=SUDOers,dc=ldapmaster,dc=kifarunix-demo,dc=com\nobjectClass: top\nobjectClass: sudoRole\ncn: sudo\nsudoUser: johndoe\nsudoHost: ALL\nsudoRunAsUser: ALL\nsudoCommand: ALL\n...<\/code><\/pre>\n\n\n\n[johndoe@localhost ~]$ sudo -l<\/code><\/pre>\n\n\n\nWe trust you have received the usual lecture from the local System\nAdministrator. It usually boils down to these three things:\n\n #1) Respect the privacy of others.\n #2) Think before you type.\n #3) With great power comes great responsibility.\n\n[sudo] password for johndoe: \nSorry, user johndoe may not run sudo on localhost.<\/strong><\/code><\/pre>\n\n\n\nsudo -l<\/code><\/pre>\n\n\n\n\n[sudo] password for johndoe: \nMatching Defaults entries for johndoe on localhost:\n !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin, env_reset, env_keep=\"COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS\", env_keep+=\"MAIL\n PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE\", env_keep+=\"LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES\", env_keep+=\"LC_MONETARY LC_NAME LC_NUMERIC\n LC_PAPER LC_TELEPHONE\", env_keep+=\"LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY\", secure_path=\/sbin\\:\/bin\\:\/usr\/sbin\\:\/usr\/bin, !visiblepw, always_set_home,\n match_group_by_gid, always_query_group_plugin, env_reset, env_keep=\"COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS\", env_keep+=\"MAIL PS1 PS2 QTDIR USERNAME LANG\n LC_ADDRESS LC_CTYPE\", env_keep+=\"LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES\", env_keep+=\"LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE\",\n env_keep+=\"LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY\", env_keep+=SSH_AUTH_SOCK, secure_path=\/sbin\\:\/bin\\:\/usr\/sbin\\:\/usr\/bin\n\nUser johndoe may run the following commands on localhost:\n (ALL) ALL\n<\/code><\/pre>\n\n\n\n