1. Install the OpenLDAP client packages (the library plus the ldapsearch/ldapwhoami tools, useful for troubleshooting later).
yum install openldap openldap-clients
2. Install the sssd and sssd-client packages.
yum install sssd sssd-client
3. Modify /etc/openldap/ldap.conf to contain the proper server and search base information for the organization.
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://ldap.sabagus.com:389
BASE dc=sabagus,dc=com
4. Modify /etc/nsswitch.conf to use sss.
passwd: files sss
shadow: files sss
group: files sss
5. Configure the LDAP client by using sssd.
The sssd configuration is located at /etc/sssd/sssd.conf.
Example (here the domain is set to sabagus.com). Note that, as written, this example turns TLS off: ldap_id_use_start_tls = False and ldap_auth_disable_tls_never_use_in_production = true together make sssd send each user's password to the server in a cleartext simple bind over plain TCP. That is acceptable only on an isolated lab network. For anything else, set ldap_id_use_start_tls = True (or point ldap_uri at an ldaps:// URI on port 636), remove the ldap_auth_disable_tls_never_use_in_production line, and keep ldap_tls_cacertdir pointing at a directory that contains the issuing CA certificate so the server certificate is verified.
[domain/sabagus.com]
autofs_provider = ldap
cache_credentials = False
ldap_search_base = dc=sabagus,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.sabagus.com:389
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
ldap_auth_disable_tls_never_use_in_production = true
use_fully_qualified_names = True
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = sabagus.com
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
[autofs]
6. Configure PAM to use sssd
Add the pam_sss.so entries shown below to /etc/pam.d/password-auth and /etc/pam.d/system-auth. Both files are generated by authconfig (as their header comments say), so hand edits are lost the next time authconfig runs; on RHEL/CentOS 6 the same stacks are produced by running authconfig with --enablesssd and --enablesssdauth and --update. In the auth stack, pam_unix.so is tried first for local accounts and pam_sss.so is reached only for UIDs of 500 and above, so system accounts never fall through to LDAP.
Example of /etc/pam.d/password-auth is:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
Example of /etc/pam.d/system-auth is:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
7. Start sssd
sssd refuses to start unless /etc/sssd/sssd.conf is owned by root and mode 0600, so fix the permissions first (the file can hold bind credentials):
chmod 0600 /etc/sssd/sssd.conf
/etc/init.d/sssd start
Use chkconfig sssd on so the service also starts at boot. Troubleshoot issues by checking /var/log/sssd/sssd.log and the per-domain log /var/log/sssd/sssd_sabagus.com.log; raise debug_level in the relevant section of sssd.conf if they are not detailed enough.
8. Test by looking up a user that exists only on the LDAP server. The uid and gid below come from LDAP, and the names carry the @sabagus.com suffix because use_fully_qualified_names = True.
# id someuser@sabagus.com
uid=10002(someuser@sabagus.com) gid=15000(somegroup@sabagus.com)
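The setup above works with TLS disabled, which is easy to leave in place by accident. The following script is an added example, not part of the original post: it lints the security-relevant lines of an sssd.conf [domain] section and shows the post's weak settings beside a hardened equivalent. The three config samples are constructed here for illustration; the hardened one assumes the LDAP server offers STARTTLS on port 389 and that its issuing CA certificate is in /etc/openldap/cacerts. The option names and values are the ones documented in sssd-ldap(5).

```shell
#!/bin/sh
# Added example (not from the original post): lint an sssd.conf for the
# cleartext-LDAP settings used in the tutorial and show a hardened variant.

# lint_sssd_conf: reads sssd.conf text on stdin and prints one "FAIL: ..."
# line per weak setting found; prints nothing when the config passes.
lint_sssd_conf() {
    # Normalise: drop comments and blank lines, strip indentation, lowercase.
    norm=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e '/^[[:space:]]*$/d' | tr 'A-Z' 'a-z')

    # 1. The option whose own name says never to use it in production: it
    #    lets sssd send the user's password in a simple bind over plain TCP.
    if printf '%s\n' "$norm" | grep -Eq '^ldap_auth_disable_tls_never_use_in_production[[:space:]]*=[[:space:]]*true'; then
        echo "FAIL: ldap_auth_disable_tls_never_use_in_production is true (cleartext binds allowed)"
    fi

    # 2. A plain ldap:// URI without STARTTLS exposes every identity lookup
    #    (and the bind DN/password, if one is configured) on the wire.
    #    An ldaps:// URI is already TLS and does not need this option.
    if printf '%s\n' "$norm" | grep -Eq '^ldap_uri[[:space:]]*=.*ldap://' &&
       ! printf '%s\n' "$norm" | grep -Eq '^ldap_id_use_start_tls[[:space:]]*=[[:space:]]*true'; then
        echo "FAIL: ldap:// URI without ldap_id_use_start_tls = True"
    fi

    # 3. TLS with certificate checking off is still open to anyone who can
    #    put a fake LDAP server on the path (sssd's default is hard/demand).
    if printf '%s\n' "$norm" | grep -Eq '^ldap_tls_reqcert[[:space:]]*=[[:space:]]*(never|allow)'; then
        echo "FAIL: ldap_tls_reqcert does not verify the server certificate"
    fi
}

# count_findings: number of FAIL lines lint_sssd_conf prints for stdin.
count_findings() {
    lint_sssd_conf | grep -c '^FAIL:' || true
}

# Constructed sample 1: the security-relevant lines of the post's [domain]
# section, exactly as the tutorial sets them.
WEAK_CONF='[domain/sabagus.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.sabagus.com:389
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_auth_disable_tls_never_use_in_production = true'

# Constructed sample 2: the hardened equivalent. Assumes the server offers
# STARTTLS on 389 and that its issuing CA is in /etc/openldap/cacerts.
HARDENED_CONF='[domain/sabagus.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.sabagus.com:389
ldap_id_use_start_tls = True
ldap_tls_reqcert = demand
ldap_tls_cacertdir = /etc/openldap/cacerts'

# Constructed sample 3: LDAPS on 636 (no STARTTLS needed) but with
# certificate verification switched off, which the third check catches.
LDAPS_NOVERIFY_CONF='[domain/sabagus.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.sabagus.com:636
ldap_tls_reqcert = allow'

echo "== tutorial config =="
printf '%s\n' "$WEAK_CONF" | lint_sssd_conf
echo "== hardened config =="
printf '%s\n' "$HARDENED_CONF" | lint_sssd_conf
echo "== ldaps without verification =="
printf '%s\n' "$LDAPS_NOVERIFY_CONF" | lint_sssd_conf
```

To check a live system, pipe the real file through the function (for example, cat /etc/sssd/sssd.conf | lint_sssd_conf) after sourcing the script; the tutorial's configuration produces two findings, the hardened one none. The lint only looks at the TLS-related keys, so it is a quick sanity check, not a substitute for reading the whole file.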