OpenLDAP + sssd ... the simple guide

By joe

August 22, 2016 - 3 minutes read - 448 words

Ok. Here’s the problem. Small environment for customers, whom are not really sure what they want and need for authentication. Yes, they asked us to use local users for the machines. No, the number of users was not small. AD may or may not be in the picture. Ok, I am combining two sets of users with common problems here. In one case, they wanted manual installation of many users onto machines without permanent config files. In another case I have to worry about admins whom don’t want the hassle of dealing with admin on many machines. Enter OpenLDAP. Its basically a read heavy directory service. Using lots of old (outdated) concepts. But it works fairly well once you get it setup. But getting it set up is annoying beyond belief. So much so, that people look to Microsoft AD as an easier LDAP. A single unified authentication/authorization panel for their windows/linux environment. For these cases, we don’t have buy in from the groups running the AD. So we can’t connect to it. Which means locally hosted LDAP. This part is doable in appliance form. It is still not user friendly by any measure. I don’t have problem with the configuration of the services … but they are beyond ugly. Not something we should be using in 2016. Then the client side. Originally in Linux, you used the PADL tools (ldap*). Like the whole LDAP system, it is … well … ugly. It is non-trivial to use. You have to be very careful of how you invoke it. Even for testing. So RedHat noticed this and wrote what is generally considered a saner version. SSSD. And it is generally better … sssd.conf is well documented, but there are few real working examples for you. So here is one. sssd.conf talking to a machine named ldap, which hosts an openldap database. Change your ldap_search_base and ldap_uri to point to what you need.

[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
[nss]
filter_users = root
filter_groups = root
[domain/LDAP]
enumerate = true
cache_credentials = true
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap
ldap_search_base = dc=unison,dc=local
# following is debian specific
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
entry_cache_timeout = 600
ldap_network_timeout = 2

then you need to modify some of the pam system to make sure it makes use of this. /etc/pam.d/common-password

password        sufficient                      pam_sss.so
password        [success=1 default=ignore]      pam_unix.so obscure try_first_pass sha512
password        requisite                       pam_deny.so
password        required                        pam_permit.so

/etc/pam.d/common-session

session [default=1]   pam_permit.so
session requisite     pam_deny.so
session required      pam_permit.so
session optional      pam_mkhomedir.so skel=/etc/skel umask=0077
session optional      pam_sss.so
session required      pam_unix.so

Then, when you do this right, your test user is visible.

getent passwd | grep testuser1
testuser1:*:1000:501:testuser1:/home/testuser1:/bin/bash