How to set up SSSD with LDAP

SSSD can also use LDAP for authentication, authorisation, and user/group information. In this section we will configure a host to authenticate users from an OpenLDAP directory.

Prerequisites and assumptions

For this setup, we need:

  • An existing OpenLDAP server with SSL enabled and using the RFC2307 schema for users and groups
  • A client host where we will install the necessary tools and login as a user from the LDAP server

Install necessary software

Install the following packages:

sudo apt install sssd-ldap ldap-utils

Configure SSSD

Create the /etc/sssd/sssd.conf configuration file, with permissions 0600 and ownership root:root, and add the following content:

[sssd]
config_file_version = 2
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap01.example.com
cache_credentials = True
ldap_search_base = dc=example,dc=com

Make sure to start the sssd service:

sudo systemctl start sssd.service

Note:
sssd will use START_TLS by default for authentication requests against the LDAP server (the auth_provider), but not for the id_provider, so user and group lookups travel over the plain ldap:// connection unless you also set ldap_id_use_start_tls = true in the domain section.
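As an added example (not part of the original guide), the following shell script writes a hardened variant of the sssd.conf above that also enables START_TLS for identity lookups, pins the CA bundle, and locks the file down to 0600 as required; it assumes the host and base DN from the guide and that the CA is trusted via update-ca-certificates, whose bundle lives at /etc/ssl/certs/ca-certificates.crt.

```shell
#!/bin/sh
# Added example, not part of the original guide: write a hardened sssd.conf that
# also encrypts identity (user/group) lookups and names the CA bundle to verify
# against, then lock the file down to 0600. Run as root so the file is root:root.
# Assumes ldap01.example.com / dc=example,dc=com from the guide and the Ubuntu CA
# bundle produced by update-ca-certificates (/etc/ssl/certs/ca-certificates.crt).

# write_sssd_conf DEST LDAP_URI SEARCH_BASE CA_BUNDLE
write_sssd_conf() {
    dest=$1; uri=$2; base=$3; cacert=$4
    umask 077   # create the file without group/other permissions from the start
    cat > "$dest" <<EOF
[sssd]
config_file_version = 2
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = $uri
ldap_search_base = $base
cache_credentials = True
# Use START_TLS for identity lookups too; sssd only does so for auth by default.
ldap_id_use_start_tls = true
# hard is already the default; stated explicitly so a later edit cannot relax it.
ldap_tls_reqcert = hard
ldap_tls_cacert = $cacert
EOF
    chmod 0600 "$dest"
}

# verify_sssd_conf FILE: succeed only if the mode is 0600 and both TLS settings
# are present, so a drifted or hand-edited file is caught before sssd restarts.
verify_sssd_conf() {
    f=$1
    [ -n "$(find "$f" -perm 0600)" ] || return 1
    grep -qx 'ldap_id_use_start_tls = true' "$f" || return 1
    grep -qx 'ldap_tls_reqcert = hard' "$f"
}

# Demo run into a temporary file; on a real client write /etc/sssd/sssd.conf as
# root and then run "sudo systemctl restart sssd".
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sssd_conf "$tmp" ldap://ldap01.example.com dc=example,dc=com \
        /etc/ssl/certs/ca-certificates.crt
    verify_sssd_conf "$tmp" && echo "sssd.conf OK"
    rm -f "$tmp"
fi
```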

Automatic home directory creation

To enable automatic home directory creation, run the following command:

sudo pam-auth-update --enable mkhomedir

Check SSL setup on the client

The client must be able to use START_TLS when connecting to the LDAP server, with full certificate checking. This means:

  • The client host knows and trusts the CA that signed the LDAP server certificate,
  • The server certificate was issued for the correct host (ldap01.example.com in this guide),
  • The time is correct on all hosts performing the TLS connection, and
  • Neither certificate (the CA's or the server's) has expired.

If using a custom CA, an easy way to have a host trust it is to place it in /usr/local/share/ca-certificates/ with a .crt extension and run sudo update-ca-certificates.

Alternatively, you can edit /etc/ldap/ldap.conf and point TLS_CACERT to the CA certificate file.

Note:
You may have to restart sssd after these changes: sudo systemctl restart sssd

Once that is all done, check that you can connect to the LDAP server using verified SSL connections:

$ ldapwhoami -x -ZZ -H ldap://ldap01.example.com
anonymous

and for ldaps (if enabled in /etc/default/slapd):

$ ldapwhoami -x -H ldaps://ldap01.example.com

The -ZZ parameter tells the tool to use START_TLS, and that it must not fail. If you have LDAP logging enabled on the server, it will show something like this:

slapd[779]: conn=1032 op=0 STARTTLS
slapd[779]: conn=1032 op=0 RESULT oid= err=0 text=
slapd[779]: conn=1032 fd=15 TLS established tls_ssf=256 ssf=256
slapd[779]: conn=1032 op=1 BIND dn="" method=128
slapd[779]: conn=1032 op=1 RESULT tag=97 err=0 text=
slapd[779]: conn=1032 op=2 EXT oid=1.3.6.1.4.1.4203.1.11.3
slapd[779]: conn=1032 op=2 WHOAMI
slapd[779]: conn=1032 op=2 RESULT oid= err=0 text=

START_TLS with err=0 and TLS established is what we want to see there, and, of course, the WHOAMI extended operation.
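The log sequence above can also be checked mechanically on the server side. As an added example (not from the original guide), the script below reads slapd log lines and flags any connection that performed a BIND without a preceding "TLS established", which is how an administrator spots clients still binding over plain ldap:// (for instance an id_provider left without ldap_id_use_start_tls); conn=1032 is the guide's excerpt, conn=1033 is a constructed line.

```shell
#!/bin/sh
# Added example, not part of the original guide: classify each connection in
# slapd log output as "tls" (TLS established before its first BIND) or
# "cleartext" (BIND with no TLS on that connection).
# conn=1032 is the guide's log excerpt; conn=1033 is constructed for the demo.
SAMPLE_LOG='slapd[779]: conn=1032 op=0 STARTTLS
slapd[779]: conn=1032 op=0 RESULT oid= err=0 text=
slapd[779]: conn=1032 fd=15 TLS established tls_ssf=256 ssf=256
slapd[779]: conn=1032 op=1 BIND dn="" method=128
slapd[779]: conn=1032 op=1 RESULT tag=97 err=0 text=
slapd[779]: conn=1033 op=0 BIND dn="uid=john,ou=People,dc=example,dc=com" method=128
slapd[779]: conn=1033 op=0 RESULT tag=97 err=0 text='

# classify_binds: reads slapd log lines on stdin and prints one line per
# connection that performed a BIND: "conn=N tls" or "conn=N cleartext dn=<dn>".
# ldaps:// sessions also log "TLS established", so they count as tls.
classify_binds() {
    awk '
        # $2 is the "conn=N" field on every slapd connection log line.
        /TLS established/ { split($2, c, "="); tls[c[2]] = 1 }
        / BIND / {
            split($2, c, "="); id = c[2]
            if (id in seen) next
            seen[id] = 1
            if (id in tls) { print "conn=" id " tls"; next }
            dn = $0; sub(/.* BIND /, "", dn); sub(/ method=.*/, "", dn)
            print "conn=" id " cleartext " dn
        }'
}

# count_cleartext_binds: number of connections that bound without TLS
# (an anonymous dn="" bind carries no password but still marks an unencrypted session).
count_cleartext_binds() {
    classify_binds | grep -c ' cleartext ' || true
}

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | classify_binds
    echo "cleartext binds: $(printf '%s\n' "$SAMPLE_LOG" | count_cleartext_binds)"
fi
```

On a real server, feed it the slapd lines from journalctl -u slapd or /var/log/syslog instead of SAMPLE_LOG.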

Final verification

In this example, the LDAP server has the following user and group entry we are going to use for testing:

dn: uid=john,ou=People,dc=example,dc=com
uid: john
objectClass: inetOrgPerson
objectClass: posixAccount
cn: John Smith
sn: Smith
givenName: John
mail: john@example.com
userPassword: johnsecret
uidNumber: 10001
gidNumber: 10001
loginShell: /bin/bash
homeDirectory: /home/john

dn: cn=john,ou=Group,dc=example,dc=com
cn: john
objectClass: posixGroup
gidNumber: 10001
memberUid: john

dn: cn=Engineering,ou=Group,dc=example,dc=com
cn: Engineering
objectClass: posixGroup
gidNumber: 10100
memberUid: john

The user john should be known to the system:

ubuntu@ldap-client:~$ getent passwd john
john:*:10001:10001:John Smith:/home/john:/bin/bash

ubuntu@ldap-client:~$ id john
uid=10001(john) gid=10001(john) groups=10001(john),10100(Engineering)

And we should be able to authenticate as john:

ubuntu@ldap-client:~$ sudo login
ldap-client login: john
Password:
Welcome to Ubuntu Focal Fossa (development branch) (GNU/Linux 5.4.0-24-generic x86_64)
(...)
Creating directory '/home/john'.
john@ldap-client:~$

Hi there! This might just be a me thing, but I believe this bullet would read/speak aloud better if “login as an user” were changed to “login as a user.” I think that “an” before the vowel is the grammatical rule, but my internal monologue reads it better as “as a user” :sweat_smile:. Let me know what you think.

Agreed, changed. Thanks.

Hi.
This command: “ldapwhoami -x -ZZ -h ldap01.example.com”. I changed ldap01.example.com to my domain, but it gives me the error “ldap_start_tls: Can’t contact LDAP server (-1)”.
Also, I configured LDAP with TLS.

Help me please.

Oh, good catch. In recent versions, the ldap command-line utilities dropped the -h parameter in favor of -H <ldapuri>. The above command should read ldapwhoami -x -ZZ -H ldap://ldap01.example.com. I’ll fix it.
