# SSSD configuration

> [!WARNING]
> Since we need to create custom user attributes, you must run the latest version of LLDAP: `stable` does not have this functionality yet.

The following configuration was tested on sssd version 2.9.1. It may not work on older versions.
To work properly SSSD also needs a correct openldap-client configuration.
## Packages

Here are the packages needed in Oracle Linux 9:

```
openldap-clients openldap-devel sssd sssd-ldap
```
## Configure OpenLDAP client

### Certificates - skip if you don't use LDAPS

- Place your certs in `/etc/openldap/certs`
- Run `openssl rehash /etc/openldap/certs`
### Config

Create or modify `/etc/openldap/ldap.conf`:

```
URI ldaps://LDAP_SERVER_URL # Use ldap:// if you don't use LDAPS
BASE dc=example,dc=com
TLS_CACERTDIR /etc/openldap/certs # Skip if you don't use LDAPS
ssl on # Skip if you don't use LDAPS
```
### Verify

To check if your config is correct you can use `ldapsearch`:

```sh
ldapsearch -x -D "uid=admin,ou=people,dc=example,dc=com" -w "${ADMIN_PASSWORD}" -b "ou=people,dc=example,dc=com"
```

The above command should return a list of your users.
## Prepare LLDAP

SSSD requires some specific setup.
All of your users need `uidnumber` and `gidnumber` - these are not generated by default in LLDAP.
To create these user attributes you can use either the web GUI or lldap-cli, but the web GUI does not support setting them.
To set these custom user attributes with lldap-cli:

```sh
# Login to your LLDAP server
eval $(lldap-cli -D admin -w abcd1234 login)
# Add uidnumber and gidnumber attributes
lldap-cli schema attribute user add uidnumber integer
lldap-cli schema attribute user add gidnumber integer
```
You must also manually set the above attributes for each user, e.g. for user `admin` with `uidnumber` 2000 and `gidnumber` 2000:

```sh
lldap-cli user update set admin uidnumber 2000
lldap-cli user update set admin gidnumber 2000
```
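Doing the step above by hand for every user is where duplicate or clashing ids slip in, and because file ownership is by number, an LDAP user that reuses a local account's uid effectively owns that account's files. The following script is an added example (not LLDAP project code) that allocates one unique number per user for both attributes, skipping ids already present in a constructed `/etc/passwd` excerpt and any ids already handed out, and renders the same `lldap-cli user update set` lines the page shows. The account names, the passwd contents and the `2001` "already taken" id are all hypothetical.

```python
"""Allocate unique uidNumber/gidNumber values for a list of LLDAP users and
emit the matching lldap-cli commands.  Added example, not LLDAP project code."""
import re

# Constructed excerpt of a host's /etc/passwd (hypothetical accounts); its
# uid/gid values are the numbers the LDAP users must not reuse.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
opc:x:1000:1000:Cloud user:/home/opc:/bin/bash
"""

# Conservative POSIX username pattern: anything else is refused rather than
# interpolated into a command line.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def local_ids(passwd_text):
    """Return every uid and gid present in passwd-format text."""
    used = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4:
            used.add(int(fields[2]))
            used.add(int(fields[3]))
    return used


def allocate_posix_ids(usernames, reserved, start=2000):
    """Map each username to one number used for both uidnumber and gidnumber
    (the uid == gid convention of the admin example above).  Numbers below
    1000 are refused to keep LDAP users out of the system account range, and
    any number in `reserved` (local ids, ids already set in LLDAP) is skipped."""
    if start < 1000:
        raise ValueError("start must be >= 1000 to stay out of the system uid range")
    ids = {}
    candidate = start
    for name in usernames:
        if not USERNAME_RE.match(name):
            raise ValueError(f"refusing unsafe username: {name!r}")
        while candidate in reserved or candidate in ids.values():
            candidate += 1
        ids[name] = candidate
        candidate += 1
    return ids


def lldap_cli_commands(ids):
    """Render the `lldap-cli user update set` lines for each allocated id."""
    cmds = []
    for name, number in ids.items():
        cmds.append(f"lldap-cli user update set {name} uidnumber {number}")
        cmds.append(f"lldap-cli user update set {name} gidnumber {number}")
    return cmds


if __name__ == "__main__":
    # 2001 stands in for an id already assigned to some other LLDAP user.
    reserved = local_ids(LOCAL_PASSWD) | {2001}
    for cmd in lldap_cli_commands(allocate_posix_ids(["admin", "alice"], reserved)):
        print(cmd)
```

Run it after the `eval $(lldap-cli ... login)` step and pipe the printed lines through `sh` once you have reviewed them; the allocation is deterministic, so re-running it with the same inputs reproduces the same mapping.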
> [!WARNING]
> To set each user's home directory, use the `homeDirectory` attribute. It can also simply be hardcoded in SSSD (as shown below).
> To override a user's shell you can use the `loginShell` attribute.

To make groups discoverable by SSSD you need to add the `posixGroup` objectClass:

```sh
lldap-cli schema objectclass group add posixGroup
```
## Configure SSSD

- Configure System Services for SSSD:

  ```sh
  authselect select sssd
  ```

- Create or modify `/etc/sssd/sssd.conf`:

  ```ini
  [domain/default]
  ldap_uri = ldaps://LDAP_SERVER_URL # Use ldap:// if you don't use LDAPS
  ldap_default_bind_dn = uid=admin,ou=people,dc=example,dc=com
  ldap_default_authtok = ADMIN_PASSWORD
  ldap_search_base = dc=example,dc=com
  ldap_tls_reqcert = allow # Skip if you don't use LDAPS
  ldap_tls_cacertdir = /etc/openldap/certs # Skip if you don't use LDAPS
  ldap_schema = rfc2307bis
  enumerate = true
  cache_credentials = true
  id_provider = ldap
  auth_provider = ldap
  chpass_provider = ldap
  override_homedir = /home/ldapusers # Skip if you use homeDirectory attribute
  default_shell = /bin/bash

  [sssd]
  services = nss, pam, ssh, sudo
  config_file_version = 2
  domains = default
  ```

  Remember to set correct permissions for `sssd.conf`:

  ```sh
  chmod 600 /etc/sssd/sssd.conf
  ```

- Start sssd daemon:

  ```sh
  systemctl start sssd
  ```
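Two settings in the file above deserve a second look before the host goes into service: `ldap_default_authtok` puts the bind password on disk (hence the `chmod 600`), and `ldap_tls_reqcert = allow` tells SSSD to proceed even when the server presents a bad certificate, so LDAPS no longer protects the bind against an impostor server; `demand` with a configured CA directory is the hardened value. The script below is an added example (not LLDAP or SSSD code) that parses a constructed `sssd.conf` in the page's layout and reports these weak settings next to their fix; the host name in the sample is hypothetical.

```python
"""Audit the [domain/...] section of an sssd.conf for settings that weaken the
LDAP connection, and check the file mode the page requires.  Added example,
not part of the LLDAP or SSSD projects."""
import configparser
import stat

# Constructed sample in the layout of the page's sssd.conf (hypothetical host).
SAMPLE_CONF = """\
[domain/default]
ldap_uri = ldaps://ldap.example.com
ldap_default_bind_dn = uid=admin,ou=people,dc=example,dc=com
ldap_default_authtok = ADMIN_PASSWORD
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = allow
ldap_tls_cacertdir = /etc/openldap/certs
ldap_schema = rfc2307bis
id_provider = ldap
auth_provider = ldap

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = default
"""


def parse_sssd_conf(text):
    """Parse sssd.conf as INI.  Trailing '# ...' comments are stripped here so
    the page's annotated sample can be fed in; this says nothing about how
    sssd itself treats them."""
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=("#",))
    cp.read_string(text)
    return cp


def audit_domain(cp, domain="default"):
    """Return findings as dicts (key, severity, problem, fix) in file order."""
    sec = cp[f"domain/{domain}"]
    findings = []
    uri = sec.get("ldap_uri", "").strip()
    start_tls = sec.getboolean("ldap_id_use_start_tls", fallback=False)
    if uri.startswith("ldap://") and not start_tls:
        findings.append({"key": "ldap_uri", "severity": "high",
                         "problem": "bind DN and password are sent in cleartext",
                         "fix": "use ldaps:// or set ldap_id_use_start_tls = true"})
    # SSSD's default for ldap_tls_reqcert is 'hard'; 'never' and 'allow' let
    # the session continue with a bad or missing server certificate.
    reqcert = sec.get("ldap_tls_reqcert", "hard").strip().lower()
    if reqcert in ("never", "allow"):
        findings.append({"key": "ldap_tls_reqcert", "severity": "high",
                         "problem": f"ldap_tls_reqcert = {reqcert} does not verify the server certificate",
                         "fix": "set ldap_tls_reqcert = demand and point ldap_tls_cacertdir or ldap_tls_cacert at your CA"})
    if (uri.startswith("ldaps://") or start_tls) and not (
            sec.get("ldap_tls_cacertdir") or sec.get("ldap_tls_cacert")):
        findings.append({"key": "ldap_tls_cacert", "severity": "high",
                         "problem": "TLS is used but no trust anchor is configured",
                         "fix": "set ldap_tls_cacertdir = /etc/openldap/certs (after openssl rehash)"})
    if sec.get("ldap_default_authtok"):
        findings.append({"key": "ldap_default_authtok", "severity": "medium",
                         "problem": "the bind password is stored in the file",
                         "fix": "keep the file root-owned with mode 0600 (chmod 600 /etc/sssd/sssd.conf)"})
    return findings


def mode_is_private(mode):
    """True when a file mode grants nothing to group or others, e.g. 0o600."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


if __name__ == "__main__":
    for f in audit_domain(parse_sssd_conf(SAMPLE_CONF)):
        print(f"[{f['severity']}] {f['key']}: {f['problem']} -> {f['fix']}")
    print("mode 0600 private:", mode_is_private(0o600))
```

To audit the real file, read `/etc/sssd/sssd.conf` into `parse_sssd_conf` and pass `os.stat(path).st_mode` to `mode_is_private`; on the sample above the report lists the `allow` setting and the stored password, and flipping `allow` to `demand` leaves only the password finding.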
### Verify

To check if SSSD works correctly:

```sh
getent passwd <UID>
```

The above command should return the passwd entry for your user.
## SUDO

Since LLDAP does not have the `sudoRole` objectClass, to allow access to sudo you must use groups and manually modify `sudoers` on each host.
The group you want to use must have the `gidnumber` attribute.
For example, to allow any user in the group with gidNumber 2000 to run any sudo command, append the following to `sudoers` (`visudo`):

```
%#2000 ALL=(ALL:ALL) ALL
```