lldap/example_configs/sssd.md

# SSSD configuration

> [!WARNING]
> Since we need to create custom user attributes, you must run the latest version of LLDAP; stable does not have this functionality yet.

The following configuration was tested on sssd version 2.9.1. It may not work on older versions.

To work properly, SSSD also needs a correct openldap-client configuration.

## Packages

Here are the packages needed in Oracle Linux 9:

```
openldap-clients openldap-devel sssd sssd-ldap
```

## Configure OpenLDAP client

### Certificates - skip if you don't use LDAPS

  1. Place your certs in `/etc/openldap/certs`
  2. Run `openssl rehash /etc/openldap/certs`

### Config

Create or modify `/etc/openldap/ldap.conf`. The comments are kept on their own lines, because `ldap.conf` only treats whole lines starting with `#` as comments; a trailing `# ...` would be read as part of the value.

```
# Use ldap:// if you don't use LDAPS
URI ldaps://LDAP_SERVER_URL
BASE dc=example,dc=com
# Skip the next two lines if you don't use LDAPS
TLS_CACERTDIR /etc/openldap/certs
ssl on
```

### Verify

To check if your config is correct you can use ldapsearch:

```shell
ldapsearch -x -D "uid=admin,ou=people,dc=example,dc=com" -w "${ADMIN_PASSWORD}" -b "ou=people,dc=example,dc=com"
```

The above command should return a list of your users.

## Prepare LLDAP

SSSD requires some specific setup.

All of your users need `uidnumber` and `gidnumber`; these are not generated by default in LLDAP.

To create these user attributes you can use either the web GUI or lldap-cli, but the web GUI does not support setting them on users.

To set these custom user attributes with lldap-cli:

```shell
# Login to your LLDAP server
eval $(lldap-cli -D admin -w abcd1234 login)

# Add uidnumber and gidnumber attributes
lldap-cli schema attribute user add uidnumber integer
lldap-cli schema attribute user add gidnumber integer
```

You must also manually set the above attributes for each user, e.g. for user admin with uidnumber 2000 and gidnumber 2000:

```shell
lldap-cli user update set admin uidnumber 2000
lldap-cli user update set admin gidnumber 2000
```

> [!WARNING]
> To set each user's home directory, use the `homeDirectory` attribute. It can also simply be hardcoded in SSSD (as shown below).

To override a user's shell you can use the `loginShell` attribute.

To make groups discoverable by SSSD you need to add the `posixGroup` objectClass:

```shell
lldap-cli schema objectclass group add posixGroup
```
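
The per-user `uidnumber`/`gidnumber` step above is easy to miss for a single account, and SSSD cannot map such an account to a passwd entry. As an added check that is not part of the LLDAP docs, the following script pipes the output of the `ldapsearch` command from the OpenLDAP Verify section through an awk filter that reports every entry still lacking one of the two attributes. The sample LDIF it runs on is constructed, and `find_missing_posix_attrs` and `audit_sample` are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the LLDAP docs: audit the LDIF that the
# ldapsearch command from the Verify step prints and list the user entries
# that still lack uidNumber or gidNumber. SSSD cannot build a passwd entry
# for such users, so this catches missed "lldap-cli user update set" steps.
#
# Live usage (-LLL suppresses the ldapsearch header lines):
#   ldapsearch -LLL -x -D "uid=admin,ou=people,dc=example,dc=com" \
#       -w "${ADMIN_PASSWORD}" -b "ou=people,dc=example,dc=com" \
#       | find_missing_posix_attrs

# Read LDIF on stdin; print "<dn>: <missing attributes>" for every entry
# that lacks uidNumber and/or gidNumber. Attribute names are compared
# case-insensitively, as LDAP does. Folded continuation lines and base64
# "dn::" values are not unfolded, which is fine for short entries like these.
find_missing_posix_attrs() {
    awk '
        # Entries are separated by blank lines; report the finished one.
        function flush() {
            if (dn != "") {
                missing = ""
                if (!has_uid) missing = missing " uidNumber"
                if (!has_gid) missing = missing " gidNumber"
                if (missing != "") print dn ":" missing
            }
            dn = ""; has_uid = 0; has_gid = 0
        }
        /^dn: /                       { dn = substr($0, 5) }
        tolower($0) ~ /^uidnumber: /  { has_uid = 1 }
        tolower($0) ~ /^gidnumber: /  { has_gid = 1 }
        /^$/                          { flush() }
        END                           { flush() }
    '
}

# Constructed sample output (not captured from a real server): admin is
# complete, alice lacks uidNumber, bob lacks both attributes.
SAMPLE_LDIF='dn: uid=admin,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: admin
uidNumber: 2000
gidNumber: 2000

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
gidNumber: 2001

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
'

# Run the audit over the constructed sample; one line per incomplete user.
audit_sample() {
    printf '%s\n' "$SAMPLE_LDIF" | find_missing_posix_attrs
}

audit_sample
```

Running the block prints `uid=alice,...: uidNumber` and `uid=bob,...: uidNumber gidNumber`; the complete `admin` entry produces no output. Against a live server, an empty result means every user in `ou=people` carries both attributes.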

## Configure SSSD

  1. Configure System Services for SSSD:

     ```shell
     authselect select sssd
     ```

  2. Create or modify `/etc/sssd/sssd.conf`. The comments are kept on their own lines, since sssd.conf treats only whole lines starting with `#` as comments and a trailing `# ...` would become part of the value:

     ```ini
     [domain/default]
     # Use ldap:// if you don't use LDAPS
     ldap_uri               = ldaps://LDAP_SERVER_URL
     ldap_default_bind_dn   = uid=admin,ou=people,dc=example,dc=com
     ldap_default_authtok   = ADMIN_PASSWORD
     ldap_search_base       = dc=example,dc=com
     # Skip the next two lines if you don't use LDAPS
     ldap_tls_reqcert       = allow
     ldap_tls_cacertdir     = /etc/openldap/certs
     ldap_schema            = rfc2307bis

     enumerate              = true
     cache_credentials      = true

     id_provider            = ldap
     auth_provider          = ldap
     chpass_provider        = ldap

     # Skip if you use the homeDirectory attribute
     override_homedir       = /home/ldapusers
     default_shell          = /bin/bash

     [sssd]
     services               = nss, pam, ssh, sudo
     config_file_version    = 2

     domains                = default
     ```

     Note that `ldap_tls_reqcert = allow` lets SSSD proceed even when the server certificate fails verification; once your CA is in `/etc/openldap/certs`, `demand` is the stricter setting.

     Remember to set correct permissions for sssd.conf:

     ```shell
     chmod 600 /etc/sssd/sssd.conf
     ```

  3. Start the sssd daemon:

     ```shell
     systemctl start sssd
     ```
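
Before starting the daemon it is worth checking the file you just wrote. The script below is an added example, not part of the LLDAP docs or of sssd: `check_sssd_conf` (a name chosen here) verifies the mode that the `chmod 600` step sets, flags `ldap_tls_reqcert` values other than `demand`/`hard` when the URI is `ldaps://`, and catches trailing `# ...` comments on `key = value` lines, which sssd.conf does not support. The two sample configs it runs against are constructed.

```shell
#!/bin/sh
# Added example, not part of the LLDAP docs: sanity-check an sssd.conf
# written from the template above before starting the daemon. Each finding
# is printed on one line and the function returns the number of findings.
#
#   1. mode must be exactly 600: the file holds ldap_default_authtok in
#      clear text, and sssd refuses a group/world-readable config;
#   2. with an ldaps:// URI, ldap_tls_reqcert should be "demand" or "hard"
#      ("allow" and "never" accept a certificate that fails validation);
#   3. no trailing "# ..." on key = value lines: sssd.conf treats only whole
#      lines starting with # as comments, so the text becomes part of the
#      value and e.g. ldap_uri no longer parses as a URI.

check_sssd_conf() {
    conf="$1"
    findings=0

    # 1. Permissions, read from ls(1) because stat(1) flags differ between
    #    GNU and BSD; the first ten characters are the type and mode bits.
    mode="$(ls -ld "$conf" | cut -c1-10)"
    if [ "$mode" != "-rw-------" ]; then
        echo "mode is $mode, expected -rw------- (chmod 600 $conf)"
        findings=$((findings + 1))
    fi

    # 2. Certificate verification level; "hard" is the sssd default when unset.
    if grep -Eq '^[[:space:]]*ldap_uri[[:space:]]*=.*ldaps://' "$conf"; then
        reqcert="$(awk '/^[ \t]*ldap_tls_reqcert[ \t]*=/ {
                         sub(/^[^=]*=[ \t]*/, ""); print $1 }' "$conf" | tail -n 1)"
        case "${reqcert:-hard}" in
            demand|hard) ;;
            *) echo "ldap_tls_reqcert is '$reqcert', expected demand or hard with ldaps://"
               findings=$((findings + 1)) ;;
        esac
    fi

    # 3. Inline comments that would end up inside a value.
    inline_re='^[[:space:]]*[^#[:space:]][^=]*=[^#]*#'
    inline="$(grep -Ec "$inline_re" "$conf" || true)"
    if [ "$inline" -gt 0 ]; then
        grep -En "$inline_re" "$conf" | sed 's/^/inline comment becomes part of the value at line /'
        findings=$((findings + inline))
    fi

    return "$findings"
}

# Constructed sample configs (not from a real host): "weak" has trailing
# comments and ldap_tls_reqcert = allow, "fixed" resolves both.
sample_conf() {
    case "$1" in
        weak) cat <<'EOF'
[domain/default]
ldap_uri               = ldaps://LDAP_SERVER_URL # Use ldap:// if you don't use LDAPS
ldap_default_authtok   = ADMIN_PASSWORD
ldap_tls_reqcert       = allow # Skip if you don't use LDAPS
ldap_tls_cacertdir     = /etc/openldap/certs
id_provider            = ldap
[sssd]
services               = nss, pam
config_file_version    = 2
domains                = default
EOF
        ;;
        fixed) cat <<'EOF'
[domain/default]
# Use ldap:// if you don't use LDAPS
ldap_uri               = ldaps://LDAP_SERVER_URL
ldap_default_authtok   = ADMIN_PASSWORD
ldap_tls_reqcert       = demand
ldap_tls_cacertdir     = /etc/openldap/certs
id_provider            = ldap
[sssd]
services               = nss, pam
config_file_version    = 2
domains                = default
EOF
        ;;
    esac
}

# Demo: check both samples from a temporary file that already has mode 600.
for variant in weak fixed; do
    tmp="$(mktemp)"
    sample_conf "$variant" > "$tmp"
    chmod 600 "$tmp"
    echo "== $variant sample =="
    rc=0
    check_sssd_conf "$tmp" || rc=$?
    echo "$rc finding(s)"
    rm -f "$tmp"
done
```

On a real host run `check_sssd_conf /etc/sssd/sssd.conf` and treat a non-zero return as a reason not to start sssd yet; the weak sample yields three findings (two inline comments plus the `allow` level) and the fixed sample none.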

### Verify

To check if SSSD works correctly:

```shell
getent passwd <UID>
```

The above command should return the passwd entry for your user.

## SUDO

Since LLDAP does not have a sudoRole objectClass, to allow access to sudo you must use groups and manually modify sudoers on each host.

The group you want to use must have the `gidnumber` attribute.

For example, to allow any user in the group with gidNumber 2000 to run any sudo command, append the following to sudoers (with `visudo`):

```
%#2000 ALL=(ALL:ALL) ALL
```