Versions Compared

Old Version 14

changes.mady.by.user Phillip Hanegan

Saved on

compared with

New Version Current

changes.mady.by.user Phillip Hanegan

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Home / Identity Administration / Computers / LDAP Virtual Directory / Current: Configuring LDAP Auth for Linux

Style
importhttps://docs.empowerid.com/docs.css
As a central source of user information, the EmpowerID Virtual Directory Server (VDS) can be leveraged as an authentication or identity provider for Linux servers. By making a few configuration changes, organizations can give users single sign-on capabilities to one or more Linux machines without requiring those users have accounts on those machines. In this way, organizations can simplify the processes for managing Linux users as the need for creating and maintaining accounts across multiple systems is negated. With the EmpowerID VDS, this information can be fully managed from one location—the EmpowerID Identity Warehouse.
Configuring LDAP authentication for Linux involves making a few configuration changes on each Linux machine for which you want to enable the feature. These changes include the following:
  • Installing the System Security Services Daemon (SSSD)
  • Configuring NSS services for SSSD
  • Editing the LDAP configuration file for your LDAP domain
  • Modifying PAM files
  • Creating a working SSSD configuration file
  • Starting the SSSD service


 Info
titlePrerequisites
Before configuring LDAP authentication for your Linux servers, you should install the EmpowerID Virtual Directory server. For more information, see Installing and Configuring the EmpowerID Virtual Directory Server.

To configure LDAP Auth for Linux

 Tip
This topic demonstrates how to configure LDAP authentication for Debian/Ubuntu and CentOS/RedHat distributions.

  1. Log into the target Linux server as an administrative user and install SSSD for your particular Linux distribution.
     Div
    stylemargin-top:-20px;
    classshort-code-block

     Code Block
    languagebash
    titleDebian/Ubuntu
    sudo apt-get install sssd sssd-tools


     Div
    classshort-code-block

     Code Block
    languagebash
    titleCentOS/RedHat
    sudo yum install sssd sssd-tools



  2. Next, open the nsswitch.conf file and verify SSSD. Change the file as needed so that you see the following values:
     Div
    classshort-code-block

     Code Block
    languagebash
    titleDebian/Ubuntu
    sudo vi /etc/nsswitch.conf
    passwd: compat sss
    group:  compat sss
    shadow: compat sss
    ...
    services:  db files sss


     Div
    classshort-code-block

     Code Block
    languagebash
    titleCentOS/RedHat
    sudo vi /etc/nsswitch.conf
    passwd: files sss
    group:  files sss
    shadow: files sss
    ...
    services: files sss
    ...



  3. Open the ldap.conf file and add the following to the end of the file to instruct SSSD to use the specified LDAP directory as the auth provider. This information consists of the mechanism for TLS, the URI and port for your LDAP server, as well as the search base.

     Info
    Be sure to replace serverFQDN:port with the FQDN and port of your EmopowerID LDAP server.

     Div
    classshort-code-block

     Code Block
    languagebash
    titleDebian/Ubuntu
    sudo vi /etc/ldap/ldap.conf
    TLS_CACERT /etc/ssl/certs/ca-certificates.crt
    URI ldaps://serverFQDN:port/
    BASE o=empowerid


     Div
    classshort-code-block

     Code Block
    languagebash
    titleCentOS/RedHat
    sudo vi /etc/openldap/ldap.conf
    TLS_CACERT /etc/ssl/certs/ca-certificates.crt
    URI ldaps://serverFQDN:port/
    BASE o=empowerid




  4. Next, configure PAM files for SSSD. In Debian/Ubuntu, this involves multiple files, whereas in CentOS/RedHat, you edit a single PAM file.

     Info
    The following examples include instructional comments. You can exclude these when altering your files.

     Div
    classshort-code-block

     Code Block
    languagebash
    titleDebian/Ubuntu
    sudo vi /etc/pam.d/common-account
# Add the following to the end of the file
account [default-bad success=ok user_unknow=ignore]  pam_sss.so
    
sudo vi /etc/pam.d/common-auth
# Add the following after pam_unix
auth  [success=1 default=ignore]  pam_sss.so use_first_pass
    
sudo vi /etc/pam.d/common-password
# Add the following to the beginning of the Session section
session  required  pam_mkhomedir.so umask=0022 skel=/etc/skel/
    
# Add the following after pam_unix.so
session  optional  pam_sss.so


     Div
    classshort-code-block

     Code Block
    languagebash
    themeDJango
    titleCentOS/RedHat
    cp /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-ac.orig && cp /etc/pam.d/password-auth-ac /etc/pam.d/password-auth-ac.orig
    
sudo vi /etc/pam.d/system-auth-ac
# In the auth section, after pam_succedd_if add the following:
auth  sufficient  pam_sss.so forward_pass
    
# In the account section, after pam_succeed_if add the following:
account  [default=bad success=ok user_unknown=ignore]  pam_sss.so
    
# In the password section, after pam_unix add the following:
password  sufficient  pam_sss.so use_authtok
    
# At the beginning of the session section, ensure the following is present:
session  required  pam_mkhomedir.so umask=0022 skel=/etc/skel/
    
# In the session section, after pam_unix add the following:
session  optional  pam_sss.so
    
cp -f /etc/pam.d/system-auth-ac /etc/pam.d/password-auth-ac



  5. Create an sssd.config file and give the sudo user read and write permissions to it. The procedure is the same for each distribution discussed in this topic.
     Div
    classshort-code-block

     Code Block
    languagebash
    themeDJango
    sudo vi /etc/sssd/sssd.conf
    
sudo chmod 0600 /etc/sssd/sssd.conf



  6. Open the sssd.conf file and add the following content to it. When doing so, replace serverFQDN:port with the FQDN and port of your EmpowerID LDAP server.
     Div
    classshort-code-block

     Code Block
    languagebash
    themeDJango
    [sssd]
config_file_version = 2
services = nss, pam
domains = EmpowerID
    
[nss]
    
[pam]
    
[domain/EmpowerID]
# Debug and Enumeration should only be on for testing/troubleshooting
# debug_level = 4
# enumerate = True
    
case_sensitive = False
auth_provider = ldap
id_provider = ldap
chpass_provider = ldap
    
# Set access_provder to simple to allow everyone.
# Alternately, use ldap and set ldap_access_filter below
# access_provider = ldap
access_provider = simple
    
# Set LDAP servers here
ldap_uri = ldaps://serverFQDN:port
    
# Set the search bases
ldap_search_base = o=empowerid
ldap_user_search_base = cn=people,o=empowerid
    
# bind credentials
# Run sss_obfuscate to make the password less readable
# ldap_default_bind_dn = cn=proxyuser,ou=Service Accounts,o=empowerid
# ldap_default_authtok = p@$$word
# ldap_default_authtok_type = password
    
# Set any attribute mappings needed here
ldap_user_object_class = eidPerson
ldap_user_name = uid
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_fullname = gecos
ldap_user_home_directory = homeDirectory
ldap_group_object_class = eidGroup
ldap_group_name = cn
    
# If access_provider = ldap above, set the filter here to allow access
# EXAMPLE: Allow users in server1 allow group
# ldap_access_filter = memberof=cn=server1 allow,ou=server access,o=empowerid
# Only allow Linus Torvalds or Stallman access to this server
# ldap_access_filter = (|(uid=ltorvalds)(uid=rms))



  7. Turn off SELinux on CentOS and RedHat.
     Div
    classshort-code-block

     Code Block
    languagebash
    themeDJango
    setenforce 0



  8. Start the SSSD service.
     Div
    classshort-code-block

     Code Block
    languagebash
    themeDJango
    titleDebian/Ubuntu
    sudo service sssd start


     Div
    classshort-code-block

     Code Block
    languagebash
    themeDJango
    titleCentOS/RedHat
    sudo systemctl start sssd