You are viewing an earlier version of the admin guide. For the latest version, please visit EmpowerID Admin Guide v7.211.0.0.
Configuring LDAP Auth for Linux
As a central source of user information, the EmpowerID Virtual Directory Server (VDS) can be used as the authentication and identity provider for Linux servers. With a few configuration changes, organizations can give users single sign-on to one or more Linux machines without requiring those users to have local accounts on those machines. This simplifies Linux user management, because accounts no longer have to be created and maintained on each system. With the EmpowerID VDS, this information is managed from one location, the EmpowerID Identity Warehouse.
Configuring LDAP authentication for Linux involves making a few configuration changes on each Linux machine for which you want to enable the feature. These changes include the following:
Installing the System Security Services Daemon (SSSD)
Configuring NSS services for SSSD
Editing the LDAP configuration file for your LDAP domain
Modifying PAM files
Creating a working SSSD configuration file
Starting the SSSD service
Prerequisites
Before configuring LDAP authentication for your Linux servers, you should install the EmpowerID Virtual Directory server. For more information, see Installing and Configuring the EmpowerID Virtual Directory Server.
To configure LDAP Auth for Linux
This topic demonstrates how to configure LDAP authentication for Debian/Ubuntu and CentOS/RedHat distributions.
Log into the target Linux server as an administrative user and install SSSD for your particular Linux distribution (on Debian/Ubuntu the sssd, libnss-sss and libpam-sss packages; on CentOS/RedHat the sssd package).
Next, open the nsswitch.conf file and verify that SSSD is consulted for user and group lookups. Change the file as needed so that the passwd, group and shadow databases include sss (for example, "files sss").
Open the ldap.conf file and add the following to the end of the file. This information consists of the TLS settings (the CA certificate and the certificate-check mode), the URI and port of your LDAP server, and the search base. Note that ldap.conf is read by the OpenLDAP client library, so it governs tools such as ldapsearch and lets you test the connection to the EmpowerID VDS from the command line; SSSD takes its own URI, search base and TLS settings from sssd.conf.
Next, configure PAM for SSSD. In Debian/Ubuntu this involves multiple files under /etc/pam.d (or the pam-auth-update helper), whereas in CentOS/RedHat you edit a single PAM file (system-auth) or use the authconfig/authselect helper.
Create the /etc/sssd/sssd.conf file, owned by root with mode 0600 (read and write for the owner only). SSSD refuses to start if the file is readable or writable by other users, because it may contain bind credentials. The procedure is the same for each distribution discussed in this topic.
Open the sssd.conf file and add the following content to it. When doing so, replace serverFQDN:port with the FQDN and port of your EmpowerID LDAP server. Keep the TLS settings that verify the server certificate (ldap_tls_reqcert = demand and a ldap_tls_cacert pointing at your CA); lowering them exposes user passwords to a spoofed server.
On CentOS and RedHat the guide turns off SELinux. Be aware that disabling SELinux host-wide removes a defense layer from the whole server; a safer course is to put it in permissive mode only while troubleshooting (setenforce 0) and to check the audit log for denials against the sssd processes before deciding whether any policy change is needed at all.
Start the SSSD service and enable it at boot, then confirm the integration works by looking up a directory user with getent passwd <username> and id <username>; a user that resolves without a local entry in /etc/passwd is coming from the EmpowerID VDS.
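The procedure above as one script, added here as an example and not taken from the EmpowerID guide or product: it renders a TLS-only sssd.conf for an LDAP domain, enforces the 0600 permission SSSD insists on, adds sss to nsswitch.conf, and wires up PAM with each distribution's own helper. The domain name "empowerid", the server ldap://vds.example.com:389, the base DN dc=example,dc=com and the CA path are assumed values; the search-base and port for a real deployment come from your VDS installation.

```bash
#!/usr/bin/env bash
# Added example (not from the EmpowerID guide): SSSD-side configuration for an
# LDAP identity/auth provider, plus the checks a practitioner runs before
# starting the service. Server names, base DNs and CA paths are assumptions.
set -euo pipefail

# Render sssd.conf for one LDAP domain. Lookups use STARTTLS and the server
# certificate is verified against CACERT. SSSD never sends a password without
# TLS, but ldap_tls_reqcert=demand also stops a spoofed server on lookups.
# usage: render_sssd_conf DOMAIN LDAP_URI SEARCH_BASE CACERT OUTFILE
render_sssd_conf() {
  local domain="$1" uri="$2" base="$3" cacert="$4" out="$5"
  ( umask 077                       # create the file 0600 from the start
    cat > "$out" <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = ${domain}

[domain/${domain}]
id_provider = ldap
auth_provider = ldap
ldap_uri = ${uri}
ldap_search_base = ${base}
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = ${cacert}
cache_credentials = true
enumerate = false

[nss]
[pam]
EOF
  )
  chmod 0600 "$out"                 # also fixes a pre-existing file with a loose mode
}

# SSSD refuses to start unless sssd.conf is root-owned and mode 0600.
# Returns 0 when the mode column of ls -l is exactly -rw-------.
conf_mode_ok() {
  [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Returns 0 when passwd, group and shadow in nsswitch.conf all consult sss.
check_nsswitch() {
  local db
  for db in passwd group shadow; do
    grep -Eq "^${db}:[^#]*[[:space:]]sss([[:space:]]|$)" "$1" || return 1
  done
}

# Append sss to the passwd/group/shadow lines that lack it (uncommented lines only).
enable_sss_in_nsswitch() {
  local f="$1" db
  for db in passwd group shadow; do
    if ! grep -Eq "^${db}:[^#]*[[:space:]]sss([[:space:]]|$)" "$f"; then
      sed -E "/^${db}:[^#]*$/ s/[[:space:]]*$/ sss/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    fi
  done
}

# End-to-end flow on a real host (needs root). PAM is configured with each
# distribution's own tool rather than by hand-editing files under /etc/pam.d.
# usage: install_flow LDAP_URI SEARCH_BASE CACERT [TEST_USER]
install_flow() {
  local uri="$1" base="$2" cacert="$3" user="${4:-}"
  if command -v apt-get >/dev/null; then
    apt-get install -y sssd libnss-sss libpam-sss
    pam-auth-update                 # interactive: enable the "SSS authentication" profile
  elif command -v authselect >/dev/null; then
    yum install -y sssd
    authselect select sssd with-mkhomedir --force            # RHEL/CentOS 8+
  else
    yum install -y sssd
    authconfig --enablesssd --enablesssdauth --update        # RHEL/CentOS 7
  fi
  enable_sss_in_nsswitch /etc/nsswitch.conf
  render_sssd_conf empowerid "$uri" "$base" "$cacert" /etc/sssd/sssd.conf
  conf_mode_ok /etc/sssd/sssd.conf && check_nsswitch /etc/nsswitch.conf
  systemctl enable --now sssd
  if [ -n "$user" ]; then getent passwd "$user"; fi   # smoke test: resolve a directory user
}

# Example (assumed values):
#   ./sssd-ldap.sh install ldap://vds.example.com:389 dc=example,dc=com /etc/ssl/certs/empowerid-ca.pem jdoe
case "${1:-}" in
  install) install_flow "$2" "$3" "$4" "${5:-}" ;;
esac
```

The file is written under umask 077 and then chmod'ed, so it is never world-readable even for the instant between creation and the permission fix, and a leftover sssd.conf with a loose mode is corrected rather than trusted. If the VDS listens on an ldaps:// port, change ldap_uri accordingly; ldap_id_use_start_tls is then ignored and the connection is TLS from the first byte, with ldap_tls_reqcert = demand still enforcing certificate verification.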