SSSD is the System Security Services Daemon. It is the bridge between a Unix system and an LDAP directory: it lets the system resolve and authenticate users that are stored in LDAP.

Configure SSSD

NOTE: We strongly advise that you have [configured TLS](howto-ssl.html) on your LDAP server first, since SSSD will otherwise send bind credentials over the network in clear text.

SSSD has a concept of domains and providers. Here is an example /etc/sssd/sssd.conf that can be altered and should work with 389-ds-base. SSSD requires the file to be owned by root with mode 0600 and will refuse to start otherwise.

[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = default

[nss]
homedir_substring = /home

[domain/default]
# If you have large groups (i.e. 50+ members), you should set this to True
ignore_group_members = False
cache_credentials = True
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307bis
ldap_search_base = dc=example,dc=com
# We strongly recommend ldaps here. Fill in the URI of your directory server.
ldap_uri = ldaps://
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/ldap.crt
# Only members of this group may log in (enforced because access_provider = ldap)
ldap_access_filter = (|(memberof=cn=<login group>,ou=Groups,dc=example,dc=com))
enumerate = false
ldap_user_member_of = memberof
ldap_user_gecos = cn
ldap_user_uuid = nsUniqueId
ldap_group_uuid = nsUniqueId
# This is really important as it allows SSSD to respect nsAccountLock
ldap_account_expire_policy = rhds
ldap_access_order = filter, expire
# Setup for ssh keys
ldap_user_ssh_public_key = sshPublicKey
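As an added example (not part of this documentation or of 389-ds-base), the following POSIX shell script lints the security-relevant settings of a domain section in sssd.conf before the file is deployed. It checks that ldap_uri uses ldaps://, that ldap_tls_reqcert is demand, that a CA certificate is configured, that access_provider = ldap is set (without it the ldap_access_* options are never consulted), that ldap_access_order contains expire together with ldap_account_expire_policy so nsAccountLock is honoured, that a filter is present when filter is in the order, and that the file has the 0600 mode SSSD requires. The two sample configurations it writes, and the hostname ldap.example.com in them, are constructed for this example.

```sh
#!/bin/sh
# Added example: lint the security-relevant options of an sssd.conf domain.
# Not part of the 389-ds documentation; sample configs below are constructed.

# get_opt FILE SECTION KEY -> prints the value of KEY in [SECTION], or nothing.
get_opt() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { insec = ($0 ~ "^[ \t]*\\[" sec "\\][ \t]*$"); next }
        insec && $0 ~ "^[ \t]*" key "[ \t]*=" {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# check_sssd_conf FILE DOMAIN: prints one line per finding and returns the
# number of findings, so 0 means every check passed.
check_sssd_conf() {
    cf=$1; cs="domain/$2"; cn=0
    v=$(get_opt "$cf" "$cs" ldap_uri)
    case "$v" in
        ldaps://*) ;;
        *) echo "ldap_uri='$v': use ldaps:// so binds are not sent in clear"; cn=$((cn+1)) ;;
    esac
    v=$(get_opt "$cf" "$cs" ldap_tls_reqcert)
    [ "$v" = demand ] || { echo "ldap_tls_reqcert='$v': set demand so a bad server cert aborts the bind"; cn=$((cn+1)); }
    v=$(get_opt "$cf" "$cs" ldap_tls_cacert)
    [ -n "$v" ] || { echo "ldap_tls_cacert unset: the server certificate cannot be verified"; cn=$((cn+1)); }
    v=$(get_opt "$cf" "$cs" access_provider)
    [ "$v" = ldap ] || { echo "access_provider='$v': ldap_access_* options are ignored unless it is ldap"; cn=$((cn+1)); }
    order=$(get_opt "$cf" "$cs" ldap_access_order | tr -d ' ')
    [ -n "$order" ] || order=filter            # SSSD's default order
    case ",$order," in
        *,filter,*) [ -n "$(get_opt "$cf" "$cs" ldap_access_filter)" ] ||
            { echo "ldap_access_order has filter but ldap_access_filter is unset"; cn=$((cn+1)); } ;;
    esac
    case ",$order," in
        *,expire,*) [ -n "$(get_opt "$cf" "$cs" ldap_account_expire_policy)" ] ||
            { echo "ldap_access_order has expire but ldap_account_expire_policy is unset"; cn=$((cn+1)); } ;;
        *) echo "ldap_access_order lacks expire: nsAccountLock will not block logins"; cn=$((cn+1)) ;;
    esac
    mode=$(ls -ld "$cf" | cut -c2-10)
    [ "$mode" = "rw-------" ] || { echo "file mode is $mode: sssd requires 0600"; cn=$((cn+1)); }
    return $cn
}

# write_sample_conf FILE hard|weak: constructed sample configs for the demo.
write_sample_conf() {
    if [ "$2" = hard ]; then
        cat > "$1" <<'EOF'
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/ldap.crt
ldap_access_filter = (memberof=cn=login,ou=Groups,dc=example,dc=com)
ldap_account_expire_policy = rhds
ldap_access_order = filter, expire
EOF
    else
        cat > "$1" <<'EOF'
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_tls_reqcert = allow
ldap_access_filter = (memberof=cn=login,ou=Groups,dc=example,dc=com)
ldap_access_order = filter, expire
EOF
    fi
    chmod 600 "$1"
}

# Run the lint over both constructed samples when invoked as: sh lint.sh demo
if [ "${1:-}" = demo ]; then
    demo_dir=$(mktemp -d)
    for kind in hard weak; do
        write_sample_conf "$demo_dir/$kind.conf" "$kind"
        echo "== $kind.conf"
        check_sssd_conf "$demo_dir/$kind.conf" default || echo "   $? finding(s)"
    done
    rm -rf "$demo_dir"
fi
```

To lint a real file, call `check_sssd_conf /etc/sssd/sssd.conf default` from a shell that has sourced the script; the return value makes it usable as a gate in a configuration-management pipeline.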

Enable SSSD to start at boot with systemctl:

systemctl enable sssd

Configure NSS

Ensure the following lines are present in /etc/nsswitch.conf:

passwd:     files sss
shadow:     files sss
group:      files sss
netgroup:   files sss
sudoers:    files sss

You should now be able to resolve a user from LDAP with "getent passwd <username>".

Configure PAM

WARNING: Altering PAM may lock you out of your system. Always keep a second sudo/root shell open while altering these files, and keep backups.

Consult your distribution's documentation for this. Generally you want to add:

auth        sufficient    pam_sss.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient    pam_sss.so use_authtok
session     optional      pam_sss.so

For Fedora/CentOS, you should alter /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac to match the following:

auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
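As a second added example (again not part of this documentation or of 389-ds-base), this POSIX shell script checks a PAM stack file of the shape shown above before you rely on it, which is the kind of pre-flight check the lock-out warning calls for. It verifies that pam_sss.so is present in all four management groups, that the auth stack ends in pam_deny.so so it fails closed, that pam_unix.so comes before pam_sss.so in auth so local accounts still work when the directory is unreachable, and that the account entry for pam_sss.so uses a control that turns an LDAP denial (ldap_access_filter, nsAccountLock) into a denied login rather than ignoring it. The two sample stacks it writes are constructed for the example: "hard" is the Fedora stack above, "weak" drops the terminator and demotes the account entry.

```sh
#!/bin/sh
# Added example: sanity-check a PAM stack that delegates to pam_sss.so.
# Not part of the 389-ds documentation; sample stacks below are constructed.

# normalize_pam FILE -> one line per rule: "type control module", with
# comments removed, a leading "-" stripped, and [..] controls kept whole.
normalize_pam() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            sub(/^[ \t]*-/, "")
            ty = $1
            if ($2 ~ /^\[/) {
                ctrl = $2; i = 2
                while ($i !~ /\]$/ && i < NF) { i++; ctrl = ctrl " " $i }
                mod = $(i + 1)
            } else { ctrl = $2; mod = $3 }
            print ty, ctrl, mod
        }' "$1"
}

# check_pam_stack FILE: prints one line per finding, returns their count.
check_pam_stack() {
    pf=$1; pn=0
    stack=$(normalize_pam "$pf")
    for t in auth account password session; do
        echo "$stack" | grep -q "^$t .* pam_sss.so$" ||
            { echo "$t: no pam_sss.so entry, LDAP users are not handled in this phase"; pn=$((pn+1)); }
    done
    last=$(echo "$stack" | awk '$1 == "auth" { m = $NF } END { print m }')
    [ "$last" = pam_deny.so ] ||
        { echo "auth: stack ends with '$last', not pam_deny.so, so it does not fail closed"; pn=$((pn+1)); }
    order=$(echo "$stack" | awk '$1 == "auth" && ($NF == "pam_unix.so" || $NF == "pam_sss.so") { printf "%s ", $NF }')
    case "$order" in
        "pam_unix.so "*) ;;
        *) echo "auth: pam_unix.so should precede pam_sss.so so local accounts work without LDAP"; pn=$((pn+1)) ;;
    esac
    actl=$(echo "$stack" | awk '$1 == "account" && $NF == "pam_sss.so" {
        for (i = 2; i < NF; i++) printf "%s%s", $i, (i < NF - 1 ? " " : ""); print "" }')
    case "$actl" in
        ""|required|requisite|*default=bad*|*default=die*) ;;   # "" was reported above
        *) echo "account: pam_sss.so control '$actl' lets an LDAP access denial be ignored"; pn=$((pn+1)) ;;
    esac
    return $pn
}

# write_sample_pam FILE hard|weak: constructed sample stacks for the demo.
write_sample_pam() {
    if [ "$2" = hard ]; then
        cat > "$1" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
EOF
    else
        cat > "$1" <<'EOF'
# weak: sss before unix, no pam_deny terminator, account entry optional
auth        required      pam_env.so
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_unix.so try_first_pass
account     required      pam_unix.so
account     optional      pam_sss.so
password    sufficient    pam_unix.so sha512 shadow
session     required      pam_unix.so
EOF
    fi
}

# Run the check over both constructed samples when invoked as: sh pamcheck.sh demo
if [ "${1:-}" = demo ]; then
    demo_dir=$(mktemp -d)
    for kind in hard weak; do
        write_sample_pam "$demo_dir/$kind" "$kind"
        echo "== $kind"
        check_pam_stack "$demo_dir/$kind" || echo "   $? finding(s)"
    done
    rm -rf "$demo_dir"
fi
```

Run `check_pam_stack /etc/pam.d/system-auth-ac` from your second root shell before logging out of it; the script only reads the file and reports, it does not edit anything.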

Last modified on 11 April 2017