Client Authentication:Debian via sssd/ldap
Introduction
This how-to shows how to configure a SME-server (>=8b6) and a client Debian (method tested with Debian squeeze) for a LDAP based SSSD authentication of the client machine on the configured user accounts of the SME.
The main advantage in comparaison to nss_ldap is that the authentication informations stay in the cache and the authentication can therefore furter work, even in offline mode (when the server not available).
Nevertheless, the creation of a local user with the admin rights is recommanded for the emergency case.
These lines are a translation of the method given by Daniel: https://wikit.firewall-services.com/doku.php/tuto/ipasserelle/authentification/debian_sssd_on_sme. Many thanks to him for it.
In this how-to: we assume that:
the host name of the SME is "sme-server" and the domain is "domain.tld".
Configuration of the SME-server
There is quite no necessary configuration of the SME.
- The only thing to do is to create a user (named "auth" in this how-to) via the server-manager and to give him a valid password ("something_very_secret" in the how-to).
It is not required to make "auth" member of any group.
- In addition, it is recommended to install and configure PHPki in order to make the managing of the self-created certificates easier.
Configuration of the client Debian
Manage the CA of the SME
after having installed PHPki, go to https://www.domain.tld/phpki and download on the client machine the certificate of authority (ca-certificates.crt).
Place a copy of it or of another CA into /etc/ssl/certs/ and give the 644 permissions:
cp ~/download/ca-certificates.crt /etc/ssl/certs/ chmod 644 /etc/ssl/certs/ca-certificates.crt
Install the required packages
apt-get install sssd libnss-sss libpam-sss ca-certificates
Configure sssd
The configuration is made by the file /ets/sssd/sssd.conf.
- At the beginning of this file, the used domain has to be set. In sssd, a domain can be taken as a source of content. it is possible to set several domains in order of priority.
- And deeper in the file, we will add the configuration of the domain
If the file doesn't exist by default it has to be created and it needs to get the permissions 600 to allow the daemon to start:
cat <<'_EOF' > /etc/sssd/sssd.conf
[sssd] config_file_version = 2 services = nss, pam domains = LDAP [nss] [pam] [domain/LDAP] id_provider = ldap auth_provider = ldap ldap_schema = rfc2307 ldap_uri = ldap://sme-server.domain.tld ldap_default_bind_dn = uid=auth,ou=Users,dc=domain,dc=tld ldap_default_authtok = something_very_secret ldap_default_authtok_type = password ldap_search_base = dc=domain,dc=tld ldap_user_search_base = ou=Users,dc=domain,dc=tld ldap_group_search_base = ou=Groups,dc=domain,dc=tld ldap_user_object_class = inetOrgPerson ldap_user_gecos = cn ldap_tls_reqcert = hard ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt ldap_id_use_start_tls = true # uncomment below if the SME is a âiPasserelleâ #ldap_user_shell = desktopLoginShell # comment below if the SME is a âiPasserelleâ override_shell = /bin/bash cache_credentials = true enumerate = true # It is possible to filter the logins via a LDAP-filer # by commenting the both lines below. # In this exemple, only the users member of the group netusers # will be valid on this host. # posixMemberOF is a parameter only for a iPasserelle #access_provider = ldap #ldap_access_filter = (|(posixMemberOf=admins)(uid=backup)) _EOF chmod 600 /etc/sssd/sssd.conf
nsswitch
Edit /etc/nsswitch.conf and add sss for passwd, group and shadow:
passwd: compat sss group: compat sss shadow: compat sss
pam
cd /etc/pam.d cp -a common-account common-account.orig cat <<'EOF'> common-account # # /etc/pam.d/common-account - authorization settings common to all services # account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so # here's the fallback if no module succeeds account requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around account required pam_permit.so # and here are more per-package modules (the "Additional" block) session optional pam_mkhomedir.so skel=/etc/skel umask=0077 account [default=bad success=ok user_unknown=ignore] pam_sss.so EOF cp -a common-auth common-auth.orig cat <<'EOF'> common-auth # # /etc/pam.d/common-auth - authentication settings common to all services # # here are the per-package modules (the "Primary" block) auth [success=2 default=ignore] pam_sss.so auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass # here's the fallback if no module succeeds auth requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around auth required pam_permit.so # and here are more per-package modules (the "Additional" block) EOF cp -a common-password common-password.orig cat <<'EOF'> common-password # # /etc/pam.d/common-password - password-related modules common to all services # here are the per-package modules (the "Primary" block) password sufficient pam_sss.so password [success=1 default=ignore] pam_unix.so obscure try_first_pass sha512 # here's the fallback if no module succeeds password requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around password required pam_permit.so # and here are more per-package modules (the "Additional" block) EOF cp -a common-session common-session.orig cat <<'EOF'> common-session # # /etc/pam.d/common-session - session-related modules common to all services # # here are the per-package modules (the "Primary" block) session [default=1] pam_permit.so # here's the fallback if no module succeeds session requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around session required pam_permit.so # and here are more per-package modules (the "Additional" block) session optional pam_mkhomedir.so skel=/etc/skel umask=0077 session optional pam_sss.so session required pam_unix.so EOF
Enable at statup
update-rc.d sssd enable /etc/init.d/sssd start