Client Authentication:Ubuntu via sssd/ldap
Introduction
This how-to shows how to configure a SME-server (>=8b6) and a client Ubuntu for a LDAP based SSSD authentication of the client machine on the configured user accounts of the SME.
The main advantage in comparaison to nss_ldap is that the authentication information stays in the cache and the authentication can therefore still work even in offline mode (when the server not available).
Nevertheless, the creation of a local user with the admin rights is recommended for the emergency case.
These lines are a translation of the method given by Daniel: https://wikit.firewall-services.com/doku.php/tuto/ipasserelle/authentification/ubuntu_sssd_on_sme. Many thanks to him for it.
Backup
cp /etc/pam.d/common* /home/myhome/backup
Assumptions
In this how-to we assume that:
the host name of the SME is "sme-server" and the domain is "domain.tld".
Configuration of the SME-server
There is little configuration required in SME server.
- The only thing to do is to create a user (named "auth" in this how-to) via the server-manager and to give them a valid password ("something_very_secret" in the how-to).
It is not required to make "auth" member of any group.
- In addition, it is recommended to install and configure PHPki in order to make the managing of the self-created certificates easier.
Configuration of the Ubuntu client
Installation of the required packages
sudo apt-get install sssd libnss-sss libpam-sss auth-client-config
Create a symbolic link
There seems to be a bug in the version of sssd from Ubuntu and therefore the following links must be created:
ln -s /usr/lib /usr/modules
Without it, sssd can't manage membership to the groups in LDAP (source http://us.generation-nt.com/bug-599644-sssd-unable-resolve-ldap-group-memberships-help-200739341.html)
Managing the CA on SME
after having installed PHPki, go to https://www.domain.tld/phpki and download the certificate of authority (ca-certificates.crt) to the client machine .
Place a copy of it or of another CA into /etc/ssl/certs/ and give the 644 permissions:
cp ~/Downloads/ca-certificates.crt /etc/ssl/certs/ chmod 644 /etc/ssl/certs/ca-certificates.crt
Configure SSSD
The configuration of sssd is achieved in a standard way (as per Ubuntu or Fedora for example) and is made by the file /ets/sssd/sssd.conf.
- At the beginning of this file, the used domain has to be set. In sssd, a domain can be taken as a source of content. It is possible to set several domains in order of priority.
- And deeper in the file, we will add the configuration of the domain
If the file doesn't exist by default it has to be created and it needs to get the permissions 600 to allow the daemon to start. On Ubuntu clients using sudo you may need to get a root shell first:
sudo -i
Now we can copy and paste this into the terminal:
cat <<'_EOF' > /etc/sssd/sssd.conf [sssd] config_file_version = 2 services = nss, pam domains = LDAP [nss] [pam] [domain/LDAP] id_provider = ldap auth_provider = ldap ldap_schema = rfc2307 ldap_uri = ldap://sme-server.domain.tld ldap_default_bind_dn = uid=auth,ou=Users,dc=domain,dc=tld ldap_default_authtok = something_very_secret ldap_default_authtok_type = password ldap_search_base = dc=domain,dc=tld ldap_user_search_base = ou=Users,dc=domain,dc=tld ldap_group_search_base = ou=Groups,dc=domain,dc=tld ldap_user_object_class = inetOrgPerson ldap_user_gecos = cn ldap_tls_reqcert = hard ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt ldap_id_use_start_tls = true # uncomment below if the SME is a “iPasserelle” #ldap_user_shell = desktopLoginShell # comment below if the SME is a “iPasserelle” override_shell = /bin/bash cache_credentials = true enumerate = true # It is possible to filter the logins via a LDAP-filer # by commenting the both lines below. # In this exemple, only the users member of the group netusers # will be valid on this host. # posixMemberOF is a parameter only for a iPasserelle #access_provider = ldap #ldap_access_filter = (|(posixMemberOf=admins)(uid=backup)) _EOF
Now we need to set the correct permissions on the file:
chmod 600 /etc/sssd/sssd.conf
Configure the system to use SSSD as a source of authentication:
Setup to use the tool auth-client-config:
We can copy and paste in a terminal to add following lines:
cat <<'_EOF' > /etc/auth-client-config/profile.d/sss [sss] nss_passwd= passwd: compat sss nss_group= group: compat sss nss_shadow= shadow: compat nss_netgroup= netgroup: nis pam_auth= auth [success=3 default=ignore] pam_unix.so nullok_secure try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth [success=1 default=ignore] pam_sss.so use_first_pass auth requisite pam_deny.so auth required pam_permit.so pam_account= account required pam_unix.so account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so pam_password= password sufficient pam_unix.so obscure sha512 password sufficient pam_sss.so use_authtok password required pam_deny.so pam_session= session required pam_mkhomedir.so skel=/etc/skel/ umask=0077 session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_sss.so session required pam_unix.so _EOF
And enable this:
sudo auth-client-config -a -p sss
Now you should be able to reboot and login as a LDAP member.
We should be able to restore the original pam config files with
sudo auth-client-config -a -p sss -r