Client Authentication:Gentoo via sssd/ldap

Introduction

This how-to shows how to configure a SME-server (>=8b6) and a client Gentoo for a LDAP based SSSD authentication of the client machine on the configured user accounts of the SME.

The main advantage in comparaison to nss_ldap is that the authentication informations stay in the cache and the authentication can therefore furter work, even in offline mode (when the server not available).

Nevertheless, the creation of a local user with the admin rights is recommanded for the emergency case.

These lines are a translation of the method given by Daniel: https://wikit.firewall-services.com/doku.php/tuto/ipasserelle/authentification/gentoo_sssd_on_sme. Many thanks to him for it.

In this how-to we assume that:

the host name of the SME is "sme-server" and the domain is "domain.tld".

Configuration of the SME-server

There is quite no necessary configuration of the SME.

• The only thing to do is to create a user (named "auth" in this how-to) via the server-manager and to give him a valid password ("something_very_secret" in the how-to).

It is not required to make "auth" member of any group.

• In addition, it is recommended to install and configure PHPki in order to make the managing of the self-created certificates easier.

Configuration of the client Gentoo

Install the required packages

First of all, install the requides package:

emerge sys-auth/sssd

If needed, install the trusted root certificates:

emerge app-misc/ca-certificates

Manage the CA of the SME

after having installed PHPki, go to https://www.domain.tld/phpki and download on the client machine the certificate of authority (ca-certificates.crt).

Place a copy of it or of another CA into /etc/ssl/certs/ and give the 644 permissions:

cp ~/download/ca-certificates.crt /etc/ssl/certs/
chmod 644 /etc/ssl/certs/ca-certificates.crt

Configure sssd

The configuration of sssd is achieved in a classical way (as for Ubuntu or Fedora for exemple) and is made by the file /ets/sssd/sssd.conf.

• At the beginning of this file, the used domain has to be set. In sssd, a domain can be taken as a source of content. it is possible to set several domains in order of priority.
• And deeper in the file, we will add the configuration of the domain

If the file doesn't exist by default it has to be created and it needs to get the permissions 600 to allow the daemon to start:

cat <<'_EOF' > /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[nss]

[pam]

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://sme-server.domain.tld
ldap_default_bind_dn = uid=auth,ou=Users,dc=domain,dc=tld
ldap_default_authtok = something_very_secret
ldap_default_authtok_type = password
ldap_search_base = dc=domain,dc=tld
ldap_user_search_base = ou=Users,dc=domain,dc=tld
ldap_group_search_base = ou=Groups,dc=domain,dc=tld
ldap_user_object_class = inetOrgPerson
ldap_user_gecos = cn
ldap_tls_reqcert = hard
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_id_use_start_tls = true
# uncomment below if the SME is a “iPasserelle”
#ldap_user_shell = desktopLoginShell
# comment below if the SME is a “iPasserelle”
override_shell = /bin/bash
cache_credentials = true
enumerate = true
# It is possible to filter the logins via a LDAP-filer
# by commenting the both lines below.
# In this exemple, only the users member of the group netusers
# will be valid on this host.
# posixMemberOF is a parameter only for a iPasserelle
#access_provider = ldap
#ldap_access_filter = (|(posixMemberOf=admins)(uid=backup))

_EOF

chmod 600 /etc/sssd/sssd.conf

The best way to check that sssd is running is to start it in interactiv mode:

sssd -i -d 5

When all is OK, start sssd and configure its autostart:

/etc/init.d/sssd start
rc-update add sssd default

Configure nss

To allow nss to use sssd, edit /etc/nsswitch. conf and add sss as a source for users and groups.

[...]
passwd:     files sss
shadow:     files sss
group:      files sss
[...]
netgroup:   files sss

After it, it is possible to check that it works:

getent passwd

should list the LDAP users. If it doen't work, you should start debugging by running sssd in interactiv mode (with sssd -i -d 5 for exemple).

Configure pam

pam must be configured on order to use sssd as a source too:

cp -a /etc/pam.d/system-auth /etc/pam.d/system-auth.pre_sssd
cat <<'EOF'> /etc/pam.d/system-auth
auth        required    pam_env.so
auth        sufficient  pam_unix.so try_first_pass likeauth nullok
auth        sufficient  pam_sss.so use_first_pass
auth        required    pam_deny.so
 
account     required    pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required    pam_permit.so
 
password    required    pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password    sufficient  pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password    sufficient  pam_sss.so use_authtok
password    required    pam_deny.so
 
session     required    pam_limits.so
session     required    pam_env.so
session     optional    pam_mkhomedir.so skel=/etc/skel umask=0077
session     required    pam_unix.so
session     optional    pam_sss.so
session     optional    pam_permit.so
 
EOF