Changes

From SME Server
m
no edit summary
Line 13: Line 13:  
These lines are a translation of the method given by Daniel: https://wikit.firewall-services.com/doku.php/tuto/ipasserelle/authentification/ubuntu_sssd_on_sme. Many thanks to him for it.
 
These lines are a translation of the method given by Daniel: https://wikit.firewall-services.com/doku.php/tuto/ipasserelle/authentification/ubuntu_sssd_on_sme. Many thanks to him for it.
    +
==Backup==
 +
{{Warning box|This process may lock you out of the client machine. Make sure that on the client machine you have a local only user account with a name that is different to any users on the server e.g. 'localadminuser'
 +
It is worth taking a backup of the following files
 +
/etc/pam.d/common-account
 +
/etc/pam.d/common-auth
 +
/etc/pam.d/common-password
 +
/etc/pam.d/common-session
 +
/etc/pam.d/common-session-noninteractive
 +
}}
 +
 +
cp /etc/pam.d/common* /home/myhome/backup
 +
 +
==Assumptions==
 
In this how-to we assume that:
 
In this how-to we assume that:
 
  the host name of the SME is "sme-server" and the domain is "domain.tld".
 
  the host name of the SME is "sme-server" and the domain is "domain.tld".
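Review bot: the backup command `cp /etc/pam.d/common* /home/myhome/backup` fails unless the destination directory already exists (with several source files, cp needs an existing target directory), so it should be preceded by `mkdir -p /home/myhome/backup`, and "myhome" should be marked as a placeholder since that path will not exist on most clients. The new warning box is the right safety measure: the local-only account it describes (e.g. 'localadminuser') should be kept logged in on a second console while PAM is changed, so a mistake can be reverted from the backup. Also, the "It is worth taking a backup" sentence and the list of files are inside the {{Warning box}} template; consider moving them after the closing }} so the box carries only the lockout warning.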
Line 18: Line 31:  
==Configuration of the SME-server==
 
==Configuration of the SME-server==
 
There is little configuration required in SME server.  
 
There is little configuration required in SME server.  
*The only thing to do is to create a user (named "auth" in this how-to) via the server-manager and to give him a valid password ("something_very_secret" in the how-to).
+
*The only thing to do is to create a user (named "auth" in this how-to) via the server-manager and to give them a valid password ("something_very_secret" in the how-to).
 
It is not required to make "auth" member of any group.
 
It is not required to make "auth" member of any group.
    
*In addition, it is recommended to install and configure [[PHPki]] in order to make the managing of the self-created certificates easier.
 
*In addition, it is recommended to install and configure [[PHPki]] in order to make the managing of the self-created certificates easier.
   −
==Configuration of the client Ubuntu==
+
==Configuration of the Ubuntu client==
 
===Installation of the required packages===
 
===Installation of the required packages===
 
  sudo apt-get install sssd libnss-sss libpam-sss auth-client-config
 
  sudo apt-get install sssd libnss-sss libpam-sss auth-client-config
 
===Create a symbolic link===
 
===Create a symbolic link===
There seems to be a bug in the version of sssd from Ubuntu and therefore following links must be created:
+
There seems to be a bug in the version of sssd from Ubuntu and therefore the following links must be created:
 
  ln -s /usr/lib /usr/modules
 
  ln -s /usr/lib /usr/modules
 
Without it, sssd can't manage membership to the groups in LDAP (source http://us.generation-nt.com/bug-599644-sssd-unable-resolve-ldap-group-memberships-help-200739341.html)
 
Without it, sssd can't manage membership to the groups in LDAP (source http://us.generation-nt.com/bug-599644-sssd-unable-resolve-ldap-group-memberships-help-200739341.html)
   −
===Manage the CA of the SME===
+
===Managing the CA on SME===
after having installed PHPki, go to https://www.domain.tld/phpki and download on the client machine the certificate of authority (ca-certificates.crt).
+
after having installed PHPki, go to https://www.domain.tld/phpki and download the certificate of authority (ca-certificates.crt) to the client machine .
    
Place a copy of it or of another CA into /etc/ssl/certs/ and give the 644 permissions:
 
Place a copy of it or of another CA into /etc/ssl/certs/ and give the 644 permissions:
  cp ~/download/ca-certificates.crt /etc/ssl/certs/
+
  cp ~/Downloads/ca-certificates.crt /etc/ssl/certs/
 
  chmod 644 /etc/ssl/certs/ca-certificates.crt
 
  chmod 644 /etc/ssl/certs/ca-certificates.crt
    
===Configure SSSD===
 
===Configure SSSD===
The configuration of sssd is achieved in a classical way (as for Ubuntu or Fedora for exemple) and is made by the file /ets/sssd/sssd.conf.
+
The configuration of sssd is achieved in a standard way (as per Ubuntu or Fedora for example) and is made by the file /ets/sssd/sssd.conf.
   −
* At the beginning of this file, the used domain has to be set. In sssd, a domain can be taken as a source of content. it is possible to set several domains in order of priority.  
+
* At the beginning of this file, the used domain has to be set. In sssd, a domain can be taken as a source of content. It is possible to set several domains in order of priority.  
 
* And deeper in the file, we will add the configuration of the domain  
 
* And deeper in the file, we will add the configuration of the domain  
   −
If the file doesn't exist by default it has to be created and it needs to get the permissions 600 to allow the daemon to start:
+
If the file doesn't exist by default it has to be created and it needs to get the permissions 600 to allow the daemon to start.
 +
On Ubuntu clients using sudo you may need to get a root shell first:
 +
 
 +
sudo -i
    +
Now we can copy and paste this into the terminal:
 
  cat <<'_EOF' > /etc/sssd/sssd.conf
 
  cat <<'_EOF' > /etc/sssd/sssd.conf
 
  [sssd]
 
  [sssd]
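Review bot: the path `/ets/sssd/sssd.conf` in "The configuration of sssd is achieved in a standard way ... is made by the file /ets/sssd/sssd.conf." is a typo that the reworded sentence keeps; it should read `/etc/sssd/sssd.conf`, matching the later `cat <<'_EOF' > /etc/sssd/sssd.conf`. Three further points in this hunk: `cp ~/Downloads/ca-certificates.crt /etc/ssl/certs/` and the following `chmod 644` write into a root-owned directory, so they need sudo or the `sudo -i` step should come before them; on Ubuntu /etc/ssl/certs/ca-certificates.crt is the system CA bundle maintained by update-ca-certificates, so copying the PHPki file over it replaces the trust store for every TLS client on the machine, and the text should either install the CA under a distinct name or say explicitly that this is intended; and because this file is what the client will trust for the connection to the SME, the reader should be told to compare the fingerprint of the downloaded CA with the one shown on the server before installing it, rather than trusting the download alone. The `ln -s /usr/lib /usr/modules` workaround should be labelled as specific to the affected sssd version, since it creates a system-wide symlink that may no longer be needed once the referenced bug is fixed.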
Line 86: Line 103:  
  #ldap_access_filter = (|(posixMemberOf=admins)(uid=backup))
 
  #ldap_access_filter = (|(posixMemberOf=admins)(uid=backup))
 
  _EOF
 
  _EOF
+
 
 +
Now we need to set the correct permissions on the file:
 
  chmod 600 /etc/sssd/sssd.conf
 
  chmod 600 /etc/sssd/sssd.conf
   −
{{Tip box|Make sure that the file /etc/ssl/certs/ca-certificates.crt contains the CA that has sign the certificate of the SME (if  PHPki is used, a version > 0,82-13 is required).}}
+
{{Tip box|Make sure that the file /etc/ssl/certs/ca-certificates.crt contains the CA that has signed the certificate of the SME (if  PHPki is used, a version > 0,82-13 is required).}}
    
===Configure the system to use SSSD as a source of authentication:===
 
===Configure the system to use SSSD as a source of authentication:===
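Review bot: the heredoc in the previous hunk creates /etc/sssd/sssd.conf with the default umask (normally 0644), and the `chmod 600 /etc/sssd/sssd.conf` added here runs only afterwards, so the file is briefly readable by every local user; run `umask 077` in the root shell before the cat (or create and chmod the empty file first) so it never exists with wider permissions, which is also the condition the text gives for the daemon to start. Separately, `#ldap_access_filter = (|(posixMemberOf=admins)(uid=backup))` is commented out, so every LDAP account on the SME can log in to this client; the how-to should state this and present the filter as the way to restrict which users may log in. Minor: "0,82-13" in the tip box presumably means version 0.82-13.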
Line 126: Line 144:  
And enable this:
 
And enable this:
 
  sudo auth-client-config -a -p sss
 
  sudo auth-client-config -a -p sss
 +
 +
Now you should be able to reboot and login as a LDAP member
    
[[Category:Howto]]
 
[[Category:Howto]]
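Review bot: "login as a LDAP member" should read "log in as an LDAP member", and rebooting is not the safest first test. Before rebooting, confirm that lookups work from the still-open root shell with `getent passwd <ldap-user>` and `id <ldap-user>` (placeholder for a real SME account), then try a login on a second console while the local account session from the warning box stays open; reboot only once that succeeds, so a PAM mistake cannot lock you out of the client.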
