Ubuntu LDAP Authentication with SSSD

While building infrastructure for our campus computer club, I decided to run an LDAP server as the authentication backend, so that everyone can use one account to log into every service the club runs. Isn't that convenient?

Our main server runs Ubuntu Server, and I wanted LDAP users to be able to log in there as well, each with their own home directory and so on. But when I googled “ubuntu ldap authentication”, most of what came up told me to install packages like libnss-ldap and libpam-ldap, and almost none of it explained how to connect to the LDAP server over TLS or how to bind with a bind DN. Frustrating.

Thankfully, I found an article describing how to connect to an LDAP server with SSSD, which supports both TLS and an authenticated bind out of the box. It has been much more stable than the libnss-ldap/libpam-ldap route, and its configuration file is simpler too.

SSSD

SSSD stands for System Security Services Daemon.

SSSD’s homepage says: Its primary function is to provide access to local or remote identity and authentication resources through a common framework that can provide caching and offline support to the system. It provides several interfaces, including NSS and PAM modules or a D-Bus interface.

We are going to authenticate our users against a remote server and need PAM to let them log into the system. SSSD covers both, so it has everything we need.

Set-up

Install the packages sssd, libpam-sss and libnss-sss; install sssd-tools as well if you need to debug (it provides sssctl).

Create /etc/sssd/sssd.conf with the configuration below to use LDAP for identity lookups and authentication.

[sssd]
config_file_version = 2
# services: the responders started together with sssd itself
services = nss, pam
# domains must match the [domain/...] section below, which is where the backend (LDAP here) is configured
domains = <YOUR_DOMAIN>

[nss]
# users/groups that must never be resolved through SSSD (keeps the local root account local)
filter_users = root
filter_groups = root

[pam]
# no PAM-specific options are needed yet; the section can stay empty

[domain/<YOUR_DOMAIN>]
ldap_schema = rfc2307

# LDAP base DN
ldap_search_base = <SEARCH_BASE>
id_provider = ldap
auth_provider = ldap

# lets users run passwd to change their LDAP password; SSSD performs the change bound as the
# user, so the server's ACLs must allow a user to write their own userPassword
chpass_provider = ldap

# LDAP server URI; ldaps:// keeps the bind password and every user password off the wire in the clear
ldap_uri = ldaps://<LDAP_HOST>:636

# LDAPS needs the CA that signed the server certificate, and SSSD must refuse a server whose
# certificate does not validate (demand is the default behaviour, spelled out here on purpose)
ldap_tls_cacert = <CA_CERT_FILE_PATH>
ldap_tls_reqcert = demand

# only needed if the server requires a client certificate (mutual TLS); plain LDAPS does not
# ldap_tls_cert = <CERT_FILE_PATH>
# ldap_tls_key = <PRIVATE_KEY_FILE_PATH>

# enumerate makes a bare `getent passwd` list every LDAP account, handy for checking the setup,
# but it downloads the whole directory on every refresh, so turn it off once things work
enumerate = true

# bind DN and password used for lookups; this is why the file must be 0600 and owned by root
ldap_default_bind_dn = <BINDDN>
ldap_default_authtok = <SOME_DANGEROUS_PASSWORD>

Save the file, chown it to root:root and chmod it to 0600 (it holds the bind password, and SSSD refuses to start if the file is owned by anyone else or readable by group or other), then run systemctl enable --now sssd.

If everything is set correctly, getent passwd <username> or id <username> returns the LDAP account. A bare getent passwd lists all of them, but only because enumerate = true; the per-user lookup is the better test and keeps working after you turn enumeration off.

To let PAM use SSSD for authentication, run pam-auth-update and make sure the SSS profile is enabled (installing libpam-sss normally enables it already). If home directories should be created on first login, enable the mkhomedir profile too: pam-auth-update --enable mkhomedir.
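The script below is an added example, not code from the original post or from the SSSD project. It writes an sssd.conf with 0600 permissions from the moment the file exists, and audits the settings that matter for security: a TLS-protected ldap_uri, strict server-certificate checking, a pinned CA and enumeration left off. The host names, DNs, CA path and bind password are placeholders, and the "weak" config is constructed to show what the audit catches.

```python
#!/usr/bin/env python3
"""Write an sssd.conf safely and audit its LDAP/TLS settings.

Added example, not code from the original post or the SSSD project.
Host names, DNs, paths and the bind password are placeholders.
"""
import configparser
import os
import stat

# Constructed config mirroring the post's layout, with server-certificate
# verification pinned to our own CA and enumeration left off.
HARDENED_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = club.example

[nss]
filter_users = root
filter_groups = root

[pam]

[domain/club.example]
ldap_schema = rfc2307
ldap_search_base = dc=club,dc=example
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldaps://ldap.club.example:636
ldap_tls_cacert = /etc/ssl/certs/club-ca.pem
ldap_tls_reqcert = demand
ldap_default_bind_dn = cn=sssd-reader,ou=services,dc=club,dc=example
ldap_default_authtok = placeholder-bind-password
cache_credentials = true
"""

# The same domain with the mistakes the audit is meant to catch (constructed).
WEAK_CONF = HARDENED_CONF.replace(
    "ldap_uri = ldaps://ldap.club.example:636", "ldap_uri = ldap://ldap.club.example:389"
).replace(
    "ldap_tls_reqcert = demand", "ldap_tls_reqcert = allow"
).replace(
    "ldap_tls_cacert = /etc/ssl/certs/club-ca.pem\n", ""
).replace(
    "cache_credentials = true", "enumerate = true"
)


def audit(text: str) -> list[str]:
    """Return findings for an sssd.conf given as text; an empty list means clean."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    domains = [d.strip() for d in cp.get("sssd", "domains").split(",") if d.strip()]
    for name in domains:
        sec = f"domain/{name}"
        if sec not in cp:
            findings.append(f"{sec}: listed in [sssd] domains but has no section")
            continue
        d = cp[sec]
        if d.get("id_provider") != "ldap":
            continue  # only the LDAP provider is audited here
        uris = [u.strip() for u in d.get("ldap_uri", "").split(",")]
        start_tls = d.get("ldap_id_use_start_tls", "false").lower() == "true"
        if not start_tls and not all(u.startswith("ldaps://") for u in uris):
            findings.append(f"{sec}: ldap_uri is not ldaps:// and ldap_id_use_start_tls is off; "
                            "the bind password and user passwords would cross the wire in the clear")
        reqcert = d.get("ldap_tls_reqcert", "hard").lower()  # SSSD's default is hard (same as demand)
        if reqcert not in ("demand", "hard"):
            findings.append(f"{sec}: ldap_tls_reqcert = {reqcert} accepts a server certificate that "
                            "does not validate; set it to demand")
        if not d.get("ldap_tls_cacert") and not d.get("ldap_tls_cacertdir"):
            findings.append(f"{sec}: no ldap_tls_cacert or ldap_tls_cacertdir; trust falls back to "
                            "the OpenLDAP client defaults, so a private CA will not be recognised")
        if d.get("enumerate", "false").lower() == "true":
            findings.append(f"{sec}: enumerate = true pulls the whole directory on every refresh; "
                            "leave it off once `getent passwd <user>` works")
    return findings


def write_conf(path: str, text: str) -> None:
    """Create the file as 0600 from the start, so the bind password is never readable
    by others even briefly (chown root:root separately when not running as root)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)


def audit_file(path: str) -> list[str]:
    """Check ownership and mode before auditing the contents."""
    st = os.stat(path)
    findings = []
    if st.st_uid != 0:
        findings.append(f"{path}: owned by uid {st.st_uid}, not root")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(f"{path}: mode {mode:04o} is readable by group/other; chmod 0600")
    with open(path) as f:
        findings.extend(audit(f.read()))
    return findings


if __name__ == "__main__":
    for label, conf in ("hardened", HARDENED_CONF), ("weak", WEAK_CONF):
        print(label, audit(conf) or "clean")
```

Run it as root against the real file with audit_file("/etc/sssd/sssd.conf") after editing; the owner and mode checks are the same conditions that make SSSD refuse to start, so catching them here is cheaper than reading the journal afterwards.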

All done! It really is that simple, and much easier than libpam-ldap.