(sssd-with-ldap)= # How to set up SSSD with LDAP SSSD can also use LDAP for authentication, authorisation, and user/group information. In this section we will configure a host to authenticate users from an OpenLDAP directory. ## Prerequisites and assumptions For this setup, we need: - An existing OpenLDAP server with SSL enabled and using the RFC2307 schema for users and groups - A client host where we will install the necessary tools and login as a user from the LDAP server ## Install necessary software Install the following packages: ```bash sudo apt install sssd-ldap ldap-utils ``` ## Configure SSSD Create the `/etc/sssd/sssd.conf` configuration file, with permissions `0600` and ownership `root:root`, and add the following content: ```text [sssd] config_file_version = 2 domains = example.com [domain/example.com] id_provider = ldap auth_provider = ldap ldap_uri = ldap://ldap01.example.com cache_credentials = True ldap_search_base = dc=example,dc=com ``` Make sure to start the `sssd` service: ```bash sudo systemctl start sssd.service ``` > **Note**: > `sssd` will use `START_TLS` by default for authentication requests against the LDAP server (the **`auth_provider`**), but not for the **`id_provider`**. If you want to also enable `START_TLS` for the `id_provider`, specify `ldap_id_use_start_tls = true`. ## Automatic home directory creation To enable automatic home directory creation, run the following command: ```bash sudo pam-auth-update --enable mkhomedir ``` ## Check SSL setup on the client The client must be able to use `START_TLS` when connecting to the LDAP server, with full certificate checking. This means: - The client host knows and trusts the CA that signed the LDAP server certificate, - The server certificate was issued for the correct host (`ldap01.example.com` in this guide), - The time is correct on all hosts performing the TLS connection, and - That neither certificate (CA or server's) expired. If using a custom CA, an easy way to have a host trust it is to place it in `/usr/local/share/ca-certificates/` with a `.crt` extension and run `sudo update-ca-certificates`. Alternatively, you can edit `/etc/ldap/ldap.conf` and point `TLS_CACERT` to the CA public key file. > **Note**: > You may have to restart `sssd` after these changes: `sudo systemctl restart sssd` Once that is all done, check that you can connect to the LDAP server using verified SSL connections: ```bash $ ldapwhoami -x -ZZ -H ldap://ldap01.example.com anonymous ``` and for `ldaps` (if enabled in `/etc/default/slapd`): ```bash $ ldapwhoami -x -H ldaps://ldap01.example.com ``` The `-ZZ` parameter tells the tool to use `START_TLS`, and that it must not fail. If you have LDAP logging enabled on the server, it will show something like this: ``` slapd[779]: conn=1032 op=0 STARTTLS slapd[779]: conn=1032 op=0 RESULT oid= err=0 text= slapd[779]: conn=1032 fd=15 TLS established tls_ssf=256 ssf=256 slapd[779]: conn=1032 op=1 BIND dn="" method=128 slapd[779]: conn=1032 op=1 RESULT tag=97 err=0 text= slapd[779]: conn=1032 op=2 EXT oid=1.3.6.1.4.1.4203.1.11.3 slapd[779]: conn=1032 op=2 WHOAMI slapd[779]: conn=1032 op=2 RESULT oid= err=0 text= ``` `START_TLS` with `err=0` and `TLS established` is what we want to see there, and, of course, the `WHOAMI` extended operation. ## Final verification In this example, the LDAP server has the following user and group entry we are going to use for testing: ``` dn: uid=john,ou=People,dc=example,dc=com uid: john objectClass: inetOrgPerson objectClass: posixAccount cn: John Smith sn: Smith givenName: John mail: john@example.com userPassword: johnsecret uidNumber: 10001 gidNumber: 10001 loginShell: /bin/bash homeDirectory: /home/john dn: cn=john,ou=Group,dc=example,dc=com cn: john objectClass: posixGroup gidNumber: 10001 memberUid: john dn: cn=Engineering,ou=Group,dc=example,dc=com cn: Engineering objectClass: posixGroup gidNumber: 10100 memberUid: john ``` The user `john` should be known to the system: ```bash ubuntu@ldap-client:~$ getent passwd john john:*:10001:10001:John Smith:/home/john:/bin/bash ubuntu@ldap-client:~$ id john uid=10001(john) gid=10001(john) groups=10001(john),10100(Engineering) ``` And we should be able to authenticate as `john`: ```bash ubuntu@ldap-client:~$ sudo login ldap-client login: john Password: Welcome to Ubuntu Focal Fossa (development branch) (GNU/Linux 5.4.0-24-generic x86_64) (...) Creating directory '/home/john'. john@ldap-client:~$ ```