Difference between revisions of "SSSD"

From Nuclear Physics Group Documentation Pages

Revision as of 15:04, 9 August 2013

Starting with CentOS6, remote account login authentication is performed using SSSD. Configuring SSSD to authenticate to an LDAP server can be tricky, but the following instructions work perfectly.

Configuring SSSD

  1. Make sure the proper packages are installed
  yum install sssd libsss_sudo
  2. Use authconfig to enable the proper settings to allow authentication via SSSD
  authconfig --enablesssd --enablesssdauth --enablelocauthorize --update
  3. Modify /etc/sssd/sssd.conf to reflect the following settings:
  [sssd]
  config_file_version = 2
  services = nss, pam
  domains = default
  [nss]
  filter_users = root,ldap,named,avahi,haldaemon,dbus,radiusd,news,nscd
  [domain/default]
  ldap_tls_reqcert = never
  auth_provider = ldap
  ldap_schema = rfc2307bis
  krb5_realm = EXAMPLE.COM
  ldap_search_base = dc=physics,dc=unh,dc=edu
  id_provider = ldap
  ldap_id_use_start_tls = False
  chpass_provider = ldap
  ldap_uri = ldaps://einstein.unh.edu
  krb5_kdcip = kerberos.example.com
  cache_credentials = True
  ldap_tls_cacertdir = /etc/openldap/cacerts
  entry_cache_timeout = 600
  ldap_network_timeout = 3
  ldap_access_filter = (&(objectclass=shadowaccount)(objectclass=posixaccount))

  4. Modify /etc/nsswitch.conf to reflect the following settings:
  passwd     files sss
  shadow     files sss
  group      files sss
  sudoers    files sss

  5. Restart the sssd service to enable changes:
  service sssd restart

  6. To test the configuration, try requesting user information:

  id <username>
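The sssd.conf above sets ldap_tls_reqcert = never, which tells SSSD to accept any server certificate. As an added example that is not part of the wiki page, the following Python audit parses the domain sections of an sssd.conf and reports that setting and related TLS weaknesses, alongside a hardened variant of the same configuration; the "hard" default for ldap_tls_reqcert is taken from the sssd-ldap man page, and the hardened text is constructed.

```python
"""Audit sssd.conf domain sections for settings that weaken LDAP authentication."""
import configparser

# Constructed sample: the [domain/default] settings as given on the page.
PAGE_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = default
[domain/default]
ldap_tls_reqcert = never
auth_provider = ldap
id_provider = ldap
ldap_uri = ldaps://einstein.unh.edu
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
cache_credentials = True
"""
# Same domain with server certificate validation enforced (constructed).
HARDENED_CONF = PAGE_CONF.replace("ldap_tls_reqcert = never", "ldap_tls_reqcert = demand")


def audit_sssd_conf(text):
    """Return [(section, finding), ...] for every LDAP domain with a weak TLS setting."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        d = cp[section]
        # Only LDAP-backed [domain/...] sections are relevant to this check.
        if not section.startswith("domain/") or d.get("id_provider") != "ldap":
            continue
        # sssd-ldap(5) defaults ldap_tls_reqcert to "hard" (assumption from the man page).
        reqcert = d.get("ldap_tls_reqcert", "hard").lower()
        if reqcert in ("never", "allow"):
            findings.append((section, "ldap_tls_reqcert = %s skips server certificate "
                                      "validation; set demand or hard" % reqcert))
        starttls = d.get("ldap_id_use_start_tls", "false").lower() == "true"
        for uri in d.get("ldap_uri", "").split(","):
            uri = uri.strip().lower()
            if uri.startswith("ldap://") and not starttls:
                findings.append((section, "%s without ldap_id_use_start_tls sends "
                                          "credentials in the clear" % uri))
        if not (d.get("ldap_tls_cacert") or d.get("ldap_tls_cacertdir")):
            findings.append((section, "no ldap_tls_cacert/ldap_tls_cacertdir set; the CA "
                                      "used to verify the server is not pinned here"))
    return findings
```

Running audit_sssd_conf(PAGE_CONF) reports the ldap_tls_reqcert line; audit_sssd_conf(HARDENED_CONF) returns no findings.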