22.8 About the System Security Services Daemon

The System Security Services Daemon (SSSD) feature provides access on a client system to remote identity and authentication providers. The SSSD acts as an intermediary between local clients and any back-end provider that you configure.

The benefits of configuring SSSD include:

For more information, see the authconfig(8), pam_sss(8), sssd(8), and sssd.conf(5) manual pages and https://fedorahosted.org/sssd/.

22.8.1 Configuring an SSSD Server

To configure an SSSD server:

  1. Install the sssd and sssd-client packages:

    # yum install sssd sssd-client
  2. Edit the /etc/sssd/sssd.conf configuration file and configure the sections to support the required services, for example:

    [sssd]
    config_file_version = 2
    domains = LDAP
    services = nss, pam
    
    [domain/LDAP]
    id_provider = ldap
    ldap_uri = ldap://ldap.mydom.com
    ldap_search_base = dc=mydom,dc=com
    
    auth_provider = krb5
    krb5_server = krbsvr.mydom.com
    krb5_realm = MYDOM.COM
    cache_credentials = true
    
    min_id = 5000
    max_id = 25000
    enumerate = false
    
    [nss]
    filter_groups = root
    filter_users = root
    reconnection_retries = 3
    enum_cache_timeout = 300
    
    [pam]
    reconnection_retries = 3
    offline_credentials_expiration = 2
    offline_failed_login_attempts = 3
    offline_failed_login_delay = 5

    The [sssd] section contains configuration settings for SSSD monitor options, domains, and services. The SSSD monitor service manages the services that SSSD provides.

    The services entry defines the supported services, which should include nss for the Name Service Switch and pam for Pluggable Authentication Modules.

    The domains entry specifies the name of the sections that define authentication domains.

    The [domain/LDAP] section defines a domain for an LDAP identity provider that uses Kerberos authentication. Each domain defines where user information is stored, the authentication method, and any configuration options. SSSD can work with LDAP identity providers such as OpenLDAP, Red Hat Directory Server, IPA, and Microsoft Active Directory, and it can use either native LDAP or Kerberos authentication.

    The id_provider entry specifies the type of provider (in this example, LDAP). ldap_uri specifies a comma-separated list of the Uniform Resource Identifiers (URIs) of the LDAP servers, in order of preference, to which SSSD can connect. ldap_search_base specifies the base distinguished name (DN) that SSSD should use when performing LDAP user operations on a relative distinguished name (RDN) such as a common name (cn).

    The auth_provider entry specifies the authentication provider (in this example, Kerberos). krb5_server specifies a comma-separated list of Kerberos servers, in order of preference, to which SSSD can connect. krb5_realm specifies the Kerberos realm. cache_credentials specifies if SSSD caches user credentials such as tickets, session keys, and other identifying information to support offline authentication and single sign-on.

    Note

    To allow SSSD to use Kerberos authentication with an LDAP server, you must configure the LDAP server to use both Simple Authentication and Security Layer (SASL) and the Generic Security Services API (GSSAPI). For more information about configuring SASL and GSSAPI for OpenLDAP, see http://www.openldap.org/doc/admin24/sasl.html.

    The min_id and max_id entries specify the lower and upper limits on the values of user and group IDs. enumerate specifies whether SSSD caches the complete list of users and groups that are available on the provider. The recommended setting is false unless a domain contains relatively few users or groups.

    The [nss] section configures the Name Service Switch (NSS) module that integrates the SSS database with NSS. The filter_users and filter_groups entries prevent NSS from retrieving information about the specified users and groups from SSS. reconnection_retries specifies the number of times that SSSD should attempt to reconnect if a data provider crashes. enum_cache_timeout specifies the number of seconds for which SSSD caches user information requests.

    The [pam] section configures the PAM module that integrates SSS with PAM. The offline_credentials_expiration entry specifies the number of days for which to allow cached logins if the authentication provider is offline. offline_failed_login_attempts specifies how many failed login attempts are allowed if the authentication provider is offline. offline_failed_login_delay specifies how many minutes must elapse after offline_failed_login_attempts failed login attempts before a new login attempt is permitted.

  3. Change the mode of /etc/sssd/sssd.conf to 0600:

    # chmod 0600 /etc/sssd/sssd.conf
  4. Enable the SSSD service:

    # authconfig --update --enablesssd --enablesssdauth

    Note

    If you edit /etc/sssd/sssd.conf, use this command to update the service.

    The --enablesssd option updates /etc/nsswitch.conf to support SSS.

    The --enablesssdauth option updates /etc/pam.d/system-auth to include the required pam_sss.so entries to support SSSD.
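A small consistency check for the sssd.conf layout the procedure above describes, added here as an example (it is not part of SSSD, authconfig, or the original document). It parses the file with Python's configparser and reports the problems step 2 implies: config_file_version must be 2, both nss and pam must be listed and have sections, every listed domain needs a [domain/NAME] section with an id_provider, a Kerberos domain needs krb5_server and krb5_realm, and enumerate should stay false. The sample configuration is constructed from the page's example, trimmed to the keys the check looks at.

```python
import configparser

# Constructed sample: the page's step-2 sssd.conf reduced to the keys checked below.
SAMPLE_CONF = """
[sssd]
config_file_version = 2
domains = LDAP
services = nss, pam
[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.mydom.com
auth_provider = krb5
krb5_server = krbsvr.mydom.com
krb5_realm = MYDOM.COM
enumerate = false
[nss]
[pam]
"""

def _csv(value):
    # sssd.conf lists such as "nss, pam" are comma-separated
    return [v.strip() for v in value.split(",") if v.strip()]

def check_sssd_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("sssd"):
        return ["missing [sssd] section"]
    top, out = cp["sssd"], []
    if top.get("config_file_version") != "2":
        out.append("config_file_version must be 2")
    for svc in ("nss", "pam"):  # the procedure requires both services
        if svc not in _csv(top.get("services", "")):
            out.append(f"services must include {svc}")
        elif not cp.has_section(svc):
            out.append(f"{svc} is enabled but there is no [{svc}] section")
    for dom in _csv(top.get("domains", "")):
        sec = f"domain/{dom}"
        if not cp.has_section(sec):
            out.append(f"domain {dom} is listed but [{sec}] is missing")
            continue
        d = cp[sec]
        if "id_provider" not in d:
            out.append(f"[{sec}] needs id_provider")
        if d.get("auth_provider") == "krb5":  # Kerberos needs a server and a realm
            out += [f"[{sec}] needs {k}" for k in ("krb5_server", "krb5_realm") if k not in d]
        if d.getboolean("enumerate", fallback=False):
            out.append(f"[{sec}] enumerate=true is only advised for small domains")
    return out
```

Run it against a real file with `check_sssd_conf(open("/etc/sssd/sssd.conf").read())` before running the authconfig command in step 4.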