22.4.10.1 Configuring an LDAP Client to use SSSD

The Authentication Configuration GUI and authconfig configure access to LDAP via sss entries in /etc/nsswitch.conf so you must configure the System Security Services Daemon (SSSD) on the LDAP client.

To configure an LDAP client to use SSSD:

  1. Install the sssd and sssd-client packages:

    # yum install sssd sssd-client

  2. Edit the /etc/sssd/sssd.conf configuration file and configure the sections to support the required services, for example:

    [sssd]
config_file_version = 2
domains = default
services = nss, pam

[domain/default]
id_provider = ldap
ldap_uri = ldap://ldap.mydom.com
ldap_id_use_start_tls = true
ldap_search_base = dc=mydom,dc=com
ldap_tls_cacertdir = /etc/openldap/cacerts

auth_provider = krb5
chpass_provider = krb5
krb5_realm = MYDOM.COM
krb5_server = krbsvr.mydom.com
krb5_kpasswd = krbsvr.mydom.com
cache_credentials = true

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.mydom.com
ldap_search_base = dc=mydom,dc=com

auth_provider = krb5
krb5_realm = MYDOM.COM
krb5_server = kdcsvr.mydom.com
cache_credentials = true

min_id = 5000
max_id = 25000
enumerate = false

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

  3. Change the mode of /etc/sssd/sssd.conf to 0600:

    # chmod 0600 /etc/sssd/sssd.conf

  4. Enable the SSSD service:

    # authconfig --update --enablesssd --enablesssdauth

For more information, see the sssd.conf(5) manual page and Section 22.8, “About the System Security Services Daemon”.

Copyright © 2013, 2019, Oracle and/or its affiliates. All rights reserved. Legal Notices