24.4.10.1 Configuring an LDAP Client to use SSSD

The Authentication Configuration GUI and authconfig configure access to LDAP through sss entries in /etc/nsswitch.conf, so you must also configure the System Security Services Daemon (SSSD) on the LDAP client.

To configure an LDAP client to use SSSD:

  1. Install the sssd and sssd-client packages:

    # yum install sssd sssd-client
  2. Edit the /etc/sssd/sssd.conf configuration file and configure the sections to support the required services, for example:

    [sssd]
    config_file_version = 2
    domains = default
    services = nss, pam
    
    [domain/default]
    id_provider = ldap
    ldap_uri = ldap://ldap.mydom.com
    ldap_id_use_start_tls = true
    ldap_search_base = dc=mydom,dc=com
    ldap_tls_cacertdir = /etc/openldap/cacerts
    
    auth_provider = krb5
    chpass_provider = krb5
    krb5_realm = MYDOM.COM
    krb5_server = krbsvr.mydom.com
    krb5_kpasswd = krbsvr.mydom.com
    cache_credentials = true
    
    [domain/LDAP]
    id_provider = ldap
    ldap_uri = ldap://ldap.mydom.com
    ldap_search_base = dc=mydom,dc=com
    
    auth_provider = krb5
    krb5_realm = MYDOM.COM
    krb5_server = kdcsvr.mydom.com
    cache_credentials = true
    
    min_id = 5000
    max_id = 25000
    enumerate = false
    
    [nss]
    filter_groups = root
    filter_users = root
    reconnection_retries = 3
    entry_cache_timeout = 300
    
    [pam]
    reconnection_retries = 3
    offline_credentials_expiration = 2
    offline_failed_login_attempts = 3
    offline_failed_login_delay = 5
  3. Change the mode of /etc/sssd/sssd.conf to 0600:

    # chmod 0600 /etc/sssd/sssd.conf
  4. Enable the SSSD service:

    # authconfig --update --enablesssd --enablesssdauth
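
As an added verification step (example code written for this page, not part of the Oracle Linux documentation or of SSSD itself), the following Python script audits the settings the procedure above relies on: that /etc/sssd/sssd.conf is mode 0600 (step 3), that every domain listed in the [sssd] section has a matching [domain/...] section, that an LDAP identity provider reached over a plain ldap:// URI has ldap_id_use_start_tls = true, and that /etc/nsswitch.conf lists sss for the passwd, shadow and group databases (what step 4 configures). The embedded sssd.conf is constructed from the step 2 example and the nsswitch.conf lines are constructed as well; the audit rules are this example's own choices, not requirements stated by the documentation.

```python
"""Audit sssd.conf / nsswitch.conf for the settings the SSSD client
procedure depends on.  Added example; the sample inputs are constructed."""
import configparser
import os
import stat
import tempfile

# Constructed from the page's step 2 example (Kerberos lines trimmed).
SAMPLE_SSSD_CONF = """\
[sssd]
config_file_version = 2
domains = default
services = nss, pam

[domain/default]
id_provider = ldap
ldap_uri = ldap://ldap.mydom.com
ldap_id_use_start_tls = true
ldap_search_base = dc=mydom,dc=com
ldap_tls_cacertdir = /etc/openldap/cacerts
auth_provider = krb5
krb5_realm = MYDOM.COM
krb5_server = krbsvr.mydom.com
cache_credentials = true

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.mydom.com
ldap_search_base = dc=mydom,dc=com
auth_provider = krb5
krb5_realm = MYDOM.COM
cache_credentials = true
"""

# Constructed nsswitch.conf excerpt, as authconfig --enablesssd leaves it.
SAMPLE_NSSWITCH = """\
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-style; only '=' separates keys from values."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return cp


def audit_config_text(text):
    """Return a list of human-readable findings for an sssd.conf body."""
    cp = parse_sssd_conf(text)
    findings = []
    if not cp.has_section("sssd"):
        return ["missing [sssd] section"]
    active = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    if not active:
        findings.append("[sssd] domains is empty: no identity source is active")
    for name in active:
        section = "domain/" + name
        if not cp.has_section(section):
            findings.append(f"active domain '{name}' has no [{section}] section")
            continue
        if cp.get(section, "id_provider", fallback="") == "ldap":
            uris = cp.get(section, "ldap_uri", fallback="").split(",")
            plain = [u.strip() for u in uris if u.strip().startswith("ldap://")]
            starttls = cp.getboolean(section, "ldap_id_use_start_tls", fallback=False)
            if plain and not starttls:
                # Identity lookups would cross the network in cleartext.
                findings.append(f"[{section}] uses {', '.join(plain)} without ldap_id_use_start_tls = true")
    for sec in cp.sections():
        if sec.startswith("domain/") and sec[len("domain/"):] not in active:
            findings.append(f"[{sec}] is defined but not listed in [sssd] domains (inactive)")
    return findings


def audit_file_mode(path):
    """Return a finding if group/other bits are set (step 3 wants 0600), else None."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        return f"{path} mode is {oct(mode)}, expected 0600"
    return None


def nsswitch_databases_using_sss(text):
    """Return the set of nsswitch databases whose source list contains sss."""
    using = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        if "sss" in sources.split():
            using.add(db.strip())
    return using


def write_sample_with_mode(mode):
    """Write the sample config to a temp file with the given mode; return its path."""
    fd, path = tempfile.mkstemp(prefix="sssd-audit-")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_SSSD_CONF)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for finding in audit_config_text(SAMPLE_SSSD_CONF):
        print("NOTE:", finding)
    path = write_sample_with_mode(0o644)
    print(audit_file_mode(path))
    os.chmod(path, 0o600)
    print(audit_file_mode(path))
    os.unlink(path)
    print(sorted(nsswitch_databases_using_sss(SAMPLE_NSSWITCH)))
```

Run against the page's own example the script reports only that [domain/LDAP] is defined but inactive; if you add LDAP to the domains line it instead reports that this domain queries ldap:// without StartTLS, which is the condition a reviewer would most want to catch before the client goes into service. To audit a live host, pass the contents of /etc/sssd/sssd.conf to audit_config_text and its path to audit_file_mode.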

For more information, see the sssd.conf(5) manual page and Section 24.8, “About the System Security Services Daemon”.