The software described in this documentation is either in Extended Support or Sustaining Support. See https://www.oracle.com/us/support/library/enterprise-linux-support-policies-069172.pdf for more information.
Oracle recommends that you upgrade the software described by this documentation as soon as possible.
To configure an SSSD server:

1. Install the sssd and sssd-client packages:

       # yum install sssd sssd-client

2. Edit the /etc/sssd/sssd.conf configuration file and configure the sections to support the required services, for example:

       [sssd]
       config_file_version = 2
       domains = LDAP
       services = nss, pam

       [domain/LDAP]
       id_provider = ldap
       ldap_uri = ldap://ldap.mydom.com
       ldap_search_base = dc=mydom,dc=com
       auth_provider = krb5
       krb5_server = krbsvr.mydom.com
       krb5_realm = MYDOM.COM
       cache_credentials = true
       min_id = 5000
       max_id = 25000
       enumerate = false

       [nss]
       filter_groups = root
       filter_users = root
       reconnection_retries = 3
       entry_cache_timeout = 300

       [pam]
       reconnection_retries = 3
       offline_credentials_expiration = 2
       offline_failed_login_attempts = 3
       offline_failed_login_delay = 5

   The [sssd] section contains configuration settings for SSSD monitor options, domains, and services. The SSSD monitor service manages the services that SSSD provides.

   The services entry defines the supported services, which should include nss for the Name Service Switch and pam for Pluggable Authentication Modules.

   The domains entry specifies the names of the sections that define authentication domains.

   The [domain/LDAP] section defines a domain for an LDAP identity provider that uses Kerberos authentication. Each domain defines where user information is stored, the authentication method, and any configuration options. SSSD can work with LDAP identity providers such as OpenLDAP, Red Hat Directory Server, IPA, and Microsoft Active Directory, and it can use either native LDAP or Kerberos authentication.

   The id_provider entry specifies the type of provider (in this example, LDAP). ldap_uri specifies a comma-separated list of the Universal Resource Identifiers (URIs) of the LDAP servers, in order of preference, to which SSSD can connect. ldap_search_base specifies the base distinguished name (dn) that SSSD should use when performing LDAP user operations on a relative distinguished name (RDN) such as a common name (cn).

   The auth_provider entry specifies the authentication provider (in this example, Kerberos). krb5_server specifies a comma-separated list of Kerberos servers, in order of preference, to which SSSD can connect. krb5_realm specifies the Kerberos realm. cache_credentials specifies whether SSSD caches user credentials such as tickets, session keys, and other identifying information to support offline authentication and single sign-on.

   Note: To allow SSSD to use Kerberos authentication with an LDAP server, you must configure the LDAP server to use both Simple Authentication and Security Layer (SASL) and the Generic Security Services API (GSSAPI). For more information about configuring SASL and GSSAPI for OpenLDAP, see http://www.openldap.org/doc/admin24/sasl.html.

   The min_id and max_id entries specify the lower and upper limits on the values of user and group IDs. enumerate specifies whether SSSD caches the complete list of users and groups that are available on the provider. The recommended setting is False unless a domain contains relatively few users or groups.

   The [nss] section configures the Name Service Switch (NSS) module that integrates the SSS database with NSS. The filter_users and filter_groups entries prevent NSS from retrieving information about the specified users and groups from SSS. reconnection_retries specifies the number of times that SSSD should attempt to reconnect if a data provider crashes. enum_cache_timeout specifies the number of seconds for which SSSD caches user information requests.

   The [pam] section configures the PAM module that integrates SSS with PAM. The offline_credentials_expiration entry specifies the number of days for which to allow cached logins if the authentication provider is offline. offline_failed_login_attempts specifies how many failed login attempts are allowed if the authentication provider is offline. offline_failed_login_delay specifies how many minutes after offline_failed_login_attempts failed login attempts that a new login attempt is permitted.

3. Change the mode of /etc/sssd/sssd.conf to 0600:

       # chmod 0600 /etc/sssd/sssd.conf

4. Enable the SSSD service:

       # authconfig --update --enablesssd --enablesssdauth

   Note: If you edit /etc/sssd/sssd.conf, use this command to update the service.

   The --enablesssd option updates /etc/nsswitch.conf to support SSS. The --enablesssdauth option updates /etc/pam.d/system-auth to include the required pam_sss.so entries to support SSSD.
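The following Python checker is an added example, not part of Oracle's documentation or of the SSSD project: it parses an sssd.conf in the layout shown above, flags the mistakes that would leave the procedure half-applied (a service listed without its section, a domain listed without its [domain/NAME] section, min_id not below max_id, enumerate enabled), and writes the file with the 0600 mode that step 3 requires. The sample configuration and the function names are constructed for the example.

```python
import configparser, os, stat

# Constructed sample (not from the page) mirroring the sssd.conf in the procedure above.
SAMPLE_CONF = """\
[sssd]
domains = LDAP
services = nss, pam
[domain/LDAP]
id_provider = ldap
auth_provider = krb5
krb5_server = krbsvr.mydom.com
min_id = 5000
max_id = 25000
enumerate = false
[nss]
[pam]
"""

def _csv(cp, key):  # "nss, pam" -> ["nss", "pam"]
    return [v.strip() for v in cp.get("sssd", key, fallback="").split(",") if v.strip()]

def check_sssd_conf(text):
    """Return a list of findings for an sssd.conf; an empty list means every check passed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("sssd"):
        return ["missing [sssd] section"]
    findings = []
    for svc in ("nss", "pam"):  # both must be listed in services and have their own section
        if svc not in _csv(cp, "services"):
            findings.append(f"[sssd] services should include {svc}")
        elif not cp.has_section(svc):
            findings.append(f"service {svc} is enabled but has no [{svc}] section")
    for dom in _csv(cp, "domains"):  # every listed domain needs a [domain/NAME] section
        sec = f"domain/{dom}"
        if not cp.has_section(sec):
            findings.append(f"domain {dom} is listed but [{sec}] is missing")
            continue
        if cp.getint(sec, "min_id", fallback=1) >= cp.getint(sec, "max_id", fallback=2**31):
            findings.append(f"[{sec}] min_id must be below max_id")
        if cp.getboolean(sec, "enumerate", fallback=False):
            findings.append(f"[{sec}] enumerate = true is only recommended for small domains")
    return findings

def install_private_conf(text, path):
    # Write the file owner-readable only (step 3) and report whether mode 0600 took effect.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, 0o600)  # os.open's mode is masked by umask; chmod makes 0600 definite
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600
```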