Install the sssd and sssd-client packages:

# yum install sssd sssd-client

Edit the /etc/sssd/sssd.conf configuration file and configure the sections to support the required services, for example:

[sssd]
config_file_version = 2
domains = LDAP
services = nss, pam

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://ldap.mydom.com
ldap_search_base = dc=mydom,dc=com

auth_provider = krb5
krb5_server = krbsvr.mydom.com
krb5_realm = MYDOM.COM
cache_credentials = true

min_id = 5000
max_id = 25000
enumerate = false

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
entry_cache_timeout = 300

[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

The [sssd] section contains configuration settings for SSSD monitor options, domains, and services. The SSSD monitor service manages the services that SSSD provides.

The services entry defines the supported services, which should include nss for the Name Service Switch and pam for Pluggable Authentication Modules.

The domains entry specifies the name of the sections that define authentication domains.

The [domain/LDAP] section defines a domain for an LDAP identity provider that uses Kerberos authentication. Each domain defines where user information is stored, the authentication method, and any configuration options. SSSD can work with LDAP identity providers such as OpenLDAP, Red Hat Directory Server, IPA, and Microsoft Active Directory, and it can use either native LDAP or Kerberos authentication.

The id_provider entry specifies the type of provider (in this example, LDAP). ldap_uri specifies a comma-separated list of the Universal Resource Identifiers (URIs) of the LDAP servers, in order of preference, to which SSSD can connect. ldap_search_base specifies the base distinguished name (dn) that SSSD should use when performing LDAP user operations on a relative distinguished name (RDN) such as a common name (cn).

The auth_provider entry specifies the authentication provider (in this example, Kerberos). krb5_server specifies a comma-separated list of Kerberos servers, in order of preference, to which SSSD can connect. krb5_realm specifies the Kerberos realm. cache_credentials specifies if SSSD caches user credentials such as tickets, session keys, and other identifying information to support offline authentication and single sign-on.

The min_id and max_id entries specify upper and lower limits on the values of user and group IDs. enumerate specifies whether SSSD caches the complete list of users and groups that are available on the provider. The recommended setting is False unless a domain contains relatively few users or groups.

The [nss] section configures the Name Service Switch (NSS) module that integrates the SSS database with NSS. The filter_users and filter_groups entries prevent NSS retrieving information about the specified users and groups being retrieved from SSS. reconnection_retries specifies the number of times that SSSD should attempt to reconnect if a data provider crashes. enum_cache_timeout specifies the number of seconds for which SSSD caches user information requests.

The [pam] section configures the PAM module that integrates SSS with PAM. The offline_credentials_expiration entry specifies the number of days for which to allow cached logins if the authentication provider is offline. offline_failed_login_attempts specifies how many failed login attempts are allowed if the authentication provider is offline. offline_failed_login_delay specifies how many minutes after offline_failed_login_attempts failed login attempts that a new login attempt is permitted.

Change the mode of /etc/sssd/sssd.conf to 0600:

# chmod 0600 /etc/sssd/sssd.conf

Enable the SSSD service:

# authconfig --update --enablesssd --enablesssdauth

The --enablesssd option updates /etc/nsswitch.conf to support SSS.

The --enablesssdauth option updates /etc/pam.d/system-auth to include the required pam_sss.so entries to support SSSD.