SSSD:
The System Security Services Daemon (SSSD) provides access to remote identity and authentication providers. Providers are configured as back ends with SSSD acting as an intermediary between local clients and any configured back-end provider. The local clients connect to SSSD and then SSSD contacts the providers.
You can use this link to set up a 389ds server and create users.
1) Install SSSD
sudo apt-get install sssd -y
2) If "/etc/sssd/sssd.conf" is not present, create the file and add the details below:
[sssd]
config_file_version = 2
services = nss, pam
domains = ldap2
debug_level = 2
[nss]
enum_cache_timeout = 30
filter_users = root
filter_groups = root
reconnection_retries = 3
[pam]
offline_credentials_expiration = 3
offline_failed_login_attempts = 5
[sudo]
[ssh]
[domain/ldap2]
debug_level=3
ldap_auth_disable_tls_never_use_in_production = True
cache_credentials = True
ldap_search_base = dc=openstack,dc=org
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ldap://192.168.1.20:2389
ldap_default_bind_dn = cn=ldap2
ldap_default_authtok = password
#ldap_tls_reqcert = demand
#ldap_tls_cacert = /etc/ssl/certs/ldapcacert.crt
#ldap_tls_cacertdir = /etc/ssl/certs
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)
Save the file and exit
Note: Multiple domains can be added to integrate multiple LDAP servers. Create a second [domain/...] section with the second server's details and list it in the domains option of the [sssd] section.
Note: "ldap_auth_disable_tls_never_use_in_production" should be set to True only if TLS is not enabled on the LDAP server. As the option name says, this is for test setups only: SSSD then sends the bind password and users' login passwords to the server in cleartext. If TLS is enabled on the LDAP servers, leave the option out and supply the CA certificate through the ldap_tls_reqcert / ldap_tls_cacert options that are commented out above.
3) Remove the existing SSSD cache database
cd /var/lib/sss/db/
rm -rf *
4) Restart sssd services
systemctl restart sssd.service
5) Check the files inside /var/lib/sss/db. New cache files should have been created.
6) Try to log in as an LDAP user over ssh. The LDAP user should log in successfully.
7) Another check is getent passwd | grep "username", which should list the user's passwd entry.
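As an added example (not part of this page and not SSSD's own tooling), the POSIX shell script below audits an sssd.conf for the settings discussed in the note on ldap_auth_disable_tls_never_use_in_production: every [domain/...] section is checked for that test-only switch, for identity lookups over plain ldap:// without ldap_id_use_start_tls, and for a relaxed ldap_tls_reqcert. The two configs it audits are constructed inline; ldaps://ldap.example.org in the hardened one is a placeholder host.

```shell
# Added example (not SSSD tooling): audit an sssd.conf for LDAP settings that leave
# credentials unencrypted. audit_sssd_conf FILE prints one verdict per [domain/...]
# section and returns 1 if any domain is weak.
audit_sssd_conf() {
    awk '
    /^[[:space:]]*\[/ {                 # new section: report the previous domain first
        if (sec ~ /^domain\//) report()
        sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/].*$/, "", sec)
        for (k in kv) delete kv[k]
        next
    }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }     # skip comments and blank lines
    /=/ {                               # key = value; values compared case-insensitively
        key = $0; sub(/[[:space:]]*=.*/, "", key); gsub(/[[:space:]]/, "", key)
        val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
        kv[key] = tolower(val)
    }
    END { if (sec ~ /^domain\//) report(); exit bad }
    function report(   why) {
        if (kv["ldap_auth_disable_tls_never_use_in_production"] == "true")
            why = why " [auth without TLS: bind DN and user passwords cross the network in cleartext]"
        if (kv["ldap_uri"] ~ /^ldap:\/\// && kv["ldap_id_use_start_tls"] != "true")
            why = why " [identity lookups over plain ldap:// without STARTTLS]"
        if (kv["ldap_tls_reqcert"] == "never" || kv["ldap_tls_reqcert"] == "allow")
            why = why " [server certificate not verified: ldap_tls_reqcert=" kv["ldap_tls_reqcert"] "]"
        if (why == "") print sec ": ok"; else { print sec ": WEAK" why; bad = 1 }
    }' "$1"
}
# Constructed samples: the test-only domain from the page, then a hardened variant
# (ldaps://ldap.example.org is a placeholder host).
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
[domain/ldap2]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://192.168.1.20:2389
ldap_auth_disable_tls_never_use_in_production = True
EOF
cat > "$HARD_CONF" <<'EOF'
[domain/ldap2]
ldap_uri = ldaps://ldap.example.org
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ldapcacert.crt
EOF
for f in "$WEAK_CONF" "$HARD_CONF"; do
    if audit_sssd_conf "$f"; then echo "  -> safe to deploy"; else echo "  -> fix before production"; fi
done
```

Run it against the real file with audit_sssd_conf /etc/sssd/sssd.conf before restarting SSSD in step 4.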