  • parimalanitesh

SSSD Integration with 389ds LDAP

SSSD:

The System Security Services Daemon (SSSD) provides access to remote identity and authentication providers. Providers are configured as back ends with SSSD acting as an intermediary between local clients and any configured back-end provider. The local clients connect to SSSD and then SSSD contacts the providers.

You can use this link to set up a 389ds server and create users.

1) Install SSSD

sudo apt-get install sssd -y

2) If "/etc/sssd/sssd.conf" is not present, create the file and add the details below

[sssd]
config_file_version = 2
services = nss, pam
domains = ldap2
debug_level = 2

[nss]
enum_cache_timeout = 30
filter_users = root
filter_groups = root
reconnection_retries = 3

[pam]
offline_credentials_expiration = 3
offline_failed_login_attempts = 5

[sudo]

[ssh]

[domain/ldap2]
debug_level=3
ldap_auth_disable_tls_never_use_in_production = True
cache_credentials = True
ldap_search_base = dc=openstack,dc=org
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = ldap
ldap_uri = ldap://192.168.1.20:2389
ldap_default_bind_dn = cn=ldap2
ldap_default_authtok = password
#ldap_tls_reqcert = demand
#ldap_tls_cacert = /etc/ssl/certs/ldapcacert.crt
#ldap_tls_cacertdir = /etc/ssl/certs
ldap_search_timeout = 50
ldap_network_timeout = 60
ldap_access_order = filter
ldap_access_filter = (objectClass=posixAccount)

Save the file and exit.

Note: You can add multiple domains to integrate multiple LDAP servers: create a new [domain/<name>] section with the second LDAP server's details and add that name to the "domains" line under [sssd].

Note: "ldap_auth_disable_tls_never_use_in_production" should be set to True only if TLS is not enabled on the LDAP server; with it set, bind and login passwords cross the network unencrypted. If TLS is enabled on the LDAP server, leave it out and provide the certificate settings instead (the commented-out ldap_tls_reqcert, ldap_tls_cacert and ldap_tls_cacertdir lines above).


3) Remove the existing cache database

cd /var/lib/sss/db/
rm -rf *

4) Restart the sssd service

systemctl restart sssd.service

5) Check the files inside /var/lib/sss/db. New cache files should have been created.


6) Log in as an LDAP user with the ssh command. The LDAP user should be able to log in successfully.


7) Another way to check is getent passwd | grep "username", which should list the user's passwd entry.
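The checks below are an added example, not part of the original post. They automate the parts of steps 2 to 7 that can be verified from the client: that sssd.conf has the ownership and mode SSSD insists on before it will start, that every domain listed under [sssd] has an ldap_uri, that the TLS-disabling option is flagged wherever it is set, and that an account resolves through NSS the way step 7 expects. It assumes a Linux host (GNU stat), the ini layout used in the post, and domain sections named "domain/<name>"; the function names and the constructed config used in the usage note are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the SSSD
# configuration described above, plus the NSS lookup from step 7.
# Assumptions: Linux (GNU stat), an ini-style sssd.conf as written in the post,
# and a [domain/<name>] section for each name in "domains" under [sssd].

# sssd_get FILE SECTION KEY: print the value of KEY inside [SECTION], skipping
# comment lines and surrounding whitespace; prints nothing if KEY is absent.
sssd_get() {
    awk -v sec="[$2]" -v key="$3" '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        line == sec { in_sec = 1; next }
        line ~ /^\[/ { in_sec = 0; next }
        in_sec && line !~ /^#/ && index(line, "=") {
            k = substr(line, 1, index(line, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr(line, index(line, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_sssd_conf FILE [OWNER]: print one line per finding; return 0 only when
# there are none. SSSD refuses to start unless sssd.conf is mode 0600 and owned
# by root (OWNER defaults to root; pass another name when checking a copy).
check_sssd_conf() {
    conf=$1
    want_owner=${2:-root}
    rc=0
    [ -r "$conf" ] || { echo "FAIL: $conf is not readable"; return 1; }

    mode=$(stat -c '%a' "$conf")
    owner=$(stat -c '%U' "$conf")
    [ "$mode" = 600 ] || { echo "FAIL: mode $mode on $conf, expected 600"; rc=1; }
    [ "$owner" = "$want_owner" ] || { echo "FAIL: owner $owner on $conf, expected $want_owner"; rc=1; }

    domains=$(sssd_get "$conf" sssd domains | tr ',' ' ')
    [ -n "$domains" ] || { echo "FAIL: no domains listed under [sssd]"; rc=1; }

    for dom in $domains; do
        sec="domain/$dom"
        uri=$(sssd_get "$conf" "$sec" ldap_uri)
        notls=$(sssd_get "$conf" "$sec" ldap_auth_disable_tls_never_use_in_production)
        [ -n "$uri" ] || { echo "FAIL: [$sec] has no ldap_uri"; rc=1; }
        case "$notls" in
            [Tt][Rr][Uu][Ee])
                # A simple bind over plain ldap:// sends the bind password and
                # every user's login password across the network unencrypted.
                echo "WARN: [$sec] disables TLS; credentials are sent in cleartext"
                rc=1 ;;
        esac
    done
    return $rc
}

# lookup_user NAME: print the passwd entry NSS resolves for NAME (step 7);
# returns non-zero when the name does not resolve.
lookup_user() {
    getent passwd "$1"
}
```

Usage: after writing the config, run check_sssd_conf /etc/sssd/sssd.conf; fix every FAIL line before restarting sssd, and treat the WARN line as the reminder that the setup is not production-ready. After the restart, lookup_user <ldapuser> should print the entry that getent passwd | grep "username" shows in step 7; an empty result means the cache was not rebuilt or the domain cannot reach the server, and the sssd domain log under /var/log/sssd is the next place to look.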

