389 Directory Server 1.3.x LDAP client authentication
Last time we did a multi-master replication setup, see 389 Directory Server 1.3.x Replication.
Setting up LDAP client authentication on RHEL7 is next on the list. Let's install and configure SSSD today.
[root@ldap01 ~]# yum -y install sssd-ldap ...
Since we don't allow anonymous binds (nsslapd-allow-anonymous-access: rootdse), we need a special proxy user with no password expiration for this to work.
dirsrv@ldap01 $ PAPW="$(pwmake 192)"
dirsrv@ldap01 $ echo -n "$PAPW" > /etc/dirsrv/.papw
dirsrv@ldap01 $ chmod 400 /etc/dirsrv/.papw
dirsrv@ldap01 $ ldapadd -D "cn=Directory Manager" -y /etc/dirsrv/.dmpw -x -ZZ
dn: cn=proxyagent,ou=Special Users,dc=unix,dc=mycompany,dc=com
objectclass: top
objectclass: organizationalRole
objectClass: simpleSecurityObject
cn: proxyagent
userPassword: $(pwdhash -s PBKDF2_SHA256 $(< /etc/dirsrv/.papw))
passwordExpirationTime: 20380119031407Z
^D
adding new entry "cn=proxyagent,ou=Special Users,dc=unix,dc=mycompany,dc=com"
With the proxyagent user in place we can configure SSSD now.
[root@ldap01 ~]# cat << EOF > /etc/sssd/sssd.conf
[sssd]
services = nss, pam
domains = LDAP

[nss]
filter_users = root
filter_groups = root
entry_cache_nowait_percentage = 75

[pam]
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap01.mycompany.com,ldap://ldap02.mycompany.com
ldap_search_base = dc=unix,dc=mycompany,dc=com
ldap_default_bind_dn = cn=proxyagent,ou=Special Users,dc=unix,dc=mycompany,dc=com
ldap_default_authtok = $(< /etc/dirsrv/.papw)
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/CA.crt
ldap_id_use_start_tls = true
enumerate = true
EOF
[root@ldap01 ~]# chmod 600 /etc/sssd/sssd.conf
[root@ldap01 ~]# authconfig --enablesssd --enablesssdauth --enablemkhomedir --update
[root@ldap01 ~]# systemctl enable sssd && systemctl start sssd
[root@ldap01 ~]# getent passwd smiddy6
smiddy6:x:1125:1001:Shrinkers Smiddy, smiddy6@mycompany.com:/home/smiddy6:/bin/bash
[root@ldap01 ~]# getent group uat
uat:*:1002:
[root@ldap01 ~]# ssh smiddy6@$(hostname -s)
smiddy6@ldap01's password:
Password expired. Change your password now.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user smiddy6.
Current Password: ...
Very good.
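A small audit of the resulting sssd.conf, added here as an example and not part of the original post: it flags the settings whose weakening would send the proxyagent bind password in cleartext or let SSSD trust an impersonated server. The config text is a constructed copy of the [domain/LDAP] section above with a placeholder password; the file mode is passed in as an assumed input rather than read from disk.

```python
import configparser

# Constructed sample: the page's [domain/LDAP] section, with a placeholder
# in place of the real proxyagent password.
GOOD_CONF = """[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap01.mycompany.com,ldap://ldap02.mycompany.com
ldap_search_base = dc=unix,dc=mycompany,dc=com
ldap_default_bind_dn = cn=proxyagent,ou=Special Users,dc=unix,dc=mycompany,dc=com
ldap_default_authtok = PLACEHOLDER-proxyagent-password
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/openldap/certs/CA.crt
ldap_id_use_start_tls = true
"""

# Constructed sample: the same domain with the TLS settings weakened.
WEAK_CONF = (GOOD_CONF
             .replace("ldap_tls_reqcert = demand", "ldap_tls_reqcert = never")
             .replace("ldap_id_use_start_tls = true", "ldap_id_use_start_tls = false")
             .replace("ldap_tls_cacert = /etc/openldap/certs/CA.crt\n", ""))

def audit_sssd_conf(text, mode=0o600):
    """Return a list of findings for an sssd.conf body and its file mode bits."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    if mode & 0o077:  # ldap_default_authtok is a cleartext bind password
        findings.append("file mode %o is group/world readable, use chmod 600" % mode)
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        uris = [u.strip() for u in d.get("ldap_uri", "").split(",") if u.strip()]
        # ldap:// is cleartext unless SSSD upgrades the connection with STARTTLS
        if any(u.startswith("ldap://") for u in uris) and d.get("ldap_id_use_start_tls", "false").lower() != "true":
            findings.append(f"{section}: ldap:// URI without ldap_id_use_start_tls = true, binds go in cleartext")
        # anything weaker than demand/hard accepts an unverified server certificate
        if d.get("ldap_tls_reqcert", "hard").lower() not in ("demand", "hard"):
            findings.append(f"{section}: ldap_tls_reqcert = {d['ldap_tls_reqcert']} skips server certificate verification")
        if not (d.get("ldap_tls_cacert") or d.get("ldap_tls_cacertdir")):
            findings.append(f"{section}: no ldap_tls_cacert/ldap_tls_cacertdir, server certificate cannot be verified")
        if d.get("ldap_default_bind_dn") and not d.get("ldap_default_authtok"):
            findings.append(f"{section}: ldap_default_bind_dn set but ldap_default_authtok is empty")
    return findings
```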
Links
- Red Hat Enterprise Linux / 7 / System-Level Authentication Guide / Configuring System Services for SSSD
- Red Hat Enterprise Linux / 7 / System-Level Authentication Guide / Configuring Identity and Authentication Providers for SSSD