Chapter 11. Migrating authentication from nslcd to SSSD
11.1. Migrating a RHEL client from nslcd to SSSD
As the nss-pam-ldapd package has been removed from RHEL, Red Hat recommends migrating to SSSD and its ldap provider, which replaces the functionality of the nslcd service. The following procedure describes how to configure SSSD to authenticate LDAP users on a client that was previously configured to use an nss-pam-ldapd (nslcd) authentication configuration.
Prerequisites
- Your RHEL client is on RHEL 8 or RHEL 9.
- You have previously configured the RHEL client to authenticate to an LDAP directory server with the nslcd service.
- The LDAP directory service uses a schema defined in RFC-2307.
Procedure
1. Back up the current authentication configuration:
   # authselect apply-changes -b --backup=ldap-configuration-backup
2. Install the SSSD packages:
   # yum install sssd-ldap sssd-ad sssd-client \
       sssd-common sssd-common-pac \
       sssd-krb5 sssd-krb5-common
3. Stop and disable the nslcd and nscd services:
   # systemctl stop nslcd nscd
   # systemctl disable nslcd nscd
4. Configure authentication with SSSD:
   # authselect select sssd with-mkhomedir --force
5. Set the necessary ownership and permissions for the SSSD configuration file (create the file first if it does not exist yet). The file will hold the bind account password in clear text, so it must be readable by root only:
   # chown root:root /etc/sssd/sssd.conf
   # chmod 600 /etc/sssd/sssd.conf
6. Open the /etc/sssd/sssd.conf file for editing. Enter the following configuration, replacing values such as example.com and dc=example,dc=com with values that are appropriate for your environment:
   [sssd]
   config_file_version = 2
   services = nss, pam
   domains = EXAMPLE.COM
   debug_level = 6

   [domain/EXAMPLE.COM]
   id_provider = ldap
   auth_provider = ldap
   ldap_uri = ldap://server.example.com/
   ldap_search_base = dc=example,dc=com
   ldap_default_bind_dn = CN=binddn,DC=example,DC=com
   ldap_default_authtok_type = password
   ldap_default_authtok = <bind_account_password>
   cache_credentials = True

   Note: You might need to specify the LDAP schema in your SSSD configuration:
   - If you are using the RFC-2307bis schema in your directory server, add the following line to the [domain/EXAMPLE.COM] section:
     ldap_schema = rfc2307bis
   - If you are using a Microsoft Active Directory server, add the following line to the [domain/EXAMPLE.COM] section to enable LDAP-based authentication:
     ldap_schema = ad
   If you need Kerberos authentication, Red Hat recommends joining the RHEL client to your AD domain with the realm command, which automatically configures the SSSD service.

   Transport caveat: SSSD does not send authentication data over an unencrypted LDAP connection. With a plain ldap:// URI as above it negotiates STARTTLS for password checks, so the directory server must offer STARTTLS and present a certificate the client trusts (set ldap_tls_cacert or ldap_tls_cacertdir, see the option table in Section 11.2), or use an ldaps:// URI instead. Identity lookups are not covered by that rule and go in the clear unless you also set ldap_id_use_start_tls = true. debug_level = 6 is verbose and is meant for the migration; lower it once the client is verified.
7. Enable and start the SSSD service:
   # systemctl enable sssd
   # systemctl start sssd
Verification
1. Ensure you can retrieve information about your LDAP users:
   # id ldapuser
   uid=100424(ldapuser) gid=100424(ldapuser) groups=100424(ldapuser)
   # getent passwd ldapuser
   ldapuser:*:100424:100424:User, LDAP:/home/ldapuser:/bin/bash
2. Ensure you can log in as an LDAP user:
   # ssh -l ldapuser localhost
   ldapuser@localhost's password:
   Last login: Tue Dec 07 19:34:35 2021 from localhost
   -sh-4.2$
If you need to restore your original LDAP configuration with nslcd and nscd, use the following commands:
# authselect backup-restore ldap-configuration-backup
# systemctl stop sssd && systemctl disable sssd
# systemctl start nslcd nscd
# systemctl enable nslcd nscd
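The following script is an added example, not part of the Red Hat procedure: a pre-flight check that reads an sssd.conf written as in step 6 and reports the points a reviewer would verify before starting sssd (mode 0600 because ldap_default_authtok is stored in clear text, a [domain/NAME] section for every domain listed in [sssd], and a TLS-protected LDAP channel with certificate validation left on). The function names, the constructed sample configuration in write_sample_conf (the procedure's values plus ldap_id_use_start_tls and an assumed RHEL CA-bundle path for ldap_tls_cacert) and the weakened copy in the demo are all this example's own.

```shell
#!/bin/sh
# Added example (not Red Hat's code): pre-flight checks for an sssd.conf
# with an LDAP domain. Checked:
#   - mode 0600: ldap_default_authtok is a clear-text bind password
#   - every domain in [sssd] domains has a [domain/NAME] with an id_provider
#   - ldaps://, or ldap://+ldap_id_use_start_tls = true, and ldap_tls_reqcert
#     not weakened to never/allow
# The sample in write_sample_conf is constructed; its CA path is an assumption.

# conf_get FILE SECTION KEY: print KEY's value from [SECTION], first match only.
conf_get() {
    awk -v sect="[$2]" -v key="$3" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }      # trim the line
        /^\[/ { in_sect = ($0 == sect); next }          # section header
        in_sect && $0 ~ ("^" key "[ \t]*=") {           # key = value
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# check_conf_mode FILE: succeed only if FILE is mode 0600.
check_conf_mode() {
    mode=$(stat -c '%a' "$1")          # GNU stat, as shipped on RHEL
    [ "$mode" = "600" ] && return 0
    echo "FAIL: $1 has mode $mode, expected 600 (chmod 600 $1)"
    return 1
}

# check_conf_domains FILE: each domain in [sssd] domains needs a section
# with an id_provider, otherwise sssd has nothing to serve for it.
check_conf_domains() {
    rc=0
    for dom in $(conf_get "$1" sssd domains | tr ',' ' '); do
        if [ -z "$(conf_get "$1" "domain/$dom" id_provider)" ]; then
            echo "FAIL: [domain/$dom] is missing or has no id_provider"; rc=1
        fi
    done
    return $rc
}

# check_conf_tls FILE DOMAIN: succeed only if DOMAIN's LDAP channel is protected.
check_conf_tls() {
    sect="domain/$2"; rc=0
    uri=$(conf_get "$1" "$sect" ldap_uri)
    starttls=$(conf_get "$1" "$sect" ldap_id_use_start_tls)
    reqcert=$(conf_get "$1" "$sect" ldap_tls_reqcert)
    case "$uri" in
        ldaps://*) ;;                                  # TLS from the first byte
        ldap://*)
            # SSSD negotiates STARTTLS for password checks by itself, but
            # identity lookups stay in clear text unless this is enabled.
            case "$starttls" in
                [Tt]rue) ;;
                *) echo "FAIL: $uri without ldap_id_use_start_tls = true"; rc=1 ;;
            esac ;;
        *) echo "FAIL: unrecognised or missing ldap_uri '$uri'"; rc=1 ;;
    esac
    case "$reqcert" in
        never|allow)
            echo "FAIL: ldap_tls_reqcert = $reqcert disables certificate validation"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the procedure's configuration plus STARTTLS and a CA bundle.
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = EXAMPLE.COM

[domain/EXAMPLE.COM]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://server.example.com/
ldap_id_use_start_tls = true
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = CN=binddn,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = <bind_account_password>
cache_credentials = True
EOF
    chmod 600 "$1"
}

# Demo: the sample passes; a world-readable copy with validation off does not.
demo() {
    good=$(mktemp); bad=$(mktemp)
    write_sample_conf "$good"
    echo "== hardened sample =="
    check_conf_mode "$good" && check_conf_domains "$good" \
        && check_conf_tls "$good" EXAMPLE.COM && echo "OK: all checks passed"
    cp "$good" "$bad"; chmod 644 "$bad"
    echo "ldap_tls_reqcert = never" >> "$bad"
    echo "== weakened copy =="
    check_conf_mode "$bad" || true
    check_conf_tls "$bad" EXAMPLE.COM || true
    rm -f "$good" "$bad"
}
demo
```

Run it as is to see both outcomes, or call the three check functions against /etc/sssd/sssd.conf as root before step 7. The checks are deliberately static: they do not contact the directory server, so a passing result still needs the verification steps below.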
11.2. sssd.conf option equivalents of nslcd.conf options
To help with migrating from nslcd to SSSD, the following table shows common options from the nslcd.conf configuration file and their equivalent options in the sssd.conf configuration file.
| nslcd.conf option | sssd.conf option | Description |
|---|---|---|
|  | No equivalent | The user id with which the daemon should be run. By default, SSSD runs as the |
|  | No equivalent | The group id with which the daemon should be run. By default, SSSD runs as the |
|  |  | The URI of the LDAP server in the following format: |
|  |  | The distinguished name of the search base. |
|  |  | The default bind DN to use for performing LDAP operations. |
|  |  | The authentication token of the default bind DN. Only clear text passwords are currently supported. |
|  |  | The authentication token of the default bind DN. Only clear text passwords are currently supported. |
|  |  | Specifies what checks to perform on a server-supplied certificate. |
|  |  | The file that contains certificates for all of the Certificate Authorities. |
|  |  | The path of a directory that contains Certificate Authority certificates in separate individual files. |
|  |  | An optional base DN, search scope and LDAP filter to restrict LDAP searches for users. |
|  |  | An optional base DN, search scope and LDAP filter to restrict LDAP searches for groups. |
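As an added example (not Red Hat's code) of the mapping the table above describes, the script below converts the LDAP settings of an nslcd.conf into a [domain/...] section for sssd.conf. The nslcd option names (uri, base, binddn, bindpw, ssl, tls_reqcert, tls_cacertfile, tls_cacertdir, uid, gid and the per-map base/scope/filter lines) are taken from nslcd.conf(5) and the sssd names from sssd-ldap(5); how ssl, scope values and the per-map lines are translated is this script's own choice, and options nslcd has but SSSD does not are reported on stderr rather than dropped silently. The function names, the domain name EXAMPLE.COM, the CA-bundle path and the sample nslcd.conf in sample_nslcd_conf are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Red Hat's code: nslcd.conf -> sssd.conf [domain/...]
# section, following the option pairs in the table above. Option names are
# from nslcd.conf(5) and sssd-ldap(5); the handling of ssl, scope and per-map
# base/filter lines is this script's own choice. Unmappable options go to
# stderr. The sample nslcd.conf below is constructed.

# nslcd_to_sssd NSLCD_CONF DOMAIN: print [domain/DOMAIN] for sssd.conf on stdout.
nslcd_to_sssd() {
    awk -v dom="$2" '
    function emit(k, v) { printf "%s = %s\n", k, v }
    function warn(msg)  { printf "WARNING: %s\n", msg > "/dev/stderr" }
    function sssd_scope(s) {               # nslcd one/sub -> sssd onelevel/subtree
        if (s == "sub" || s == "subtree") return "subtree"
        if (s == "one" || s == "onelevel") return "onelevel"
        return s
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }                        # comments, blank lines
    $1 == "uri" { sub(/^[ \t]*uri[ \t]+/, ""); uri = $0; gsub(/[ \t]+/, ", ", uri); next }
    $1 == "base"   && NF == 2 { gbase = $2; next }           # global search base
    $1 == "binddn" { binddn = $2; next }
    $1 == "bindpw" { bindpw = $2; next }
    $1 == "ssl"    { ssl = $2; next }
    $1 == "tls_reqcert"    { reqcert = $2; next }
    $1 == "tls_cacertfile" { cafile = $2; next }
    $1 == "tls_cacertdir"  { cadir = $2; next }
    # per-map lines: "base passwd DN", "scope group one", "filter passwd (...)"
    $1 == "base"   && NF == 3 { mbase[$2] = $3; maps[$2] = 1; next }
    $1 == "scope"  && NF == 3 { mscope[$2] = $3; maps[$2] = 1; next }
    $1 == "filter" && NF >= 3 { f = $0; sub(/^[ \t]*filter[ \t]+[a-z]+[ \t]+/, "", f)
                                mfilter[$2] = f; maps[$2] = 1; next }
    $1 == "uid" || $1 == "gid" { warn($1 " " $2 ": no sssd.conf equivalent, dropped"); next }
    END {
        printf "[domain/%s]\n", dom
        emit("id_provider", "ldap"); emit("auth_provider", "ldap")
        if (uri == "") warn("no uri in nslcd.conf, ldap_uri left empty")
        emit("ldap_uri", uri)
        if (gbase != "")  emit("ldap_search_base", gbase)
        if (binddn != "") emit("ldap_default_bind_dn", binddn)
        if (bindpw != "") {                  # clear text: keep sssd.conf root:root 0600
            emit("ldap_default_authtok_type", "password")
            emit("ldap_default_authtok", bindpw)
        }
        if (ssl == "start_tls") {
            emit("ldap_id_use_start_tls", "true")
        } else if (ssl == "on") {            # nslcd "ssl on" means LDAPS on the uri
            if (uri !~ /^ldaps:\/\//) warn("ssl on but uri is not ldaps://")
        } else {
            warn("nslcd used no TLS; SSSD will not send passwords without TLS, set ldap_id_use_start_tls = true or use an ldaps:// uri")
        }
        if (reqcert != "") {
            if (reqcert == "never" || reqcert == "allow")
                warn("tls_reqcert " reqcert " carried over: the server certificate is not validated")
            emit("ldap_tls_reqcert", reqcert)
        }
        if (cafile != "") emit("ldap_tls_cacert", cafile)
        if (cadir != "")  emit("ldap_tls_cacertdir", cadir)
        # sssd folds base, scope and filter into one string: base?scope?filter
        for (m in maps) {
            if (m == "passwd") { key = "ldap_user_search_base" }
            else if (m == "group") { key = "ldap_group_search_base" }
            else { warn("map " m ": no sssd.conf equivalent, dropped"); continue }
            b = (m in mbase) ? mbase[m] : gbase
            s = (m in mscope) ? sssd_scope(mscope[m]) : "subtree"
            if (m in mfilter) { emit(key, b "?" s "?" mfilter[m]) }
            else if (m in mscope) { emit(key, b "?" s "?") }
            else { emit(key, b) }
        }
    }' "$1"
}

# Constructed sample nslcd.conf using the directory layout of the procedure.
sample_nslcd_conf() {
    cat <<'EOF'
# constructed /etc/nslcd.conf
uid nslcd
gid ldap
uri ldap://server.example.com/
base dc=example,dc=com
binddn cn=binddn,dc=example,dc=com
bindpw <bind_account_password>
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
base passwd ou=People,dc=example,dc=com
scope passwd one
filter passwd (objectClass=posixAccount)
base group ou=Groups,dc=example,dc=com
EOF
}

demo() {
    n=$(mktemp); sample_nslcd_conf > "$n"
    nslcd_to_sssd "$n" EXAMPLE.COM      # section on stdout, warnings on stderr
    rm -f "$n"
}
demo
```

The output is the [domain/...] section only; the [sssd] section from step 6 (services, domains, config_file_version) still has to be written by hand, and the generated file must get the root:root 0600 permissions from step 5 before sssd reads it, since the bind password is copied over verbatim.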