7.3. Configuring Identity and Authentication Providers for SSSD
7.3.1. Introduction to Identity and Authentication Providers for SSSD
SSSD Domains. Identity and Authentication Providers
Identity and authentication providers are configured as domains in the SSSD configuration file. A single domain can be used as:
- An identity provider (for user information)
- An authentication provider (for authentication requests)
- An access control provider (for authorization requests)
- A combination of these providers (if all the corresponding operations are performed within a single server)
You can configure multiple domains for SSSD. At least one domain must be configured, otherwise SSSD will not start.
The access_provider option in the /etc/sssd/sssd.conf file sets the access control provider used for the domain. By default, the option is set to permit, which always allows all access. See the sssd.conf(5) man page for details.
Proxy Providers
A proxy provider works as an intermediary relay between SSSD and resources that SSSD would otherwise not be able to use. When using a proxy provider, SSSD connects to the proxy service, and the proxy loads the specified libraries.
Using a proxy provider, you can configure SSSD to use:
- Alternative authentication methods, such as a fingerprint scanner
- Legacy systems, such as NIS
- A local system account defined in /etc/passwd and remote authentication
Available Combinations of Identity and Authentication Providers
Identity Provider | Authentication Provider
---|---
Identity Management [a] | Identity Management [a]
Active Directory [a] | Active Directory [a]
LDAP | LDAP
LDAP | Kerberos
proxy | proxy
proxy | LDAP
proxy | Kerberos
[a] An extension of the LDAP provider type.
Note that this guide does not describe all provider types. See the following additional resources for more information:
- To configure an SSSD client for Identity Management, Red Hat recommends using the ipa-client-install utility. See Installing and Uninstalling Identity Management Clients in the Linux Domain Identity, Authentication, and Policy Guide.
- To configure an SSSD client for Identity Management manually without ipa-client-install, see Installing and Uninstalling an Identity Management Client Manually in Red Hat Knowledgebase.
- To configure Active Directory to be used with SSSD, see Using Active Directory as an Identity Provider for SSSD in the Windows Integration Guide.
7.3.2. Configuring an LDAP Domain for SSSD
Prerequisites
- Install SSSD.
# yum install sssd
Configure SSSD to Discover the LDAP Domain
- Open the /etc/sssd/sssd.conf file.
- Create a [domain] section for the LDAP domain:
    [domain/LDAP_domain_name]
- Specify if you want to use the LDAP server as an identity provider, an authentication provider, or both.
  - To use the LDAP server as an identity provider, set the id_provider option to ldap.
  - To use the LDAP server as an authentication provider, set the auth_provider option to ldap.
  For example, to use the LDAP server as both:
    [domain/LDAP_domain_name]
    id_provider = ldap
    auth_provider = ldap
- Specify the LDAP server. Choose one of the following:
  - To explicitly define the server, specify the server's URI with the ldap_uri option:
    [domain/LDAP_domain_name]
    id_provider = ldap
    auth_provider = ldap
    ldap_uri = ldap://ldap.example.com
  The ldap_uri option also accepts the IP address of the server. However, using an IP address instead of the server name might cause TLS/SSL connections to fail. See Configuring an SSSD Provider to Use an IP Address in the Certificate Subject Name in Red Hat Knowledgebase.
  - To configure SSSD to discover the server dynamically using DNS service discovery, see Section 7.4.3, “Configuring DNS Service Discovery”.
  Optionally, specify backup servers in the ldap_backup_uri option as well.
- Specify the LDAP server's search base in the ldap_search_base option:
    [domain/LDAP_domain_name]
    id_provider = ldap
    auth_provider = ldap
    ldap_uri = ldap://ldap.example.com
    ldap_search_base = dc=example,dc=com
- Specify a way to establish a secure connection to the LDAP server. The recommended method is to use a TLS connection. To do this, enable the ldap_id_use_start_tls option, and use these CA certificate-related options:
  - ldap_tls_reqcert specifies if the client requests a server certificate and what checks are performed on the certificate
  - ldap_tls_cacert specifies the file containing the certificate
    [domain/LDAP_domain_name]
    id_provider = ldap
    auth_provider = ldap
    ldap_uri = ldap://ldap.example.com
    ldap_search_base = dc=example,dc=com
    ldap_id_use_start_tls = true
    ldap_tls_reqcert = demand
    ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
  Note
  SSSD always uses an encrypted channel for authentication, which ensures that passwords are never sent over the network unencrypted. With ldap_id_use_start_tls = true, identity lookups (such as commands based on the id or getent utilities) are also encrypted.
- Add the new domain to the domains option in the [sssd] section. The option lists the domains that SSSD queries. For example:
    domains = LDAP_domain_name, domain2
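The following check is an added example, not code from the guide or from the SSSD project: it parses an sssd.conf with Python's configparser and reports the settings the procedure above warns about (a domain missing from [sssd] domains, the permit default for access_provider, an IP address in ldap_uri, plain ldap:// without ldap_id_use_start_tls, and a weak ldap_tls_reqcert). The sample configuration and the function names are constructed for this example.

```python
import configparser
import ipaddress
from urllib.parse import urlparse

# Constructed sample sssd.conf (not a real system file): the domain is listed
# in [sssd] but still reaches the server by IP address over plain ldap://.
SAMPLE_CONF = """[sssd]
domains = LDAP_domain_name, domain2

[domain/LDAP_domain_name]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://192.0.2.10
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = allow
"""

def _host_is_ip(uri):
    """True if the host part of an LDAP URI is a literal IP address."""
    try:
        ipaddress.ip_address(urlparse(uri).hostname or "")
    except ValueError:
        return False
    return True

def check_ldap_domain(conf_text, domain):
    """Return a list of findings for the [domain/<domain>] section of conf_text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    section = "domain/" + domain
    if not cp.has_section(section):
        return ["section [%s] not found" % section]
    d, findings = cp[section], []
    # A domain only takes effect when it is listed in the [sssd] domains option.
    listed = [x.strip() for x in cp.get("sssd", "domains", fallback="").split(",")]
    if domain not in listed:
        findings.append("domain is not listed in [sssd] domains")
    if d.get("access_provider", "permit").lower() == "permit":
        findings.append("access_provider is permit (the default): all access is allowed")
    uris = [u.strip() for u in d.get("ldap_uri", "").split(",") if u.strip()]
    for uri in uris:
        if _host_is_ip(uri):
            findings.append("ldap_uri uses an IP address, TLS name check may fail: " + uri)
    start_tls = d.get("ldap_id_use_start_tls", "false").lower() == "true"
    if any(u.startswith("ldap://") for u in uris) and not start_tls:
        findings.append("ldap:// without ldap_id_use_start_tls = true: identity lookups are cleartext")
    # demand and hard are equivalent: the server certificate must verify.
    if d.get("ldap_tls_reqcert", "hard").lower() not in ("demand", "hard"):
        findings.append("ldap_tls_reqcert is not demand: the server certificate is not verified")
    return findings
```

Run it against a copy of /etc/sssd/sssd.conf with the domain name from the [domain/...] section; an empty list means none of the listed issues were found.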
Additional Resources
The above procedure shows the basic options for an LDAP provider. For more details, see:
- the sssd.conf(5) man page, which describes global options available for all types of domains
- the sssd-ldap(5) man page, which describes options specific to LDAP
7.3.3. Configuring the Files Provider for SSSD
The files provider mirrors the content of the /etc/passwd and /etc/group files to make users and groups from these files available through SSSD. This enables you to set the sss database as the first source for users and groups in the /etc/nsswitch.conf file:
    passwd: sss files
    group: sss files
With this setting, and if the files provider is configured in /etc/sssd/sssd.conf, Red Hat Enterprise Linux sends all queries for users and groups first to SSSD. If SSSD is not running or SSSD cannot find the requested entry, the system falls back to looking up users and groups in the local files. If you store most users and groups in a central database, such as an LDAP directory, this setting speeds up user and group lookups.
Prerequisites
- Install SSSD.
# yum install sssd
Configure SSSD to Discover the Files Domain
- Add the following section to the /etc/sssd/sssd.conf file:
    [domain/files]
    id_provider = files
- Optionally, set the sss database as the first source for user and group lookups in the /etc/nsswitch.conf file:
    passwd: sss files
    group: sss files
- Configure the sssd service to start when the system boots:
    # systemctl enable sssd
- Restart the sssd service:
    # systemctl restart sssd
Additional Resources
The above procedure shows the basic options for the files provider. For more details, see:
- the sssd.conf(5) man page, which describes global options available for all types of domains
- the sssd-files(5) man page, which describes options specific to the files provider
7.3.4. Configuring a Proxy Provider for SSSD
Prerequisites
- Install SSSD.
# yum install sssd
Configure SSSD to Discover the Proxy Domain
- Open the /etc/sssd/sssd.conf file.
- Create a [domain] section for the proxy provider:
    [domain/proxy_name]
- To specify an authentication provider:
  - Set the auth_provider option to proxy.
  - Use the proxy_pam_target option to specify a PAM service as the authentication proxy.
  For example:
    [domain/proxy_name]
    auth_provider = proxy
    proxy_pam_target = sssdpamproxy
  Important
  Ensure that the proxy PAM stack does not recursively include pam_sss.so.
- To specify an identity provider:
  - Set the id_provider option to proxy.
  - Use the proxy_lib_name option to specify an NSS library as the identity proxy.
  For example:
    [domain/proxy_name]
    id_provider = proxy
    proxy_lib_name = nis
- Add the new domain to the domains option in the [sssd] section. The option lists the domains that SSSD queries. For example:
    domains = proxy_name, domain2
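The Important note above requires that the PAM stack named in proxy_pam_target never reaches pam_sss.so, since that would loop the proxy back into SSSD. The check below is an added example, not code from the guide or from SSSD: it parses PAM service files in /etc/pam.d format, follows include and substack directives the way PAM does, and lists where pam_sss.so is stacked. The service contents and function names are constructed for this example.

```python
import re

# Constructed sample /etc/pam.d contents (not real system files): the proxy
# target stacks system-auth, which in turn stacks pam_sss.so.
SAMPLE_PAM_D = {
    "sssdpamproxy": """
auth     required   pam_env.so
auth     substack   system-auth
account  include    system-auth
""",
    "system-auth": """
auth     sufficient pam_unix.so nullok try_first_pass
auth     sufficient pam_sss.so use_first_pass
account  required   pam_unix.so
account  [default=bad success=ok user_unknown=ignore] pam_sss.so
""",
}

def _entries(text):
    """Yield (type, control, module, args) tuples from a PAM service file."""
    text = text.replace("\\\n", " ")  # join continuation lines
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # the control field may be a bracketed list such as [default=bad success=ok]
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            yield m.groups()

def find_pam_sss(service, pam_d, mtype=None, seen=None):
    """Return 'service:type' locations where pam_sss.so is stacked, following
    include/substack the way PAM does (an include on an auth line pulls in only
    the auth lines of the target; mtype=None checks every type)."""
    seen = set() if seen is None else seen
    if (service, mtype) in seen or service not in pam_d:
        return []
    seen.add((service, mtype))
    hits = []
    for raw_type, control, module, _args in _entries(pam_d[service]):
        t = raw_type.lstrip("-")  # a leading '-' only silences missing-module logs
        if mtype is not None and t != mtype:
            continue
        if control in ("include", "substack"):
            hits.extend(find_pam_sss(module, pam_d, t, seen))
        elif module.rsplit("/", 1)[-1] == "pam_sss.so":
            hits.append("%s:%s" % (service, t))
    return hits
```

To check a real system, build pam_d from the files in /etc/pam.d and call find_pam_sss with the value of proxy_pam_target; any hit is a stack the note says must be removed.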
Additional Resources
The above procedure shows the basic options for a proxy provider. For more details, see the sssd.conf(5) man page, which describes global options available for all types of domains and other proxy-related options.
7.3.5. Configuring a Kerberos Authentication Provider
Prerequisites
- Install SSSD.
# yum install sssd
Configure SSSD to Discover the Kerberos Domain
- Open the /etc/sssd/sssd.conf file.
- Create a [domain] section for the SSSD domain:
    [domain/Kerberos_domain_name]
- Specify an identity provider. For example, for details on configuring an LDAP identity provider, see Section 7.3.2, “Configuring an LDAP Domain for SSSD”.
  If the Kerberos principal names are not available in the specified identity provider, SSSD constructs the principals using the format username@REALM.
- Specify the Kerberos authentication provider details:
  - Set the auth_provider option to krb5.
    [domain/Kerberos_domain_name]
    id_provider = ldap
    auth_provider = krb5
  - Specify the Kerberos server:
    - To explicitly define the server, use the krb5_server option. The option accepts the host name or IP address of the server:
        [domain/Kerberos_domain_name]
        id_provider = ldap
        auth_provider = krb5
        krb5_server = kdc.example.com
    - To configure SSSD to discover the server dynamically using DNS service discovery, see Section 7.4.3, “Configuring DNS Service Discovery”.
    Optionally, specify backup servers in the krb5_backup_server option as well.
  - If the Change Password service is not running on the KDC specified in krb5_server or krb5_backup_server, use the krb5_passwd option to specify the server where the service is running.
        [domain/Kerberos_domain_name]
        id_provider = ldap
        auth_provider = krb5
        krb5_server = kdc.example.com
        krb5_backup_server = kerberos.example.com
        krb5_passwd = kerberos.admin.example.com
    If krb5_passwd is not used, SSSD uses the KDC specified in krb5_server or krb5_backup_server.
  - Use the krb5_realm option to specify the name of the Kerberos realm.
        [domain/Kerberos_domain_name]
        id_provider = ldap
        auth_provider = krb5
        krb5_server = kerberos.example.com
        krb5_backup_server = kerberos2.example.com
        krb5_passwd = kerberos.admin.example.com
        krb5_realm = EXAMPLE.COM
- Add the new domain to the domains option in the [sssd] section. The option lists the domains that SSSD queries. For example:
    domains = Kerberos_domain_name, domain2
Additional Resources
The above procedure shows the basic options for a Kerberos provider. For more details, see:
- the sssd.conf(5) man page, which describes global options available for all types of domains
- the sssd-krb5(5) man page, which describes options specific to Kerberos