7.5. Configuring System Services for SSSD
SSSD provides interfaces towards several system services. Most notably:
- Name Service Switch (NSS)
- Pluggable Authentication Modules (PAM)
- OpenSSH. See Configuring SSSD to Provide a Cache for the OpenSSH Services in the Linux Domain Identity, Authentication, and Policy Guide.
- autofs
- sudo
7.5.1. Configuring Services: NSS
How SSSD Works with NSS
The Name Service Switch (NSS) service maps system identities and services with configuration sources: it provides a central configuration store where services can look up sources for various configuration and name resolution mechanisms.
SSSD can use NSS as a provider for several types of NSS maps. Most notably:
- User information (the passwd map)
- Groups (the groups map)
- Netgroups (the netgroups map)
- Services (the services map)
Prerequisites
- Install SSSD:
    # yum install sssd
Configure NSS Services to Use SSSD
- Use the authconfig utility to enable SSSD:
    [root@server ~]# authconfig --enablesssd --update
  This updates the /etc/nsswitch.conf file to enable the following NSS maps to use SSSD:
    passwd:     files sss
    shadow:     files sss
    group:      files sss
    netgroup:   files sss
- Open /etc/nsswitch.conf and add sss to the services map line:
    services:   files sss
Configure SSSD to work with NSS
- Open the /etc/sssd/sssd.conf file.
- In the [sssd] section, make sure that NSS is listed as one of the services that works with SSSD.
    [sssd]
    [... file truncated ...]
    services = nss, pam
- In the [nss] section, configure how SSSD interacts with NSS. For example:
    [nss]
    filter_groups = root
    filter_users = root
    entry_cache_timeout = 300
    entry_cache_nowait_percentage = 75
  For a complete list of available options, see NSS configuration options in the sssd.conf(5) man page.
- Restart SSSD:
    # systemctl restart sssd.service
Test That the Integration Works Correctly
Display information about a user with these commands:
    id user
    getent passwd user
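The two commands above exercise the whole chain, but they only show that one user resolves. The following POSIX shell script is an added example, not part of this guide or of SSSD: it parses a constructed copy of nsswitch.conf and reports which maps are routed through the sss source, and whether files is consulted before sss, so that local accounts such as root still resolve when SSSD is unavailable. It goes beyond this section by also checking the automount and sudoers maps set up in Section 7.5.3 and Section 7.5.4. The function names and the sample file are this example's own; on a real host you would point the functions at /etc/nsswitch.conf.

```shell
#!/bin/sh
# Added example, not from the guide or from SSSD: sanity-check which
# nsswitch.conf maps are routed through the sss source. Point it at
# /etc/nsswitch.conf on a real host; here it reads a constructed sample.
set -eu

# Print the source list of MAP in FILE (e.g. "files sss"); print nothing
# if the map is absent. Comments are stripped first.
nss_map_sources() {
    awk -v map="$2" '
        { sub(/#.*/, "") }
        match($0, "^[ \t]*" map "[ \t]*:") { print substr($0, RLENGTH + 1); exit }
    ' "$1"
}

# Succeed if MAP in FILE lists the sss source.
nss_map_has_sss() {
    nss_map_sources "$1" "$2" | tr -s ' \t' '\n\n' | grep -qx sss
}

# Succeed if "files" is consulted before "sss" on MAP (or sss is not used
# at all): local accounts should never depend on a remote directory.
nss_files_before_sss() {
    nss_map_sources "$1" "$2" | awk '{
        f = 0; s = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "files" && !f) f = i
            if ($i == "sss" && !s) s = i
        }
        exit (s == 0 || (f > 0 && f < s)) ? 0 : 1
    }'
}

# Print, on one line, the SSSD-served maps in FILE that do not use sss.
nss_missing_maps() {
    missing=""
    for map in passwd shadow group netgroup services automount sudoers; do
        nss_map_has_sss "$1" "$map" || missing="$missing $map"
    done
    printf '%s\n' "${missing# }"
}

# Constructed sample: the state after "authconfig --enablesssd --update" and
# the manual services edit, with automount and sudoers still on defaults.
SAMPLE_NSSWITCH=$(mktemp)
trap 'rm -f "$SAMPLE_NSSWITCH"' EXIT
cat > "$SAMPLE_NSSWITCH" <<'EOF'
# /etc/nsswitch.conf (constructed sample, not a real host's file)
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
netgroup:   files sss
services:   files sss
automount:  files ldap
sudoers:    files
EOF

printf 'maps not routed through sss: %s\n' "$(nss_missing_maps "$SAMPLE_NSSWITCH")"
for map in passwd shadow group; do
    nss_files_before_sss "$SAMPLE_NSSWITCH" "$map" ||
        printf 'WARNING: %s consults sss before files\n' "$map"
done
```

On the sample the script reports automount and sudoers as not yet routed through sss, which is exactly what the later sections fix; on a real host an empty report after the authconfig step is what you want to see before moving on to PAM.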
7.5.2. Configuring Services: PAM
Warning
A mistake in the PAM configuration file can lock users out of the system completely. Always back up the configuration files before performing any changes, and keep a session open so that you can revert any changes.
Configure PAM to Use SSSD
- Use the authconfig utility to enable SSSD:
    # authconfig --enablesssdauth --update
  This updates the PAM configuration to reference the SSSD modules, usually in the /etc/pam.d/system-auth and /etc/pam.d/password-auth files. For example:
    [... file truncated ...]
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_sss.so use_first_pass
    auth        required      pam_deny.so
    [... file truncated ...]
  For details, see the pam.conf(5) or pam(8) man pages.
Configure SSSD to work with PAM
- Open the /etc/sssd/sssd.conf file.
- In the [sssd] section, make sure that PAM is listed as one of the services that works with SSSD.
    [sssd]
    [... file truncated ...]
    services = nss, pam
- In the [pam] section, configure how SSSD interacts with PAM. For example:
    [pam]
    offline_credentials_expiration = 2
    offline_failed_login_attempts = 3
    offline_failed_login_delay = 5
  For a complete list of available options, see PAM configuration options in the sssd.conf(5) man page.
- Restart SSSD:
    # systemctl restart sssd.service
Test That the Integration Works Correctly
- Try logging in as a user.
- Use the sssctl user-checks user_name auth command to check your SSSD configuration. For details, use the sssctl user-checks --help command.
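Because of the lockout risk in the warning above, it is worth checking the auth stack itself before closing your open session. The following POSIX shell script is an added example, not part of this guide or of SSSD: it reads a PAM service file in the "type control module [args]" layout shown above and verifies that pam_sss.so sits between pam_unix.so and pam_deny.so and carries use_first_pass. It runs on two constructed samples, one matching the stack above and one with a typical hand-editing mistake; the function names and both sample files are this example's own, and on a real host you would point the functions at /etc/pam.d/system-auth.

```shell
#!/bin/sh
# Added example, not from the guide or from SSSD: inspect the auth stack of a
# PAM service file before trusting it with your only login session. On a real
# host point it at /etc/pam.d/system-auth; here it reads constructed samples.
set -eu

# Print the 1-based position of MODULE among the TYPE lines of FILE (0 if
# absent). Lines are "type control module [args]"; bracketed control fields
# such as [success=1 default=ignore] are not handled by this simple parser.
pam_module_index() {
    awk -v type="$2" -v mod="$3" '
        { sub(/#.*/, "") }
        $1 == type { n++; if ($3 == mod) { idx = n; exit } }
        END { print idx + 0 }
    ' "$1"
}

# Succeed if the pam_sss.so auth line carries use_first_pass, so the user is
# not prompted a second time after pam_unix.so has already asked.
pam_sss_reuses_password() {
    awk '
        { sub(/#.*/, "") }
        $1 == "auth" && $3 == "pam_sss.so" {
            for (i = 4; i <= NF; i++) if ($i == "use_first_pass") ok = 1
        }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# Succeed if the auth stack is ordered pam_unix.so < pam_sss.so < pam_deny.so:
# local accounts are tried first, SSSD second, and the final deny is reached
# only when both fail. A pam_sss.so placed after pam_deny.so is never run.
pam_auth_stack_ok() {
    unix_pos=$(pam_module_index "$1" auth pam_unix.so)
    sss_pos=$(pam_module_index "$1" auth pam_sss.so)
    deny_pos=$(pam_module_index "$1" auth pam_deny.so)
    [ "$unix_pos" -gt 0 ] && [ "$sss_pos" -gt "$unix_pos" ] && [ "$deny_pos" -gt "$sss_pos" ]
}

# Constructed sample matching the stack shown in this section (good ordering).
PAM_GOOD=$(mktemp)
PAM_BAD=$(mktemp)
trap 'rm -f "$PAM_GOOD" "$PAM_BAD"' EXIT
cat > "$PAM_GOOD" <<'EOF'
# constructed sample of /etc/pam.d/system-auth, auth section only
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
EOF

# Constructed sample of a hand-editing mistake: pam_sss.so was appended after
# pam_deny.so and without use_first_pass, so SSSD users can never log in.
cat > "$PAM_BAD" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
auth        sufficient    pam_sss.so
EOF

for f in "$PAM_GOOD" "$PAM_BAD"; do
    if pam_auth_stack_ok "$f" && pam_sss_reuses_password "$f"; then
        printf '%s: auth stack OK\n' "$f"
    else
        printf '%s: auth stack NOT OK, fix it before logging out\n' "$f"
    fi
done
```

The check complements sssctl user-checks: sssctl exercises SSSD's side of the PAM conversation, while this script catches an ordering mistake in the stack that would make pam_sss.so unreachable regardless of how SSSD is configured.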
7.5.3. Configuring Services: autofs
How SSSD Works with automount
The automount utility can mount and unmount NFS file systems automatically (on-demand mounting), which saves system resources. For details on automount, see autofs in the Storage Administration Guide.
You can configure automount to point to SSSD. In this setup:
- When a user attempts to mount a directory, SSSD contacts LDAP to obtain the required information about the current automount configuration.
- SSSD stores the information required by automount in a cache, so that users can mount directories even when the LDAP server is offline.
Configure autofs to Use SSSD
- Install the autofs package:
    # yum install autofs
- Open the /etc/nsswitch.conf file.
- On the automount line, change the location where to look for the automount map information from ldap to sss:
    automount:  files sss
Configure SSSD to work with autofs
- Open the /etc/sssd/sssd.conf file.
- In the [sssd] section, add autofs to the list of services that SSSD manages.
    [sssd]
    services = nss,pam,autofs
- Create a new [autofs] section. You can leave it empty.
    [autofs]
  For a list of available options, see AUTOFS configuration options in the sssd.conf(5) man page.
- Make sure an LDAP domain is available in sssd.conf, so that SSSD can read the automount information from LDAP. See Section 7.3.2, “Configuring an LDAP Domain for SSSD”.
  The [domain] section of sssd.conf accepts several autofs-related options. For example:
    [domain/LDAP]
    [... file truncated ...]
    autofs_provider=ldap
    ldap_autofs_search_base=cn=automount,dc=example,dc=com
    ldap_autofs_map_object_class=automountMap
    ldap_autofs_entry_object_class=automount
    ldap_autofs_map_name=automountMapName
    ldap_autofs_entry_key=automountKey
    ldap_autofs_entry_value=automountInformation
  For a complete list of available options, see DOMAIN SECTIONS in the sssd.conf(5) man page. If you do not provide additional autofs options, the configuration depends on the identity provider settings.
- Restart SSSD:
    # systemctl restart sssd.service
Test the Configuration
- Use the automount -m command to print the maps from SSSD.
7.5.4. Configuring Services: sudo
How SSSD Works with sudo
The sudo utility gives administrative access to specified users. For more information about sudo, see The sudo utility documentation in the System Administrator's Guide.
You can configure sudo to point to SSSD. In this setup:
- When a user attempts a sudo operation, SSSD contacts LDAP or AD to obtain the required information about the current sudo configuration.
- SSSD stores the sudo information in a cache, so that users can perform sudo operations even when the LDAP or AD server is offline.
SSSD only caches sudo rules which apply to the local system, depending on the value of the sudoHost attribute. See the sssd-sudo(5) man page for details.
Configure sudo to Use SSSD
- Open the /etc/nsswitch.conf file.
- Add SSSD to the list on the sudoers line.
    sudoers:    files sss
Configure SSSD to work with sudo
- Open the /etc/sssd/sssd.conf file.
- In the [sssd] section, add sudo to the list of services that SSSD manages.
    [sssd]
    services = nss,pam,sudo
- Create a new [sudo] section. You can leave it empty.
    [sudo]
  For a list of available options, see SUDO configuration options in the sssd.conf(5) man page.
- Make sure an LDAP or AD domain is available in sssd.conf, so that SSSD can read the sudo information from the directory. For details, see:
    - the Using Active Directory as an Identity Provider for SSSD section in the Windows Integration Guide.
  The [domain] section for the LDAP or AD domain must include these sudo-related parameters:
    [domain/LDAP_or_AD_domain]
    ...
    sudo_provider = ldap
    ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
  Note
  Setting Identity Management or AD as the ID provider automatically enables the sudo provider. In this situation, it is not necessary to specify the sudo_provider parameter.
  For a complete list of available options, see DOMAIN SECTIONS in the sssd.conf(5) man page. For options available for a sudo provider, see the sssd-ldap(5) man page.
- Restart SSSD:
    # systemctl restart sssd.service
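The autofs procedure in Section 7.5.3 and the sudo procedure above come down to the same three edits to sssd.conf: add the service to the services list in [sssd], create its own section, and make sure a domain carries the matching provider options. The following POSIX shell script is an added example, not part of this guide or of SSSD, that parses a constructed sssd.conf and checks those points for nss, pam, autofs and sudo, and applies the Note above by accepting a domain without sudo_provider when its id_provider is ipa or ad. The function names and the sample file are this example's own; on a real host you would point the functions at /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Added example, not from the guide or from SSSD: verify the sssd.conf edits
# made for the NSS, PAM, autofs and sudo services. On a real host point it at
# /etc/sssd/sssd.conf; here it reads a constructed sample.
set -eu

# Print the value of KEY in [SECTION] of FILE, or nothing if it is absent.
# Handles "key = value" with optional whitespace and "#"/";" comment lines.
sssd_get() {
    awk -v sect="$2" -v key="$3" '
        BEGIN { hdr = "[" sect "]" }
        /^[ \t]*[#;]/ { next }
        { sub(/[ \t]*$/, "") }
        /^\[.*\]$/ { in_sect = ($0 == hdr); next }
        in_sect && index($0, "=") {
            k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]*/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); print v; exit }
        }
    ' "$1"
}

# Succeed if [SECTION] exists in FILE (an empty section counts).
sssd_section_exists() {
    awk -v sect="$2" '
        BEGIN { hdr = "[" sect "]" }
        { sub(/[ \t]*$/, "") }
        $0 == hdr { found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Succeed if SERVICE is in the "services" list of [sssd]; the list may be
# written "nss, pam" or "nss,pam,autofs".
sssd_services_has() {
    sssd_get "$1" sssd services | tr ',' '\n' | tr -d ' \t' | grep -qx "$2"
}

# Print, one per line, the services named in [sssd] "services" that have no
# matching [section] in FILE (this guide configures each in its own section).
sssd_unconfigured_services() {
    for svc in nss pam autofs sudo; do
        if sssd_services_has "$1" "$svc" && ! sssd_section_exists "$1" "$svc"; then
            printf '%s\n' "$svc"
        fi
    done
}

# Succeed if domain SECTION has an explicit sudo_provider, or an id_provider
# (ipa or ad) that enables the sudo provider automatically.
sssd_sudo_provider_ok() {
    [ -n "$(sssd_get "$1" "$2" sudo_provider)" ] && return 0
    case "$(sssd_get "$1" "$2" id_provider)" in
        ipa|ad) return 0 ;;
    esac
    return 1
}

# Constructed sample: all four services listed, but the [sudo] section that
# the procedure above tells you to create has been forgotten.
SAMPLE_SSSD_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_SSSD_CONF"' EXIT
cat > "$SAMPLE_SSSD_CONF" <<'EOF'
# constructed sample of /etc/sssd/sssd.conf, not a real host's file
[sssd]
services = nss, pam, autofs, sudo
domains = LDAP

[nss]
filter_groups = root
filter_users = root
entry_cache_timeout = 300

[pam]
offline_credentials_expiration = 2
offline_failed_login_attempts = 3

[autofs]

[domain/LDAP]
id_provider = ldap
autofs_provider = ldap
ldap_autofs_search_base = cn=automount,dc=example,dc=com
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com
EOF

printf 'services listed in [sssd]: %s\n' "$(sssd_get "$SAMPLE_SSSD_CONF" sssd services)"
printf 'listed but without a section: %s\n' "$(sssd_unconfigured_services "$SAMPLE_SSSD_CONF" | tr '\n' ' ')"
if sssd_sudo_provider_ok "$SAMPLE_SSSD_CONF" domain/LDAP; then
    printf 'sudo rules are read from: %s\n' "$(sssd_get "$SAMPLE_SSSD_CONF" domain/LDAP ldap_sudo_search_base)"
fi
```

Run against the sample, the script names sudo as listed but unconfigured; after adding the [sudo] section and restarting SSSD the report is empty, which is the state the procedure above leaves you in.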
If you use AD as the provider, you must extend the AD schema to support sudo rules. For details, see the sudo documentation.
For details about providing sudo rules in LDAP or AD, see the sudoers.ldap(5) man page.