Red Hat SummitChapter 11. Migrating authentication from nslcd to SSSD
11.1. Migrating a RHEL client from nslcd to SSSD
As the nss-pam-ldapd package has been removed from RHEL, Red Hat recommends migrating to SSSD and its ldap provider, which replaces the functionality of the nslcd service. The following procedure describes how to configure SSSD to authenticate LDAP users on a client that was previously configured to use an nss-pam-ldap authentication configuration.
Prerequisites
- Your RHEL client is on RHEL 8 or RHEL 9.
-
You have previously configured the RHEL client to authenticate to an LDAP directory server with the
nslcdservice. - The LDAP directory service uses a schema defined in RFC-2307.
Procedure
Back up the current authentication configuration:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow authselect apply-changes -b --backup=ldap-configuration-backup
# authselect apply-changes -b --backup=ldap-configuration-backupInstall
SSSDpackages:Copy to Clipboard Copied! Toggle word wrap Toggle overflow yum install sssd-ldap sssd-ad sssd-client \ sssd-common sssd-common-pac \ sssd-krb5 sssd-krb5-common
# yum install sssd-ldap sssd-ad sssd-client \ sssd-common sssd-common-pac \ sssd-krb5 sssd-krb5-commonStop and disable the
nslcdandnscdservices:Copy to Clipboard Copied! Toggle word wrap Toggle overflow systemctl stop nslcd nscd systemctl disable nslcd nscd
# systemctl stop nslcd nscd # systemctl disable nslcd nscdConfigure authentication with
SSSD:Copy to Clipboard Copied! Toggle word wrap Toggle overflow authselect select sssd with-mkhomedir --force
# authselect select sssd with-mkhomedir --forceSet the necessary ownership and permissions for the
SSSDconfiguration file:Copy to Clipboard Copied! Toggle word wrap Toggle overflow chown root:root /etc/sssd/sssd.conf chmod 600 /etc/sssd/sssd.conf
# chown root:root /etc/sssd/sssd.conf # chmod 600 /etc/sssd/sssd.conf-
Open the
/etc/sssd/sssd.conffile for editing. Enter the following configuration, replacing values such as
example.comanddc=example,dc=comwith values that are appropriate for your environment:Copy to Clipboard Copied! Toggle word wrap Toggle overflow [sssd] config_file_version = 2 services = nss, pam domains = EXAMPLE.COM debug_level = 6 [domain/EXAMPLE.COM] id_provider = ldap auth_provider = ldap ldap_uri = ldap://server.example.com/ ldap_search_base = dc=example,dc=com ldap_default_bind_dn = CN=binddn,DC=example,DC=com ldap_default_authtok_type = password ldap_default_authtok = <bind_account_password> cache_credentials = True
[sssd] config_file_version = 2 services = nss, pam domains = EXAMPLE.COM debug_level = 6 [domain/EXAMPLE.COM] id_provider = ldap auth_provider = ldap ldap_uri = ldap://server.example.com/ ldap_search_base = dc=example,dc=com ldap_default_bind_dn = CN=binddn,DC=example,DC=com ldap_default_authtok_type = password ldap_default_authtok = <bind_account_password> cache_credentials = TrueNoteYou might need to specify the LDAP schema in your
SSSDconfiguration:If you are using the RFC-2307bis schema in your directory server, add the following line to the
[domain/EXAMPLE.COM]section:Copy to Clipboard Copied! Toggle word wrap Toggle overflow ldap_schema = rfc2307bis
ldap_schema = rfc2307bisIf you are using a Microsoft Active Directory server, add the following line to the
[domain/EXAMPLE.COM]section to enable LDAP-based authentication:Copy to Clipboard Copied! Toggle word wrap Toggle overflow ldap_schema = ad
ldap_schema = adIf you need Kerberos authentication, Red Hat recommends joining the RHEL client to your AD domain with the
realmcommand, which automatically configures theSSSDservice.Enable and start the
SSSDservice:Copy to Clipboard Copied! Toggle word wrap Toggle overflow systemctl enable sssd systemctl start sssd
# systemctl enable sssd # systemctl start sssd
Verification
Ensure you can retrieve information about your LDAP users:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow id ldapuser getent passwd ldapuser
# id ldapuser uid=100424(ldapuser) gid=100424(ldapuser) groups=100424(ldapuser) # getent passwd ldapuser ldapuser:*: 100424: 100424:User, LDAP:/home/ldapuser:/bin/bashEnsure you can log in as an LDAP user:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow ssh -l ldapuser localhost
# ssh -l ldapuser localhost ldapuser@localhost's password: Last login: Tue Dec 07 19:34:35 2021 from localhost -sh-4.2$
If you need to restore your original LDAP configuration with nslcd and nscd, use the following commands:
authselect backup-restore=ldap-configuration-backup systemctl stop sssd && systemctl disable sssd systemctl start nslcd nscd systemctl enable nslcd nscd
# authselect backup-restore=ldap-configuration-backup
# systemctl stop sssd && systemctl disable sssd
# systemctl start nslcd nscd
# systemctl enable nslcd nscd11.2. sssd.conf option equivalents of nslcd.conf options
To help with migrating from nslcd to SSSD, the following table shows common options from the nslcd.conf configuration file and their equivalent options in the sssd.conf configuration file.
nslcd.conf option | sssd.conf option | Description |
|---|---|---|
|
| No equivalent |
The user id with which the daemon should be run. By default, SSSD runs as the |
|
| No equivalent |
The group id with which the daemon should be run. By default, SSSD runs as the |
|
|
|
The URI of the LDAP server in the following format: |
|
|
| The distinguished name of the search base. |
|
|
| The default bind DN to use for performing LDAP operations |
|
|
| The authentication token of the default bind DN. Only clear text passwords are currently supported. |
|
|
| The authentication token of the default bind DN. Only clear text passwords are currently supported. |
|
|
| Specifies what checks to perform on a server-supplied certificate. |
|
|
| The file that contains certificates for all of the Certificate Authorities |
|
|
| The path of a directory that contains Certificate Authority certificates in separate individual files. |
|
|
| An optional base DN, search scope and LDAP filter to restrict LDAP searches for users. |
|
|
| An optional base DN, search scope and LDAP filter to restrict LDAP searches for groups. |
Additional resources
-
nslcd.conf(5)andsssd-ldap(5)man pages on your system
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}