Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 5. Configuring SSSD to use LDAP and require TLS authentication

Complete this procedure to configure your Red Hat Enterprise Linux (RHEL) system as an OpenLDAP client.

Use the following client configuration:

  • The RHEL system authenticates users stored in an OpenLDAP user account database.
  • The RHEL system uses the System Security Services Daemon (SSSD) service to retrieve user data.
  • The RHEL system communicates with the OpenLDAP server over a TLS-encrypted connection.
Note

You can alternatively use this procedure to configure your RHEL system as a client of a Red Hat Directory Server.

Prerequisites

  • The OpenLDAP server is installed and configured with user information.
  • You have root permissions on the host you are configuring as the LDAP client.
  • On the host you are configuring as the LDAP client, the /etc/sssd/sssd.conf file has been created and configured to specify ldap as the autofs_provider and the id_provider.
  • You have a PEM-formatted copy of the root CA signing certificate chain from the Certificate Authority that issued the OpenLDAP server certificate, stored in a local file named core-dirsrv.ca.pem.

Procedure

  1. Install the requisite packages: 

    # dnf -y install openldap-clients sssd sssd-ldap oddjob-mkhomedir

  2. Switch the authentication provider to sssd: 

    # authselect select sssd with-mkhomedir

  3. Copy the core-dirsrv.ca.pem file containing the root CA signing certificate chain from the Certificate Authority that issued the OpenLDAP server’s SSL/TLS certificate into the /etc/openldap/certs folder. 

    # cp core-dirsrv.ca.pem /etc/openldap/certs

  4. Add the URL and suffix of your LDAP server to the /etc/openldap/ldap.conf file: 

    URI ldap://ldap-server.example.com/
BASE dc=example,dc=com

  5. In the /etc/openldap/ldap.conf file, add a line pointing the TLS_CACERT parameter to /etc/openldap/certs/core-dirsrv.ca.pem: 

    # When no CA certificates are specified the Shared System Certificates
# are in use. In order to have these available along with the ones specified
# by TLS_CACERTDIR one has to include them explicitly:
TLS_CACERT /etc/openldap/certs/core-dirsrv.ca.pem

  6. In the /etc/sssd/sssd.conf file, add your environment values to the ldap_uri and ldap_search_base parameters and set the ldap_id_use_start_tls to True: 

    [domain/default]
id_provider = ldap
autofs_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap-server.example.com/
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_reqcert = allow

[sssd]
services = nss, pam, autofs
domains = default

[nss]
homedir_substring = /home
…

  7. In /etc/sssd/sssd.conf, specify the TLS authentication requirement by modifying the ldap_tls_cacert and ldap_tls_reqcert values in the [domain] section: 

    …
cache_credentials = True
ldap_tls_cacert = /etc/openldap/certs/core-dirsrv.ca.pem
ldap_tls_reqcert = hard

  8. Change the permissions on the /etc/sssd/sssd.conf file: 

    # chmod 600 /etc/sssd/sssd.conf

  9. Restart and enable the SSSD service and the oddjobd daemon: 

    # systemctl restart sssd oddjobd
# systemctl enable sssd oddjobd

  10. Optional: If your LDAP server uses the deprecated TLS 1.0 or TLS 1.1 protocols, switch the system-wide cryptographic policy on the client system to the LEGACY level to allow RHEL to communicate using these protocols: 

    # update-crypto-policies --set LEGACY

    For more details, see the Strong crypto defaults in RHEL 8 and deprecation of weak crypto algorithms Knowledgebase article on the Red Hat Customer Portal and the update-crypto-policies(8) man page on your system.

Verification

  • Verify you can retrieve user data from your LDAP server by using the id command and specifying an LDAP user: 

    # id ldap_user
uid=17388(ldap_user) gid=45367(sysadmins) groups=45367(sysadmins),25395(engineers),10(wheel),1202200000(admins)

The system administrator can now query users from LDAP using the id command. The command returns a correct user ID and group membership.

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.