Chapter 11. Migrating authentication from nslcd to SSSD


11.1. Migrating a RHEL client from nslcd to SSSD

As the nss-pam-ldapd package has been removed from RHEL, Red Hat recommends migrating to SSSD and its ldap provider, which replaces the functionality of the nslcd service. The following procedure describes how to configure SSSD to authenticate LDAP users on a client that was previously configured to use nss-pam-ldapd (the nslcd service) for authentication.

Prerequisites

  • Your RHEL client is on RHEL 8 or RHEL 9.
  • You have previously configured the RHEL client to authenticate to an LDAP directory server with the nslcd service.
  • The LDAP directory service uses a schema defined in RFC-2307.

Procedure

  1. Back up the current authentication configuration:

    # authselect apply-changes -b --backup=ldap-configuration-backup
  2. Install SSSD packages:

    # yum install sssd-ldap sssd-ad sssd-client sssd-common sssd-common-pac sssd-krb5 sssd-krb5-common
  3. Stop and disable the nslcd and nscd services:

    # systemctl stop nslcd nscd
    # systemctl disable nslcd nscd
  4. Configure authentication with SSSD:

    # authselect select sssd with-mkhomedir --force
  5. Set the necessary ownership and permissions for the SSSD configuration file. Create the file first if it does not exist yet. The restrictive mode matters: the ldap_default_authtok value you add in the next steps is the bind account password stored in clear text, and SSSD refuses to start if the file is readable by other users.

    # chown root:root /etc/sssd/sssd.conf
    # chmod 600 /etc/sssd/sssd.conf
  6. Open the /etc/sssd/sssd.conf file for editing.
  7. Enter the following configuration, replacing values such as example.com and dc=example,dc=com with values that are appropriate for your environment:

    [sssd]
    config_file_version = 2
    services = nss, pam
    domains = EXAMPLE.COM
    debug_level = 6
    
    [domain/EXAMPLE.COM]
    id_provider = ldap
    auth_provider = ldap
    ldap_uri = ldap://server.example.com/
    ldap_search_base = dc=example,dc=com
    ldap_default_bind_dn = CN=binddn,DC=example,DC=com
    ldap_default_authtok_type = password
    ldap_default_authtok = <bind_account_password>
    cache_credentials = True
    Note

    You might need to specify the LDAP schema in your SSSD configuration:

    If your directory server uses the RFC-2307bis schema, add the following line to the [domain/EXAMPLE.COM] section:

    ldap_schema = rfc2307bis

    If you are using a Microsoft Active Directory server, add the following line to the [domain/EXAMPLE.COM] section to enable LDAP-based authentication:

    ldap_schema = ad

    If you need Kerberos authentication, Red Hat recommends joining the RHEL client to your AD domain with the realm command, which automatically configures the SSSD service.

    The example configuration connects over a plain ldap:// URI. Without TLS, the bind account password and every user password that the ldap auth provider forwards in a simple bind would cross the network in clear text; by default SSSD refuses to perform user authentication over an unencrypted connection, so id and getent would work while logins fail. For production, either use an ldaps:// URI or enable STARTTLS with ldap_id_use_start_tls, and have the server certificate verified against a trusted CA with ldap_tls_reqcert and ldap_tls_cacert. Section 11.2 lists these options and their nslcd.conf counterparts.

  8. Enable and start the SSSD service:

    # systemctl enable sssd
    # systemctl start sssd

Verification

  1. Ensure you can retrieve information about your LDAP users:

    # id ldapuser
    uid=100424(ldapuser) gid=100424(ldapuser) groups=100424(ldapuser)

    # getent passwd ldapuser
    ldapuser:*:100424:100424:User, LDAP:/home/ldapuser:/bin/bash
  2. Ensure you can log in as an LDAP user:

    # ssh -l ldapuser localhost
    ldapuser@localhost's password:
    Last login: Tue Dec 07 19:34:35 2021 from localhost
    -sh-4.2$
Note

If you need to restore your original LDAP configuration with nslcd and nscd, restore the authselect backup taken in step 1 (backup-restore takes the backup name as a positional argument) and swap the services back:

# authselect backup-restore ldap-configuration-backup
# systemctl stop sssd && systemctl disable sssd
# systemctl start nslcd nscd
# systemctl enable nslcd nscd

11.2. sssd.conf option equivalents of nslcd.conf options

To help with migrating from nslcd to SSSD, the following table shows common options from the nslcd.conf configuration file and their equivalent options in the sssd.conf configuration file.

Table 11.1. sssd.conf option equivalents of nslcd.conf options

nslcd.conf option   sssd.conf option              Description
-----------------   ----------------------------  -----------------------------------------------------------------
uid                 No equivalent                 The user ID under which the daemon runs. SSSD always runs as the sssd user.
gid                 No equivalent                 The group ID under which the daemon runs. SSSD always runs as the sssd private group.
uri                 ldap_uri                      The URI of the LDAP server in the format ldap[s]://<host>[:port]. nslcd.conf accepts several uri lines; ldap_uri takes a single comma-separated list.
base                ldap_search_base              The distinguished name of the search base.
binddn              ldap_default_bind_dn          The default bind DN to use for performing LDAP operations.
bindpw              ldap_default_authtok          The authentication token of the default bind DN. Only clear text passwords are currently supported, which is why sssd.conf must be owned by root with mode 0600.
ssl start_tls       ldap_id_use_start_tls = true  Upgrades a plain ldap:// connection with STARTTLS before the bind, so that credentials are never sent unencrypted. nslcd's ssl on (LDAP over TLS) has no separate SSSD option: use an ldaps:// URI in ldap_uri instead.
tls_reqcert         ldap_tls_reqcert              Specifies what checks to perform on a server-supplied certificate. Keep the default (hard, equivalent to demand) in production so that an unverifiable server certificate aborts the connection.
tls_cacertfile      ldap_tls_cacert               The file that contains the certificates of all the Certificate Authorities that SSSD trusts when verifying the server certificate.
tls_cacertdir       ldap_tls_cacertdir            The path of a directory that contains Certificate Authority certificates in separate individual files.
base passwd         ldap_user_search_base         An optional base DN, search scope and LDAP filter to restrict LDAP searches for users.
base group          ldap_group_search_base        An optional base DN, search scope and LDAP filter to restrict LDAP searches for groups.
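The following script applies the mapping in Table 11.1 to an existing nslcd.conf and emits the [sssd] and [domain/...] sections used in Section 11.1, flagging options that have no SSSD equivalent and, as a security check, a plain ldap:// URI with no STARTTLS. It is an added example written for this chapter, not a Red Hat tool; the sample nslcd.conf, the EXAMPLE.COM domain name and the output path are constructed for illustration.

```python
"""Translate nslcd.conf options into sssd.conf using Table 11.1 (added example)."""
import os
import stat

# One-to-one option equivalents from Table 11.1.
DIRECT = {
    "uri": "ldap_uri",
    "base": "ldap_search_base",
    "binddn": "ldap_default_bind_dn",
    "bindpw": "ldap_default_authtok",
    "tls_reqcert": "ldap_tls_reqcert",
    "tls_cacertfile": "ldap_tls_cacert",
    "tls_cacertdir": "ldap_tls_cacertdir",
}
# "base <map> <dn>" restricts one NSS map; SSSD has per-map search bases only for these.
MAP_BASES = {"passwd": "ldap_user_search_base", "group": "ldap_group_search_base"}
NSLCD_MAPS = ("passwd", "group", "shadow", "hosts", "networks", "services",
              "protocols", "rpc", "ethers", "netgroup", "aliases")
# Options with no sssd.conf equivalent: SSSD always runs as the sssd user/group.
DROPPED = ("uid", "gid")


def parse_nslcd(text):
    """Return (option, value) pairs from nslcd.conf text, skipping comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        pairs.append((key.lower(), value.strip()))
    return pairs


def translate(nslcd_text):
    """Return (domain_options, warnings) for the [domain/...] section."""
    opts = {"id_provider": "ldap", "auth_provider": "ldap", "cache_credentials": "True"}
    warnings = []
    for key, value in parse_nslcd(nslcd_text):
        if key in DROPPED:
            warnings.append(f"{key}: no sssd.conf equivalent (SSSD runs as the sssd user); dropped")
        elif key == "uri":
            # nslcd accepts several uri lines; ldap_uri is one comma-separated list.
            opts["ldap_uri"] = ", ".join(filter(None, [opts.get("ldap_uri"), value]))
        elif key == "base":
            nss_map, _, dn = value.partition(" ")
            if dn and nss_map in MAP_BASES:
                opts[MAP_BASES[nss_map]] = dn.strip()
            elif dn and nss_map in NSLCD_MAPS:
                warnings.append(f"base {nss_map}: no per-map search base in Table 11.1; review")
            else:
                opts["ldap_search_base"] = value
        elif key == "ssl":
            if value == "start_tls":
                opts["ldap_id_use_start_tls"] = "true"
            elif value == "on":  # nslcd "ssl on" means LDAP over TLS, i.e. ldaps://
                warnings.append("ssl on: use an ldaps:// URI in ldap_uri instead")
        elif key == "bindpw":
            opts["ldap_default_authtok_type"] = "password"
            opts["ldap_default_authtok"] = value
        elif key in DIRECT:
            opts[DIRECT[key]] = value
        else:
            warnings.append(f"{key}: not covered by Table 11.1; migrate by hand")
    # Bind and user passwords cross the wire in clear unless the URI is ldaps://
    # or STARTTLS is enabled; SSSD also refuses user authentication without TLS.
    uri = opts.get("ldap_uri", "")
    if uri.startswith("ldap://") and opts.get("ldap_id_use_start_tls") != "true":
        warnings.append("ldap_uri is plain ldap:// without ldap_id_use_start_tls: "
                        "credentials would be sent unencrypted")
    return opts, warnings


def render(opts, domain):
    """Render the [sssd] header and the [domain/<domain>] section as sssd.conf text."""
    lines = ["[sssd]", "config_file_version = 2", "services = nss, pam",
             f"domains = {domain}", "", f"[domain/{domain}]"]
    lines += [f"{k} = {v}" for k, v in opts.items()]
    return "\n".join(lines) + "\n"


def write_sssd_conf(text, path):
    """Create the file with mode 0600 from the first byte, so the clear-text
    ldap_default_authtok is never readable by other users even briefly.
    Ownership is that of the caller; run as root for root:root."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, 0o600)  # tighten a pre-existing file with a wider mode
    return stat.S_IMODE(os.stat(path).st_mode)


# Constructed sample nslcd.conf for illustration; not from a real deployment.
SAMPLE_NSLCD_CONF = """\
uid nslcd
gid ldap
uri ldap://server.example.com/
base dc=example,dc=com
base passwd ou=People,dc=example,dc=com
base group ou=Groups,dc=example,dc=com
binddn cn=binddn,dc=example,dc=com
bindpw <bind_account_password>
ssl start_tls
tls_reqcert demand
tls_cacertfile /etc/pki/tls/certs/ca-bundle.crt
"""

if __name__ == "__main__":
    options, notes = translate(SAMPLE_NSLCD_CONF)
    print(render(options, "EXAMPLE.COM"))
    for note in notes:
        print("WARNING:", note)
    # Hypothetical output path; use /etc/sssd/sssd.conf on the client.
    print("mode: %o" % write_sssd_conf(render(options, "EXAMPLE.COM"), "/tmp/sssd.conf.example"))
```

Run it against a copy of the client's nslcd.conf before step 7, review every WARNING, then add ldap_schema if your directory is not plain RFC 2307. The script intentionally keeps the bind password in the output only so that the file can be written with the 0600 mode shown; it never prints the password anywhere else.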

© 2026 Red Hat