Chapter 4. Configuring SSSD to use LDAP and require TLS authentication
Configure the System Security Services Daemon (SSSD) to authenticate users against standalone LDAP servers. Enforcing TLS encryption protects identity data from being read or altered in transit while SSSD retrieves it.
The SSSD configuration option that enforces TLS for identity lookups, ldap_id_use_start_tls, defaults to false. Using ldap:// without TLS for identity lookups exposes you to a man-in-the-middle (MITM) attack: an attacker who can alter, for example, the UID or GID of an object returned in an LDAP search can impersonate a user.
Ensure that your setup operates in a trusted environment and decide whether it is safe to use unencrypted communication for id_provider = ldap. Note that id_provider = ad and id_provider = ipa are not affected, because they use encrypted connections protected by SASL and GSSAPI.
If it is not safe to use unencrypted communication, you should enforce TLS by setting the ldap_id_use_start_tls option to true in the /etc/sssd/sssd.conf file.
4.1. An OpenLDAP client using SSSD to retrieve data from LDAP in an encrypted way
SSSD operates as a client to retrieve identity data from OpenLDAP servers. This configuration utilizes encrypted connections and supports authentication through either Kerberos tickets or standard LDAP passwords.
Configuring SSSD with LDAP is a complex procedure requiring a high level of expertise in SSSD and LDAP. Consider using an integrated and automated solution such as Active Directory or Identity Management (IdM) instead. For details about IdM, see Planning Identity Management.
4.2. Configuring SSSD to use LDAP and require TLS authentication
Establish a secure connection between Red Hat Enterprise Linux (RHEL) and an OpenLDAP server by configuring SSSD to enforce TLS. This process ensures that all identity data retrieval and authentication requests occur over an encrypted channel.
Use the following client configuration:
- The RHEL system authenticates users stored in an OpenLDAP user account database.
- The RHEL system uses the System Security Services Daemon (SSSD) service to retrieve user data.
- The RHEL system communicates with the OpenLDAP server over a TLS-encrypted connection.
You can alternatively use this procedure to configure your RHEL system as a client of a Red Hat Directory Server.
Prerequisites
- The OpenLDAP server is installed and configured with user information.
- You have root permissions on the host you are configuring as the LDAP client.
- On the host you are configuring as the LDAP client, the /etc/sssd/sssd.conf file has been created and configured to specify ldap as the autofs_provider and the id_provider.
- You have a PEM-formatted copy of the root CA signing certificate chain from the Certificate Authority that issued the OpenLDAP server certificate, stored in a local file named core-dirsrv.ca.pem.
Procedure
- Install the requisite packages:
      # dnf -y install openldap-clients sssd sssd-ldap oddjob-mkhomedir
- Switch the authentication provider to sssd:
      # authselect select sssd with-mkhomedir
- Copy the core-dirsrv.ca.pem file containing the root CA signing certificate chain from the Certificate Authority that issued the OpenLDAP server's SSL/TLS certificate into the /etc/openldap/certs directory:
      # cp core-dirsrv.ca.pem /etc/openldap/certs
- Add the URL and suffix of your LDAP server to the /etc/openldap/ldap.conf file:
      URI ldap://ldap-server.example.com/
      BASE dc=example,dc=com
- In the /etc/openldap/ldap.conf file, add a line pointing the TLS_CACERT parameter to /etc/openldap/certs/core-dirsrv.ca.pem:
      # When no CA certificates are specified the Shared System Certificates
      # are in use. In order to have these available along with the ones specified
      # by TLS_CACERTDIR one has to include them explicitly:
      TLS_CACERT /etc/openldap/certs/core-dirsrv.ca.pem
- In the /etc/sssd/sssd.conf file, add your environment values to the ldap_uri and ldap_search_base parameters and set ldap_id_use_start_tls to True:
      [domain/default]
      id_provider = ldap
      autofs_provider = ldap
      auth_provider = ldap
      chpass_provider = ldap
      ldap_uri = ldap://ldap-server.example.com/
      ldap_search_base = dc=example,dc=com
      ldap_id_use_start_tls = True
      cache_credentials = True
      ldap_tls_cacertdir = /etc/openldap/certs
      ldap_tls_reqcert = allow

      [sssd]
      services = nss, pam, autofs
      domains = default

      [nss]
      homedir_substring = /home
      …
- In /etc/sssd/sssd.conf, specify the TLS authentication requirement by modifying the ldap_tls_cacert and ldap_tls_reqcert values in the [domain] section:
      …
      cache_credentials = True
      ldap_tls_cacert = /etc/openldap/certs/core-dirsrv.ca.pem
      ldap_tls_reqcert = hard
      …
  The value hard makes SSSD refuse the connection unless the server presents a certificate that validates against the CA in ldap_tls_cacert. The earlier value, allow, accepts a bad or missing server certificate and must not be left in place, because a man-in-the-middle could then present any certificate.
- Change the permissions on the /etc/sssd/sssd.conf file:
      # chmod 600 /etc/sssd/sssd.conf
- Restart and enable the SSSD service and the oddjobd daemon:
      # systemctl restart sssd oddjobd
      # systemctl enable sssd oddjobd
- Optional: If your LDAP server uses the deprecated TLS 1.0 or TLS 1.1 protocols, switch the system-wide cryptographic policy on the client system to the LEGACY level to allow RHEL to communicate using these protocols:
      # update-crypto-policies --set LEGACY
  Note that the LEGACY policy lowers the TLS baseline for every application on the client, not only SSSD; prefer updating the LDAP server to TLS 1.2 or later.
  For more details, see the Strong crypto defaults in RHEL 8 and deprecation of weak crypto algorithms Knowledgebase article on the Red Hat Customer Portal and the update-crypto-policies(8) man page on your system.
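The following POSIX shell script is an added example, not part of the Red Hat documentation or of SSSD. It audits an sssd.conf for the settings the risk discussion and the procedure above require: every ldap_uri entry must be ldaps:// or ldap:// with ldap_id_use_start_tls = true, ldap_tls_reqcert must be hard (or demand), a CA certificate or directory must be configured, and the file must be mode 600. It embeds two constructed sample files: the interim configuration from the procedure (ldap_tls_reqcert still allow) and the final hardened one. The ldap-server.example.com host name and dc=example,dc=com suffix are this chapter's placeholders.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): audit an sssd.conf for
# the LDAP-over-TLS settings this chapter requires. The example.com values are
# the chapter's placeholders; the sample files below are constructed.

# get_opt FILE SECTION KEY: print the value of KEY inside [SECTION], lowercased.
get_opt() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ {                       # section header, e.g. [domain/default]
            s = $0
            s = substr(s, index(s, "[") + 1)
            s = substr(s, 1, index(s, "]") - 1)
            insec = (s == sec)
            next
        }
        insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            v = $0
            sub(/^[^=]*=[[:space:]]*/, "", v)     # drop "key ="
            sub(/[[:space:]]+$/, "", v)           # drop trailing blanks
            print tolower(v)
            exit
        }' "$1"
}

# audit_sssd_conf FILE DOMAIN: print one finding per line; return 1 on any FAIL.
audit_sssd_conf() {
    f=$1; sec="domain/$2"; rc=0
    uri=$(get_opt "$f" "$sec" ldap_uri)
    starttls=$(get_opt "$f" "$sec" ldap_id_use_start_tls)
    reqcert=$(get_opt "$f" "$sec" ldap_tls_reqcert)
    cacert=$(get_opt "$f" "$sec" ldap_tls_cacert)
    cacertdir=$(get_opt "$f" "$sec" ldap_tls_cacertdir)

    # ldap_uri may be a comma-separated list; every entry must be protected.
    [ -n "$uri" ] || { echo "FAIL: ldap_uri is not set in [$sec]"; rc=1; }
    for u in $(printf '%s' "$uri" | tr ',' ' '); do
        case "$u" in
            ldaps://*) ;;                          # TLS from the first byte
            ldap://*)                              # cleartext unless StartTLS is enforced
                [ "$starttls" = "true" ] || {
                    echo "FAIL: $u without ldap_id_use_start_tls = true: identity lookups go in cleartext"
                    rc=1; } ;;
            *) echo "FAIL: unrecognised ldap_uri entry '$u'"; rc=1 ;;
        esac
    done

    # Encryption alone is not enough: the server certificate must be validated,
    # or a man-in-the-middle can terminate the TLS session with any certificate.
    case "$reqcert" in
        hard|demand) ;;
        "") echo "WARN: ldap_tls_reqcert unset (SSSD defaults to hard); set it explicitly" ;;
        *) echo "FAIL: ldap_tls_reqcert = $reqcert accepts a bad or missing server certificate"; rc=1 ;;
    esac
    [ -n "$cacert$cacertdir" ] || {
        echo "FAIL: neither ldap_tls_cacert nor ldap_tls_cacertdir is set; the server certificate cannot be validated"
        rc=1; }

    # sssd.conf may hold bind credentials; the chapter requires mode 600.
    perm=$(stat -c %a "$f" 2>/dev/null)
    if [ -n "$perm" ] && [ "$perm" != "600" ]; then
        echo "FAIL: $f has mode $perm, expected 600"; rc=1
    fi
    return $rc
}

# Constructed sample: the interim configuration from the procedure (reqcert = allow).
sample_interim_conf() {
    t=$(mktemp); chmod 600 "$t"
    cat > "$t" <<'EOF'
[sssd]
services = nss, pam, autofs
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap-server.example.com/
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_reqcert = allow
EOF
    echo "$t"
}

# Constructed sample: the final configuration (CA pinned, reqcert = hard).
sample_hardened_conf() {
    t=$(mktemp); chmod 600 "$t"
    cat > "$t" <<'EOF'
[sssd]
services = nss, pam, autofs
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap-server.example.com/
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
cache_credentials = True
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_cacert = /etc/openldap/certs/core-dirsrv.ca.pem
ldap_tls_reqcert = hard
EOF
    echo "$t"
}

# Stand-alone run: audit the file given as $1 (domain $2, default "default"),
# or, with no arguments, the two constructed samples.
if [ -n "$1" ]; then
    audit_sssd_conf "$1" "${2:-default}"
else
    for s in sample_interim_conf sample_hardened_conf; do
        cfg=$($s); echo "== $s"
        audit_sssd_conf "$cfg" default && echo "PASS"
        rm -f "$cfg"
    done
fi
```

Run it as root against the live file with the domain name from the [sssd] section, for example `sh audit-sssd-tls.sh /etc/sssd/sssd.conf default`. The script checks only what the file says; to confirm that the channel actually negotiates TLS and that the CA configured in /etc/openldap/ldap.conf validates the server, run `ldapsearch -ZZ -x -H ldap://ldap-server.example.com/ -b dc=example,dc=com -s base` on the client: the doubled -ZZ makes ldapsearch fail instead of falling back to cleartext when StartTLS cannot be established, which is the same behaviour ldap_tls_reqcert = hard gives SSSD.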
Verification
Verify you can retrieve user data from your LDAP server by using the id command and specifying an LDAP user:
      # id <ldap_user>
      uid=17388(<ldap_user>) gid=45367(sysadmins) groups=45367(sysadmins),25395(engineers),10(wheel),1202200000(admins)
The system administrator can now query users from LDAP using the id command. The command returns a correct user ID and group membership.