4.2. Configuring SSSD to use LDAP and require TLS authentication
Complete this procedure to configure your Red Hat Enterprise Linux (RHEL) system as an OpenLDAP client.
Use the following client configuration:
- The RHEL system authenticates users stored in an OpenLDAP user account database.
- The RHEL system uses the System Security Services Daemon (SSSD) service to retrieve user data.
- The RHEL system communicates with the OpenLDAP server over a TLS-encrypted connection.
You can alternatively use this procedure to configure your RHEL system as a client of a Red Hat Directory Server.
Conditions préalables
- The OpenLDAP server is installed and configured with user information.
- You have root permissions on the host you are configuring as the LDAP client.
-
On the host you are configuring as the LDAP client, the
/etc/sssd/sssd.conffile has been created and configured to specifyldapas theautofs_providerand theid_provider. -
You have a PEM-formatted copy of the root CA signing certificate chain from the Certificate Authority that issued the OpenLDAP server certificate, stored in a local file named
core-dirsrv.ca.pem.
Procédure
Install the requisite packages:
# dnf -y install openldap-clients sssd sssd-ldap oddjob-mkhomedir
Switch the authentication provider to
sssd:# authselect select sssd with-mkhomedir
Copy the
core-dirsrv.ca.pemfile containing the root CA signing certificate chain from the Certificate Authority that issued the OpenLDAP server’s SSL/TLS certificate into the/etc/openldap/certsfolder.# cp core-dirsrv.ca.pem /etc/openldap/certs
Add the URL and suffix of your LDAP server to the
/etc/openldap/ldap.conffile:URI ldap://ldap-server.example.com/ BASE dc=example,dc=com
In the
/etc/openldap/ldap.conffile, add a line pointing the TLS_CACERT parameter to/etc/openldap/certs/core-dirsrv.ca.pem:# When no CA certificates are specified the Shared System Certificates # are in use. In order to have these available along with the ones specified # by TLS_CACERTDIR one has to include them explicitly: TLS_CACERT /etc/openldap/certs/core-dirsrv.ca.pemIn the
/etc/sssd/sssd.conffile, add your environment values to theldap_uriandldap_search_baseparameters and set theldap_id_use_start_tlstoTrue:[domain/default] id_provider = ldap autofs_provider = ldap auth_provider = ldap chpass_provider = ldap ldap_uri = ldap://ldap-server.example.com/ ldap_search_base = dc=example,dc=com ldap_id_use_start_tls = True cache_credentials = True ldap_tls_cacertdir = /etc/openldap/certs ldap_tls_reqcert = allow [sssd] services = nss, pam, autofs domains = default [nss] homedir_substring = /home …
In
/etc/sssd/sssd.conf, specify the TLS authentication requirement by modifying theldap_tls_cacertandldap_tls_reqcertvalues in the[domain]section:… cache_credentials = True ldap_tls_cacert = /etc/openldap/certs/core-dirsrv.ca.pem ldap_tls_reqcert = hard …
Change the permissions on the
/etc/sssd/sssd.conffile:# chmod 600 /etc/sssd/sssd.conf
Restart and enable the SSSD service and the
oddjobddaemon:# systemctl restart sssd oddjobd # systemctl enable sssd oddjobd
(Optional) If your LDAP server uses the deprecated TLS 1.0 or TLS 1.1 protocols, switch the system-wide cryptographic policy on the client system to the LEGACY level to allow RHEL to communicate using these protocols:
# update-crypto-policies --set LEGACY
For more details, see the Strong crypto defaults in RHEL 8 and deprecation of weak crypto algorithms Knowledgebase article on the Red Hat Customer Portal and the
update-crypto-policies(8)man page.
Verification steps
Verify you can retrieve user data from your LDAP server by using the
idcommand and specifying an LDAP user:# id ldap_user uid=17388(ldap_user) gid=45367(sysadmins) groups=45367(sysadmins),25395(engineers),10(wheel),1202200000(admins)
The system administrator can now query users from LDAP using the id command. The command returns a correct user ID and group membership.
