4.2. Configuring SSSD to use LDAP and require TLS authentication
Complete this procedure to configure your Red Hat Enterprise Linux (RHEL) system as an OpenLDAP client.
Use the following client configuration:
- The RHEL system authenticates users stored in an OpenLDAP user account database.
- The RHEL system uses the System Security Services Daemon (SSSD) service to retrieve user data.
- The RHEL system communicates with the OpenLDAP server over a TLS-encrypted connection.
You can alternatively use this procedure to configure your RHEL system as a client of a Red Hat Directory Server.
Prerequisites
- The OpenLDAP server is installed and configured with user information.
- You have root permissions on the host you are configuring as the LDAP client.
- On the host you are configuring as the LDAP client, the /etc/sssd/sssd.conf file has been created and configured to specify ldap as the autofs_provider and the id_provider.
- You have a PEM-formatted copy of the root CA signing certificate chain from the Certificate Authority that issued the OpenLDAP server certificate, stored in a local file named core-dirsrv.ca.pem.
Procedure
1. Install the requisite packages:

    # dnf -y install openldap-clients sssd sssd-ldap oddjob-mkhomedir

2. Switch the authentication provider to sssd:

    # authselect select sssd with-mkhomedir

3. Copy the core-dirsrv.ca.pem file containing the root CA signing certificate chain from the Certificate Authority that issued the OpenLDAP server’s SSL/TLS certificate into the /etc/openldap/certs folder:

    # cp core-dirsrv.ca.pem /etc/openldap/certs

4. Add the URL and suffix of your LDAP server to the /etc/openldap/ldap.conf file:

    URI ldap://ldap-server.example.com/
    BASE dc=example,dc=com

5. In the /etc/openldap/ldap.conf file, add a line pointing the TLS_CACERT parameter to /etc/openldap/certs/core-dirsrv.ca.pem:

    # When no CA certificates are specified the Shared System Certificates
    # are in use. In order to have these available along with the ones specified
    # by TLS_CACERTDIR one has to include them explicitly:
    TLS_CACERT /etc/openldap/certs/core-dirsrv.ca.pem

6. In the /etc/sssd/sssd.conf file, add your environment values to the ldap_uri and ldap_search_base parameters and set ldap_id_use_start_tls to True:

    [domain/default]
    id_provider = ldap
    autofs_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    ldap_uri = ldap://ldap-server.example.com/
    ldap_search_base = dc=example,dc=com
    ldap_id_use_start_tls = True
    cache_credentials = True
    ldap_tls_cacertdir = /etc/openldap/certs
    ldap_tls_reqcert = allow

    [sssd]
    services = nss, pam, autofs
    domains = default

    [nss]
    homedir_substring = /home
    …

7. In /etc/sssd/sssd.conf, specify the TLS authentication requirement by modifying the ldap_tls_cacert and ldap_tls_reqcert values in the [domain] section:

    …
    cache_credentials = True
    ldap_tls_cacert = /etc/openldap/certs/core-dirsrv.ca.pem
    ldap_tls_reqcert = hard
    …

8. Change the permissions on the /etc/sssd/sssd.conf file:

    # chmod 600 /etc/sssd/sssd.conf

9. Restart and enable the SSSD service and the oddjobd daemon:

    # systemctl restart sssd oddjobd
    # systemctl enable sssd oddjobd

10. (Optional) If your LDAP server uses the deprecated TLS 1.0 or TLS 1.1 protocols, switch the system-wide cryptographic policy on the client system to the LEGACY level to allow RHEL to communicate using these protocols:

    # update-crypto-policies --set LEGACY

    For more details, see the "Strong crypto defaults in RHEL 8 and deprecation of weak crypto algorithms" Knowledgebase article on the Red Hat Customer Portal and the update-crypto-policies(8) man page.
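As an added check that is not part of the Red Hat procedure, the following Python script parses an sssd.conf and reports any [domain/*] section using the ldap id provider that does not match the TLS end state of the steps above (ldap_id_use_start_tls = True, ldap_tls_reqcert = hard, a CA certificate or directory configured). The two sample configurations embedded in it are constructed to mirror the intermediate and final sssd.conf fragments in the procedure.

```python
# Added audit of the TLS settings this procedure puts in /etc/sssd/sssd.conf.
# Not part of the Red Hat page; the sample configurations below are constructed.
import configparser


def audit_sssd_conf(text: str) -> list[str]:
    """Return findings for each [domain/*] section with id_provider = ldap; [] means hardened."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        if not section.startswith("domain/") or cfg.get(section, "id_provider", fallback="") != "ldap":
            continue
        uri = cfg.get(section, "ldap_uri", fallback="")
        start_tls = cfg.get(section, "ldap_id_use_start_tls", fallback="False").lower()
        # A plain ldap:// URI only gets encrypted when STARTTLS is forced; ldaps:// encrypts from the start.
        if uri.startswith("ldap://") and start_tls != "true":
            findings.append(f"{section}: ldap_uri is ldap:// but ldap_id_use_start_tls is not True")
        # sssd-ldap(5) documents hard as the default; allow/never accept an unverifiable server certificate.
        reqcert = cfg.get(section, "ldap_tls_reqcert", fallback="hard").lower()
        if reqcert != "hard":
            findings.append(f"{section}: ldap_tls_reqcert = {reqcert}; set it to hard")
        if not (cfg.has_option(section, "ldap_tls_cacert") or cfg.has_option(section, "ldap_tls_cacertdir")):
            findings.append(f"{section}: no ldap_tls_cacert or ldap_tls_cacertdir, server certificate cannot be validated")
    return findings


# Constructed sample: the intermediate state of the procedure (ldap_tls_reqcert = allow).
INTERMEDIATE_CONF = """
[domain/default]
id_provider = ldap
ldap_uri = ldap://ldap-server.example.com/
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_reqcert = allow

[sssd]
services = nss, pam
domains = default
"""

# Constructed sample: the hardened end state (pinned CA bundle, reqcert = hard).
HARDENED_CONF = INTERMEDIATE_CONF.replace(
    "ldap_tls_cacertdir = /etc/openldap/certs\nldap_tls_reqcert = allow",
    "ldap_tls_cacert = /etc/openldap/certs/core-dirsrv.ca.pem\nldap_tls_reqcert = hard",
)
```

Run audit_sssd_conf on the contents of /etc/sssd/sssd.conf after step 7; an empty list means every ldap domain enforces server certificate validation.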
Verification steps
Verify you can retrieve user data from your LDAP server by using the id command and specifying an LDAP user:

    # id ldap_user
    uid=17388(ldap_user) gid=45367(sysadmins) groups=45367(sysadmins),25395(engineers),10(wheel),1202200000(admins)

The system administrator can now query users from LDAP using the id command. The command returns a correct user ID and group membership.