
Chapter 11. Migrating authentication from nslcd to SSSD


11.1. Migrating a RHEL client from nslcd to SSSD

As the nss-pam-ldapd package has been removed from RHEL, Red Hat recommends migrating to SSSD and its ldap provider, which replaces the functionality of the nslcd service. The following procedure describes how to configure SSSD to authenticate LDAP users on a client that was previously configured to use an nss-pam-ldap authentication configuration.

Prerequisites

  • Your RHEL client is on RHEL 8 or RHEL 9.
  • You have previously configured the RHEL client to authenticate to an LDAP directory server with the nslcd service.
  • The LDAP directory service uses a schema defined in RFC-2307.

Procedure

  1. Back up the current authentication configuration:

    # authselect apply-changes -b --backup=ldap-configuration-backup
  2. Install SSSD packages:

    # yum install sssd-ldap sssd-ad sssd-client \
        sssd-common sssd-common-pac \
        sssd-krb5 sssd-krb5-common
  3. Stop and disable the nslcd and nscd services:

    # systemctl stop nslcd nscd
    # systemctl disable nslcd nscd
  4. Configure authentication with SSSD:

    # authselect select sssd with-mkhomedir --force
  5. Set the necessary ownership and permissions for the SSSD configuration file:

    # chown root:root /etc/sssd/sssd.conf
    # chmod 600 /etc/sssd/sssd.conf
  6. Open the /etc/sssd/sssd.conf file for editing.
  7. Enter the following configuration, replacing values such as example.com and dc=example,dc=com with values that are appropriate for your environment:

    [sssd]
    config_file_version = 2
    services = nss, pam
    domains = EXAMPLE.COM
    debug_level = 6
    
    [domain/EXAMPLE.COM]
    id_provider = ldap
    auth_provider = ldap
    ldap_uri = ldap://server.example.com/
    ldap_search_base = dc=example,dc=com
    ldap_default_bind_dn = CN=binddn,DC=example,DC=com
    ldap_default_authtok_type = password
    ldap_default_authtok = <bind_account_password>
    cache_credentials = True
    Note

    You might need to specify the LDAP schema in your SSSD configuration:

    If you are using the RFC-2307bis schema in your directory server, add the following line to the [domain/EXAMPLE.COM] section:

    ldap_schema = rfc2307bis

    If you are using a Microsoft Active Directory server, add the following line to the [domain/EXAMPLE.COM] section to enable LDAP-based authentication:

    ldap_schema = ad

    If you need Kerberos authentication, Red Hat recommends joining the RHEL client to your AD domain with the realm command, which automatically configures the SSSD service.

  8. Enable and start the SSSD service:

    # systemctl enable sssd
    # systemctl start sssd

Verification

  1. Ensure you can retrieve information about your LDAP users:

    # id ldapuser
    uid=100424(ldapuser) gid=100424(ldapuser) groups=100424(ldapuser)
    
    # getent passwd ldapuser
    ldapuser:*:100424:100424:User, LDAP:/home/ldapuser:/bin/bash
  2. Ensure you can log in as an LDAP user:

    # ssh -l ldapuser localhost
    ldapuser@localhost's password:
    Last login: Tue Dec 07 19:34:35 2021 from localhost
    -sh-4.2$
Note

If you need to restore your original LDAP configuration with nslcd and nscd, use the following commands:

# authselect backup-restore=ldap-configuration-backup
# systemctl stop sssd && systemctl disable sssd
# systemctl start nslcd nscd
# systemctl enable nslcd nscd

11.2. sssd.conf option equivalents of nslcd.conf options

To help with migrating from nslcd to SSSD, the following table shows common options from the nslcd.conf configuration file and their equivalent options in the sssd.conf configuration file.

Table 11.1. sssd.conf option equivalents of nslcd.conf options

nslcd.conf option | sssd.conf option | Description
uid | No equivalent | The user id with which the daemon should be run. By default, SSSD runs as the sssd user.
gid | No equivalent | The group id with which the daemon should be run. By default, SSSD runs as the sssd private group.
uri | ldap_uri | The URI of the LDAP server in the following format: ldap[s]://<host>[:port]
base | ldap_search_base | The distinguished name of the search base.
binddn | ldap_default_bind_dn | The default bind DN to use for performing LDAP operations.
bindpw | ldap_default_authtok | The authentication token of the default bind DN. Only clear text passwords are currently supported.
ssl start_tls | ldap_id_use_start_tls = true | Uses STARTTLS to encrypt the connection to the LDAP server.
tls_reqcert | ldap_tls_reqcert | Specifies what checks to perform on a server-supplied certificate.
tls_cacertfile | ldap_tls_cacert | The file that contains certificates for all of the Certificate Authorities.
tls_cacertdir | ldap_tls_cacertdir | The path of a directory that contains Certificate Authority certificates in separate individual files.
base passwd | ldap_user_search_base | An optional base DN, search scope and LDAP filter to restrict LDAP searches for users.
base group | ldap_group_search_base | An optional base DN, search scope and LDAP filter to restrict LDAP searches for groups.
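The following script, added here as an example and not part of Red Hat's tooling, applies the mapping in Table 11.1 to an nslcd.conf and emits the sssd.conf layout used in step 7 of the procedure; the sample nslcd.conf, its hostnames, DNs and bind password are constructed, and options with no SSSD equivalent (uid, gid) are reported for manual review.

```python
# Added example (not Red Hat's tooling): translate an nslcd.conf into the
# sssd.conf layout of step 7 using the option mapping in Table 11.1.
SAMPLE_NSLCD_CONF = """\
uid nslcd
uri ldap://server.example.com/
base dc=example,dc=com
binddn cn=binddn,dc=example,dc=com
bindpw secret
ssl start_tls
base passwd ou=People,dc=example,dc=com
base group ou=Groups,dc=example,dc=com
"""  # constructed sample: hostnames, DNs and password are placeholders
# nslcd.conf option -> sssd.conf option (Table 11.1); None = no equivalent.
OPTION_MAP = {
    "uid": None, "gid": None, "uri": "ldap_uri", "base": "ldap_search_base",
    "binddn": "ldap_default_bind_dn", "bindpw": "ldap_default_authtok",
    "tls_reqcert": "ldap_tls_reqcert", "tls_cacertfile": "ldap_tls_cacert",
    "tls_cacertdir": "ldap_tls_cacertdir",
}
# "base passwd <dn>" / "base group <dn>" restrict user and group searches.
MAP_BASES = {"passwd": "ldap_user_search_base", "group": "ldap_group_search_base"}

def parse_nslcd(text):
    """Yield (option, value) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")

def nslcd_to_sssd(text, domain="EXAMPLE.COM"):
    """Return (sssd.conf sections, nslcd options that have no sssd equivalent)."""
    dom, skipped = {"id_provider": "ldap", "auth_provider": "ldap"}, []
    for option, value in parse_nslcd(text):
        words = value.split(None, 1)
        if option == "base" and words and words[0] in MAP_BASES:
            dom[MAP_BASES[words[0]]] = words[1] if len(words) > 1 else ""
        elif option == "ssl" and value.lower() == "start_tls":
            dom["ldap_id_use_start_tls"] = "true"  # encrypt the LDAP channel
        elif OPTION_MAP.get(option):
            dom[OPTION_MAP[option]] = value
            if option == "bindpw":  # step 7 also sets the token type
                dom["ldap_default_authtok_type"] = "password"
        else:  # uid, gid, "ssl on", unknown options: review by hand
            skipped.append(f"{option} {value}".strip())
    sssd = {"config_file_version": "2", "services": "nss, pam", "domains": domain}
    return {"sssd": sssd, f"domain/{domain}": dom}, skipped

def render_sssd_conf(sections):
    """Serialise the sections as sssd.conf text (install as root, mode 0600)."""
    return "\n".join(f"[{name}]\n" + "\n".join(f"{k} = {v}" for k, v in opts.items()) + "\n"
                     for name, opts in sections.items())
```

Because the bind password is carried over in clear text, the rendered file needs the root:root ownership and 0600 mode from step 5 before SSSD is started.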

© 2025 Red Hat