Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

7.3. Configuring Identity and Authentication Providers for SSSD

7.3.1. Introduction to Identity and Authentication Providers for SSSD
Copiar o link

SSSD Domains. Identity and Authentication Providers

Identity and authentication providers are configured as domains in the SSSD configuration file. A single domain can be used as:
  • An identity provider (for user information)
  • An authentication provider (for authentication requests)
  • An access control provider (for authorization requests)
  • A combination of these providers (if all the corresponding operations are performed within a single server)
You can configure multiple domains for SSSD. At least one domain must be configured, otherwise SSSD will not start.
The access_provider option in the /etc/sssd/sssd.conf file sets the access control provider used for the domain. By default, the option is set to permit, which always allows all access. See the sssd.conf(5) man page for details.

Proxy Providers

A proxy provider works as an intermediary relay between SSSD and resources that SSSD would otherwise not be able to use. When using a proxy provider, SSSD connects to the proxy service, and the proxy loads the specified libraries.
Using a proxy provider, you can configure SSSD to use:
  • Alternative authentication methods, such as a fingerprint scanner
  • Legacy systems, such as NIS
  • A local system account defined in /etc/passwd and remote authentication

Available Combinations of Identity and Authentication Providers

Expand
Table 7.1. Available Combinations of Identity and Authentication Providers
Identity Provider Authentication Provider
Identity Management [a] Identity Management [a]
Active Directory [a] Active Directory [a]
LDAP LDAP
LDAP Kerberos
proxy proxy
proxy LDAP
proxy Kerberos
[a] An extension of the LDAP provider type.
Note that this guide does not describe all provider types. See the following additional resources for more information:

7.3.2. Configuring an LDAP Domain for SSSD
Copiar o link

Prerequisites

  • Install SSSD. 
    # yum install sssd
    Copy to Clipboard Toggle word wrap

Configure SSSD to Discover the LDAP Domain

  1. Open the /etc/sssd/sssd.conf file.
  2. Create a [domain] section for the LDAP domain: 
    [domain/LDAP_domain_name]
    Copy to Clipboard Toggle word wrap
  3. Specify if you want to use the LDAP server as an identity provider, an authentication provider, or both.
    1. To use the LDAP server as an identity provider, set the id_provider option to ldap.
    2. To use the LDAP server as an authentication provider, set the auth_provider option to ldap.
    For example, to use the LDAP server as both: 
    [domain/LDAP_domain_name]
id_provider = ldap
auth_provider = ldap
    Copy to Clipboard Toggle word wrap
  4. Specify the LDAP server. Choose one of the following:
    1. To explicitly define the server, specify the server's URI with the ldap_uri option: 
      [domain/LDAP_domain_name]
id_provider = ldap
auth_provider = ldap

ldap_uri = ldap://ldap.example.com
      Copy to Clipboard Toggle word wrap
      The ldap_uri option also accepts the IP address of the server. However, using an IP address instead of the server name might cause TLS/SSL connections to fail. See Configuring an SSSD Provider to Use an IP Address in the Certificate Subject Name in Red Hat Knowledgebase.
    2. To configure SSSD to discover the server dynamically using DNS service discovery, see Section 7.4.3, “Configuring DNS Service Discovery”.
    Optionally, specify backup servers in the ldap_backup_uri option as well.
  5. Specify the LDAP server's search base in the ldap_search_base option: 
    [domain/LDAP_domain_name]
id_provider = ldap
auth_provider = ldap

ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
    Copy to Clipboard Toggle word wrap
  6. Specify a way to establish a secure connection to the LDAP server. The recommended method is to use a TLS connection. To do this, enable the ldap_id_use_start_tls option, and use these CA certificate-related options:
    • ldap_tls_reqcert specifies if the client requests a server certificate and what checks are performed on the certificate
    • ldap_tls_cacert specifies the file containing the certificate 
    [domain/LDAP_domain_name]
id_provider = ldap
auth_provider = ldap

ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com

ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
    Copy to Clipboard Toggle word wrap

    Note

    SSSD always uses an encrypted channel for authentication, which ensures that passwords are never sent over the network unencrypted. With ldap_id_use_start_tls = true, identity lookups (such as commands based on the id or getent utilities) are also encrypted.
  7. Add the new domain to the domains option in the [sssd] section. The option lists the domains that SSSD queries. For example: 
    domains = LDAP_domain_name, domain2
    Copy to Clipboard Toggle word wrap

Additional Resources

The above procedure shows the basic options for an LDAP provider. For more details, see:
  • the sssd.conf(5) man page, which describes global options available for all types of domains
  • the sssd-ldap(5) man page, which describes options specific to LDAP

7.3.3. Configuring the Files Provider for SSSD
Copiar o link

The files provider mirrors the content of the /etc/passwd and /etc/groups files to make users and groups from these files available through SSSD. This enables you to set the sss database as the first source for users and groups in the /etc/nsswitch.conf file: 
passwd:     sss files
group:      sss files
Copy to Clipboard Toggle word wrap
With this setting, and if the files provider is configured in /etc/sssd/sssd.conf, Red Hat Enterprise Linux sends all queries for users and groups first to SSSD. If SSSD is not running or SSSD cannot find the requested entry, the system falls back to look up users and groups in the local files. If you store most users and groups in a central database, such as an LDAP directory, this setting increases speed of users and groups lookups.

Prerequisites

  • Install SSSD. 
    # yum install sssd
    Copy to Clipboard Toggle word wrap

Configure SSSD to Discover the Files Domain

  1. Add the following section to the /etc/sssd/sssd.conf file: 
    [domain/files]
id_provider = files
    Copy to Clipboard Toggle word wrap
  2. Optionally, set the sss database as the first source for user and group lookups in the /etc/sssd/sssd.conf file: 
    passwd:     sss files
group:      sss files
    Copy to Clipboard Toggle word wrap
  3. Configure the system in the way that the sssd service starts when the system boots: 
    # systemctl enable sssd
    Copy to Clipboard Toggle word wrap
  4. Restart the sssd service: 
    # systemctl restart sssd
    Copy to Clipboard Toggle word wrap

Additional Resources

The above procedure shows the basic options for the files provider. For more details, see:
  • the sssd.conf(5) man page, which describes global options available for all types of domains
  • the sssd-files(5) man page, which describes options specific to the files provider

7.3.4. Configuring a Proxy Provider for SSSD
Copiar o link

Prerequisites

  • Install SSSD. 
    # yum install sssd
    Copy to Clipboard Toggle word wrap

Configure SSSD to Discover the Proxy Domain

  1. Open the /etc/sssd/sssd.conf file.
  2. Create a [domain] section for the proxy provider: 
    [domain/proxy_name]
    Copy to Clipboard Toggle word wrap
  3. To specify an authentication provider:
    1. Set the auth_provider option to proxy.
    2. Use the proxy_pam_target option to specify a PAM service as the authentication proxy.
    For example: 
    [domain/proxy_name]
auth_provider = proxy
proxy_pam_target = sssdpamproxy
    Copy to Clipboard Toggle word wrap

    Important

    Ensure that the proxy PAM stack does not recursively include pam_sss.so.
  4. To specify an identity provider:
    1. Set the id_provider option to proxy.
    2. Use the proxy_lib_name option to specify an NSS library as the identity proxy.
    For example: 
    [domain/proxy_name]
id_provider = proxy
proxy_lib_name = nis
    Copy to Clipboard Toggle word wrap
  5. Add the new domain to the domains option in the [sssd] section. The option lists the domains that SSSD queries. For example: 
    domains = proxy_name, domain2
    Copy to Clipboard Toggle word wrap

Additional Resources

The above procedure shows the basic options for a proxy provider. For more details, see the sssd.conf(5) man page, which describes global options available for all types of domains and other proxy-related options.

7.3.5. Configuring a Kerberos Authentication Provider
Copiar o link

Prerequisites

  • Install SSSD. 
    # yum install sssd
    Copy to Clipboard Toggle word wrap

Configure SSSD to Discover the Kerberos Domain

  1. Open the /etc/sssd/sssd.conf file.
  2. Create a [domain] section for the SSSD domain. 
    [domain/Kerberos_domain_name]
    Copy to Clipboard Toggle word wrap
  3. Specify an identity provider. For example, for details on configuring an LDAP identity provider, see Section 7.3.2, “Configuring an LDAP Domain for SSSD”.
    If the Kerberos principal names are not available in the specified identity provider, SSSD constructs the principals using the format username@REALM.
  4. Specify the Kerberos authentication provider details:
    1. Set the auth_provider option to krb5. 
      [domain/Kerberos_domain_name]
id_provider = ldap
auth_provider = krb5
      Copy to Clipboard Toggle word wrap
    2. Specify the Kerberos server:
      1. To explicitly define the server, use the krb5_server option. The options accepts the host name or IP address of the server: 
        [domain/Kerberos_domain_name]
id_provider = ldap
auth_provider = krb5

krb5_server = kdc.example.com
        Copy to Clipboard Toggle word wrap
      2. To configure SSSD to discover the server dynamically using DNS service discovery, see Section 7.4.3, “Configuring DNS Service Discovery”.
      Optionally, specify backup servers in the krb5_backup_server option as well.
    3. If the Change Password service is not running on the KDC specified in krb5_server or krb5_backup_server, use the krb5_passwd option to specify the server where the service is running. 
      [domain/Kerberos_domain_name]
id_provider = ldap
auth_provider = krb5

krb5_server = kdc.example.com
krb5_backup_server = kerberos.example.com
krb5_passwd = kerberos.admin.example.com
      Copy to Clipboard Toggle word wrap
      If krb5_passwd is not used, SSSD uses the KDC specified in krb5_server or krb5_backup_server.
    4. Use the krb5_realm option to specify the name of the Kerberos realm. 
      [domain/Kerberos_domain_name]
id_provider = ldap
auth_provider = krb5

krb5_server = kerberos.example.com
krb5_backup_server = kerberos2.example.com
krb5_passwd = kerberos.admin.example.com
krb5_realm = EXAMPLE.COM
      Copy to Clipboard Toggle word wrap
  5. Add the new domain to the domains option in the [sssd] section. The option lists the domains that SSSD queries. For example: 
    domains = Kerberos_domain_name, domain2
    Copy to Clipboard Toggle word wrap

Additional Resources

The above procedure shows the basic options for a Kerberos provider. For more details, see:
  • the sssd.conf(5) man page, which describes global options available for all types of domains
  • the sssd-krb5(5) man page, which describes options specific to Kerberos
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat