Ubuntu 14.04 SSSD and OpenLDAP Authentication

Ubuntu 14.04 SSSD and OpenLDAP Authentication

I know it's been a year since Ubuntu 14.04 was released, but I'm finally getting around to doing my first new network installations with it. There were changes from 12.04 in many of the features that we use on a daily basis, and I've just now had the time to put it all together.

The first major change with 14.04 was great news. Previously in order to have one of my Linux workstations authenticate users against our OpenLDAP directory required that I make changes to multiple PAM configuration files, add LDAP config files and more. It was quite a mess. Under 14.04, you now have the System Security Services Daemon (SSSD) which does it all from a single configuration file.

Several of the tutorials I found online mention using authconfig to configure everything for SSSD, but authconfig is not packaged with Ubuntu Trusty. Here's how to properly go about configuring Ubuntu 14.04 Trusty Tahr with SSSD and OpenLDAP as the authentication backend.

First, install the required packages:

apt-get install sssd libpam-sss libnss-sss libnss-ldap

Configure SSS with your appropriate settings.

SSSD will work with many different backends including OpenLDAP, Microsoft Active Directory, Kerberos and probably more. Here I'm just configuring for OpenLDAP on the backend for both user and group management. Start by editing /etc/sssd/sssd.conf with your favorite editor. Personally I like to use "sudo nano /etc/sssd/sssd.conf". I've placed the parts you must change in bold:

[sssd]
config_file_version = 2
services = nss,pam
domains = MYDOMAIN

[nss]
# Ensure that certain users are not authenticated from network accounts
filter_users = root,lightdm,nslcd,dnsmasq,dbus,avahi,avahi-autoipd,backup,beagleindex,bin,daemon,games,gdm,gnats,haldaemon,hplip,irc,ivman,klog,libuuid,list,lp,mail,man,messagebus,mysql,news,ntp,openldap,polkituser,proxy,pulse,puppet,saned,sshd,sync,sys,syslog,uucp,vde2-net,www-data
filter_groups = root

[pam]

[domain/MYDOMAIN]
autofs_provider = ldap
ldap_schema = rfc2307 # This is for OpenLDAP.  rfc2307bis is for A/D.
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://ldap.example.com:389, ldap://ldap2.example.com:389
ldap_id_use_start_tls = True
cache_credentials = True
ldap_tls_cacertdir = /etc/ssl/certs
ldap_tls_cacert = /etc/ssl/certs/mytlsca.pem # Replace with the correct file name
enumerate = true # Enables listing users and groups with getent

Make certain that the /etc/sssd/sssd.conf file is set to root read/write only:

sudo chmod 0600 /etc/sssd/sssd.conf

Now restart SSSD like so:

sudo service sssd restart

You should be able to run a test by getting a list of all users. LDAP users should show as well:

sudo getent passwd

Configure LDAP

Now, you need to make sure your /etc/ldap.conf file has the appropriate settings, many of which mirror the SSSD settings, so "sudo nano /etc/ldap.conf" and put something similar to the following in it:

base dc=example,dc=com
uri ldap://ldap.example.com ldap://ldap2.example.com
ldap_version 3
port 389
timelimit 120
bind_timelimit 120
idle_timelimit 3600
pam_password md5
# ssl start_tls
tls_checkpeer no
tls_reqcert never
tls_cacertfile /etc/ssl/certs/mycert.pem
tls_cacert /etc/ssl/certs/mycert.pem
tls_certdir /etc/ssl/certs
nss_initgroups_ignoreusers lightdm,nslcd,dnsmasq,dbus,avahi,avahi-autoipd,backup,beagleindex,bin,daemon,games,gdm,gnats,haldaemon,hplip,irc,ivman,klog,libuuid,list,lp,mail,man,messagebus,mysql,news,ntp,openldap,polkituser,proxy,pulse,puppet,root,saned,sshd,sync,sys,syslog,uucp,vde2-net,www-data

The last change (to pam, unfortunately)

One last change has to be done to a PAM file so that user's home directories are automatically created when they login for the first time. Edit your common-session file with "sudo nano /etc/pam.d/common-session" to look like so:

session [default=1]                    pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session optional                        pam_umask.so
session required                        pam_unix.so
session optional                        pam_sss.so
session optional                          pam_mkhomedir.so skel = /etc/skel/ mask=0077
session optional                        pam_systemd.so

The new line goes after the pam_sss.so line and before the pam_systemd.so line. That's it! So much easier than previous versions of Ubuntu, and so poorly documented that it took me three days to figure it all out.

The best thing to do now for an enterprise environment is to roll this into a PXE / Kickstart installation image so that all new machines created on the network are preconfigured for LDAP authentication. I'll cover more on that in a later post on the changes to Kickstart for Trusty.

Posted by Tony on Mar 07, 2015 | Servers, Desktop Linux