Ubuntu 14.04 SSSD and OpenLDAP Authentication
I know it's been a year since Ubuntu 14.04 was released, but I'm finally getting around to doing my first new network installations with it. There were changes from 12.04 in many of the features that we use on a daily basis, and I've just now had the time to put it all together.
The first major change with 14.04 was great news. Previously in order to have one of my Linux workstations authenticate users against our OpenLDAP directory required that I make changes to multiple PAM configuration files, add LDAP config files and more. It was quite a mess. Under 14.04, you now have the System Security Services Daemon (SSSD) which does it all from a single configuration file.
Several of the tutorials I found online mention using authconfig to configure everything for SSSD, but authconfig is not packaged with Ubuntu Trusty. Here's how to properly go about configuring Ubuntu 14.04 Trusty Tahr with SSSD and OpenLDAP as the authentication backend.
First, install the required packages:
apt-get install sssd libpam-sss libnss-sss libnss-ldap
Configure SSS with your appropriate settings.
SSSD will work with many different backends including OpenLDAP, Microsoft Active Directory, Kerberos and probably more. Here I'm just configuring for OpenLDAP on the backend for both user and group management. Start by editing /etc/sssd/sssd.conf with your favorite editor. Personally I like to use "sudo nano /etc/sssd/sssd.conf". I've placed the parts you must change in bold:
[sssd] config_file_version = 2 services = nss,pam domains = MYDOMAIN [nss] # Ensure that certain users are not authenticated from network accounts filter_users = root,lightdm,nslcd,dnsmasq,dbus,avahi,avahi-autoipd,backup,beagleindex,bin,daemon,games,gdm,gnats,haldaemon,hplip,irc,ivman,klog,libuuid,list,lp,mail,man,messagebus,mysql,news,ntp,openldap,polkituser,proxy,pulse,puppet,saned,sshd,sync,sys,syslog,uucp,vde2-net,www-data filter_groups = root [pam] [domain/MYDOMAIN] autofs_provider = ldap ldap_schema = rfc2307 # This is for OpenLDAP. rfc2307bis is for A/D. ldap_search_base = dc=example,dc=com id_provider = ldap auth_provider = ldap chpass_provider = ldap ldap_uri = ldap://ldap.example.com:389, ldap://ldap2.example.com:389 ldap_id_use_start_tls = True cache_credentials = True ldap_tls_cacertdir = /etc/ssl/certs ldap_tls_cacert = /etc/ssl/certs/mytlsca.pem # Replace with the correct file name enumerate = true # Enables listing users and groups with getent
Make certain that the /etc/sssd/sssd.conf file is set to root read/write only:
sudo chmod 0600 /etc/sssd/sssd.conf
Now restart SSSD like so:
sudo service sssd restart
You should be able to run a test by getting a list of all users. LDAP users should show as well:
sudo getent passwd
Now, you need to make sure your /etc/ldap.conf file has the appropriate settings, many of which mirror the SSSD settings, so "sudo nano /etc/ldap.conf" and put something similar to the following in it:
base dc=example,dc=com uri ldap://ldap.example.com ldap://ldap2.example.com ldap_version 3 port 389 timelimit 120 bind_timelimit 120 idle_timelimit 3600 pam_password md5 # ssl start_tls tls_checkpeer no tls_reqcert never tls_cacertfile /etc/ssl/certs/mycert.pem tls_cacert /etc/ssl/certs/mycert.pem tls_certdir /etc/ssl/certs nss_initgroups_ignoreusers lightdm,nslcd,dnsmasq,dbus,avahi,avahi-autoipd,backup,beagleindex,bin,daemon,games,gdm,gnats,haldaemon,hplip,irc,ivman,klog,libuuid,list,lp,mail,man,messagebus,mysql,news,ntp,openldap,polkituser,proxy,pulse,puppet,root,saned,sshd,sync,sys,syslog,uucp,vde2-net,www-data
The last change (to pam, unfortunately)
One last change has to be done to a PAM file so that user's home directories are automatically created when they login for the first time. Edit your common-session file with "sudo nano /etc/pam.d/common-session" to look like so:
session [default=1] pam_permit.so session requisite pam_deny.so session required pam_permit.so session optional pam_umask.so session required pam_unix.so session optional pam_sss.so session optional pam_mkhomedir.so skel = /etc/skel/ mask=0077 session optional pam_systemd.so
The new line goes after the pam_sss.so line and before the pam_systemd.so line. That's it! So much easier than previous versions of Ubuntu, and so poorly documented that it took me three days to figure it all out.
The best thing to do now for an enterprise environment is to roll this into a PXE / Kickstart installation image so that all new machines created on the network are preconfigured for LDAP authentication. I'll cover more on that in a later post on the changes to Kickstart for Trusty.