7.3. Configuring Identity and Authentication Providers for SSSD

7.3.1. Introduction to Identity and Authentication Providers for SSSD

SSSD Domains. Identity and Authentication Providers

Identity and authentication providers are configured as domains in the SSSD configuration file. A single domain can be used as:
  • An identity provider (for user information)
  • An authentication provider (for authentication requests)
  • An access control provider (for authorization requests)
  • A combination of these providers (if all the corresponding operations are performed within a single server)
You can configure multiple domains for SSSD. At least one domain must be configured, otherwise SSSD will not start.
The access_provider option in the /etc/sssd/sssd.conf file sets the access control provider used for the domain. By default, the option is set to permit, which always allows all access. See the sssd.conf(5) man page for details.

Proxy Providers

A proxy provider works as an intermediary relay between SSSD and resources that SSSD would otherwise not be able to use. When using a proxy provider, SSSD connects to the proxy service, and the proxy loads the specified libraries.
Using a proxy provider, you can configure SSSD to use:
  • Alternative authentication methods, such as a fingerprint scanner
  • Legacy systems, such as NIS
  • A local system account defined in /etc/passwd and remote authentication

Available Combinations of Identity and Authentication Providers

Table 7.1. Available Combinations of Identity and Authentication Providers

Identity Provider          Authentication Provider
Identity Management [a]    Identity Management [a]
Active Directory [a]       Active Directory [a]
LDAP                       LDAP
LDAP                       Kerberos
proxy                      proxy
proxy                      LDAP
proxy                      Kerberos

[a] An extension of the LDAP provider type.
Note that this guide does not describe all provider types. See the following additional resources for more information:

7.3.2. Configuring an LDAP Domain for SSSD

Prerequisites

  • Install SSSD.
    # yum install sssd

Configure SSSD to Discover the LDAP Domain

  1. Open the /etc/sssd/sssd.conf file.
  2. Create a [domain] section for the LDAP domain:
    [domain/LDAP_domain_name]
  3. Specify if you want to use the LDAP server as an identity provider, an authentication provider, or both.
    1. To use the LDAP server as an identity provider, set the id_provider option to ldap.
    2. To use the LDAP server as an authentication provider, set the auth_provider option to ldap.
    For example, to use the LDAP server as both:
    [domain/LDAP_domain_name]
    id_provider = ldap
    auth_provider = ldap
  4. Specify the LDAP server. Choose one of the following:
    1. To explicitly define the server, specify the server's URI with the ldap_uri option:
      [domain/LDAP_domain_name]
      id_provider = ldap
      auth_provider = ldap
      
      ldap_uri = ldap://ldap.example.com
      The ldap_uri option also accepts the IP address of the server. However, using an IP address instead of the server name might cause TLS/SSL connections to fail. See Configuring an SSSD Provider to Use an IP Address in the Certificate Subject Name in Red Hat Knowledgebase.
    2. To configure SSSD to discover the server dynamically using DNS service discovery, see Section 7.4.3, “Configuring DNS Service Discovery”.
    Optionally, specify backup servers in the ldap_backup_uri option as well.
  5. Specify the LDAP server's search base in the ldap_search_base option:
    [domain/LDAP_domain_name]
    id_provider = ldap
    auth_provider = ldap
    
    ldap_uri = ldap://ldap.example.com
    ldap_search_base = dc=example,dc=com
  6. Specify a way to establish a secure connection to the LDAP server. The recommended method is to use a TLS connection. To do this, enable the ldap_id_use_start_tls option, and use these CA certificate-related options:
    • ldap_tls_reqcert specifies if the client requests a server certificate and what checks are performed on the certificate
    • ldap_tls_cacert specifies the file containing the certificate
    [domain/LDAP_domain_name]
    id_provider = ldap
    auth_provider = ldap
    
    ldap_uri = ldaps://ldap.example.com
    ldap_search_base = dc=example,dc=com
    
    ldap_id_use_start_tls = true
    ldap_tls_reqcert = demand
    ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

    Note

    SSSD always uses an encrypted channel for authentication, which ensures that passwords are never sent over the network unencrypted. With ldap_id_use_start_tls = true, identity lookups (such as commands based on the id or getent utilities) are also encrypted.
  7. Add the new domain to the domains option in the [sssd] section. The option lists the domains that SSSD queries. For example:
    domains = LDAP_domain_name, domain2
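The TLS settings in step 6 and the access_provider default described in Section 7.3.1 are the two places where an LDAP domain is most often left weaker than intended. The following linter is an added example, not part of this guide and not SSSD's own tooling; it parses sssd.conf text (which is INI-style) with the standard configparser module and reports a domain section that uses an IP literal in ldap_uri, leaves identity lookups unencrypted, disables certificate verification, pins no CA certificate, or still uses the permit access provider. Both sample configurations, the hostnames in them, and the simple_allow_groups value are constructed for the example.

```python
import configparser
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the domain from the procedure above, before hardening.
WEAK_CONF = """
[sssd]
domains = LDAP_domain_name
services = nss, pam

[domain/LDAP_domain_name]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://192.0.2.10
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = never
"""

# Constructed sample: the same domain with the settings from step 6 and an
# access provider other than the default (simple_allow_groups is an assumed value).
HARDENED_CONF = """
[sssd]
domains = LDAP_domain_name
services = nss, pam

[domain/LDAP_domain_name]
id_provider = ldap
auth_provider = ldap
access_provider = simple
simple_allow_groups = ssh-users
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
"""


def load_sssd_conf(text):
    """Parse sssd.conf text; the file is INI-style, so configparser handles it."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep option names as written, like SSSD does
    parser.read_string(text)
    return parser


def _host_is_ip_literal(uri):
    """True when the URI's host part is an IP address rather than a DNS name."""
    host = urlsplit(uri).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_ldap_domain(conf, domain):
    """Return a list of findings for one LDAP domain section; empty means
    the section carries the TLS settings recommended in the procedure."""
    section = conf[f"domain/{domain}"]
    findings = []

    uris = [u.strip() for u in section.get("ldap_uri", "").split(",") if u.strip()]
    if not uris:
        findings.append("ldap_uri not set (relies on DNS service discovery)")
    for uri in uris:
        if _host_is_ip_literal(uri):
            findings.append(f"{uri}: IP literal in ldap_uri; certificate name checks may fail")

    # Identity lookups are only encrypted with StartTLS enabled or an ldaps:// URI.
    start_tls = section.get("ldap_id_use_start_tls", "false").lower() == "true"
    if not start_tls and not all(u.startswith("ldaps://") for u in uris):
        findings.append("ldap_id_use_start_tls is not true: identity lookups go in cleartext")

    # 'never' and 'allow' skip or ignore server certificate verification.
    reqcert = section.get("ldap_tls_reqcert", "hard").lower()
    if reqcert not in ("demand", "hard"):
        findings.append(f"ldap_tls_reqcert = {reqcert}: server certificate is not verified")

    if "ldap_tls_cacert" not in section and "ldap_tls_cacertdir" not in section:
        findings.append("no ldap_tls_cacert / ldap_tls_cacertdir: no trust anchor configured")

    # access_provider defaults to permit, which grants access to every user
    # the identity provider returns.
    if section.get("access_provider", "permit") == "permit":
        findings.append("access_provider is permit (the default): no access control applied")

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        conf = load_sssd_conf(text)
        for domain in conf["sssd"]["domains"].split(","):
            print(label, domain.strip(), check_ldap_domain(conf, domain.strip()) or "OK")
```

Run it against a copy of /etc/sssd/sssd.conf by replacing the constructed strings with the file's contents; the weak sample produces five findings and the hardened one none.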

Additional Resources

The above procedure shows the basic options for an LDAP provider. For more details, see:
  • the sssd.conf(5) man page, which describes global options available for all types of domains
  • the sssd-ldap(5) man page, which describes options specific to LDAP

7.3.3. Configuring the Files Provider for SSSD

The files provider mirrors the content of the /etc/passwd and /etc/group files to make users and groups from these files available through SSSD. This enables you to set the sss database as the first source for users and groups in the /etc/nsswitch.conf file:
passwd:     sss files
group:      sss files
With this setting, and if the files provider is configured in /etc/sssd/sssd.conf, Red Hat Enterprise Linux sends all queries for users and groups first to SSSD. If SSSD is not running or cannot find the requested entry, the system falls back to looking up users and groups in the local files. If you store most users and groups in a central database, such as an LDAP directory, this setting speeds up user and group lookups.

Prerequisites

  • Install SSSD.
    # yum install sssd

Configure SSSD to Discover the Files Domain

  1. Add the following section to the /etc/sssd/sssd.conf file:
    [domain/files]
    id_provider = files
  2. Optionally, set the sss database as the first source for user and group lookups in the /etc/nsswitch.conf file:
    passwd:     sss files
    group:      sss files
  3. Configure the sssd service to start when the system boots:
    # systemctl enable sssd
  4. Restart the sssd service:
    # systemctl restart sssd
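Step 2 changes the source order for the passwd and group databases only, and it should leave every other nsswitch.conf line (shadow, hosts, comments, spacing) untouched. The following function is an added example, not part of this guide, that performs exactly that edit on nsswitch.conf text: it moves sss to the front of the passwd and group lines, adds it where it is missing, preserves inline comments, and is idempotent so it can be re-run safely by configuration management. The nsswitch.conf fragment is a constructed sample.

```python
import re

# Constructed sample of an /etc/nsswitch.conf fragment with the default ordering.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:     files sss systemd
shadow:     files sss
group:      files sss systemd
hosts:      files dns myhostname
"""

# Only these databases are served by the SSSD files provider.
DATABASES = ("passwd", "group")


def put_sss_first(text, databases=DATABASES):
    """Return nsswitch.conf text with 'sss' as the first source for the given
    databases. Every other line, comment and source is kept verbatim; a
    database line without 'sss' gets it prepended; a line that already lists
    sss first comes back unchanged, so the function is idempotent."""
    out = []
    for line in text.splitlines():
        m = re.match(r"^(\w+):(\s*)(.*)$", line)
        if m and m.group(1) in databases:
            body, hash_sign, comment = m.group(3).partition("#")
            sources = body.split()
            if "sss" in sources:
                sources.remove("sss")
            sources.insert(0, "sss")
            line = f"{m.group(1)}:{m.group(2) or ' '}{' '.join(sources)}"
            if hash_sign:
                line += f" #{comment}"
        out.append(line)
    return "\n".join(out) + "\n"


def lookup_order(text, database):
    """Return the list of sources configured for one database, comments stripped."""
    for line in text.splitlines():
        m = re.match(rf"^{re.escape(database)}:\s*(.*)$", line)
        if m:
            return m.group(1).partition("#")[0].split()
    return []


if __name__ == "__main__":
    updated = put_sss_first(SAMPLE_NSSWITCH)
    print(updated)
    for db in ("passwd", "group", "shadow"):
        print(db, "->", lookup_order(updated, db))
```

With the resulting order, a lookup for a user goes to SSSD first and only falls back to /etc/passwd when SSSD is not running or has no matching entry, which is the behaviour described at the top of this section.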

Additional Resources

The above procedure shows the basic options for the files provider. For more details, see:
  • the sssd.conf(5) man page, which describes global options available for all types of domains
  • the sssd-files(5) man page, which describes options specific to the files provider

7.3.4. Configuring a Proxy Provider for SSSD

Prerequisites

  • Install SSSD.
    # yum install sssd

Configure SSSD to Discover the Proxy Domain

  1. Open the /etc/sssd/sssd.conf file.
  2. Create a [domain] section for the proxy provider:
    [domain/proxy_name]
  3. To specify an authentication provider:
    1. Set the auth_provider option to proxy.
    2. Use the proxy_pam_target option to specify a PAM service as the authentication proxy.
    For example:
    [domain/proxy_name]
    auth_provider = proxy
    proxy_pam_target = sssdpamproxy

    Important

    Ensure that the proxy PAM stack does not recursively include pam_sss.so.
  4. To specify an identity provider:
    1. Set the id_provider option to proxy.
    2. Use the proxy_lib_name option to specify an NSS library as the identity proxy.
    For example:
    [domain/proxy_name]
    id_provider = proxy
    proxy_lib_name = nis
  5. Add the new domain to the domains option in the [sssd] section. The option lists the domains that SSSD queries. For example:
    domains = proxy_name, domain2
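The Important note in step 3 is easy to violate without noticing, because distribution PAM stacks pull each other in through include and substack directives: a proxy target that includes password-auth, which in turn lists pam_sss.so, sends the authentication request straight back into SSSD. The following checker is an added example, not part of this guide, that walks a set of PAM service files, follows include and substack directives, and reports the chain of files through which the proxy target reaches pam_sss.so. The PAM files are constructed samples keyed by their /etc/pam.d/ name; sssdpamproxy is the proxy_pam_target from the example above.

```python
import re

# Constructed PAM service files, keyed by the file name under /etc/pam.d/.
# This stack reaches pam_sss.so indirectly through password-auth.
PAM_FILES_BAD = {
    "sssdpamproxy": """\
auth     substack   password-auth
account  include    password-auth
password include    password-auth
session  include    password-auth
""",
    "password-auth": """\
auth     required   pam_env.so
auth     sufficient pam_unix.so nullok try_first_pass
auth     sufficient pam_sss.so use_first_pass
auth     required   pam_deny.so
account  required   pam_unix.so
account  [default=bad success=ok user_unknown=ignore] pam_sss.so
""",
}

# Constructed proxy stack that authenticates against local files only.
PAM_FILES_GOOD = {
    "sssdpamproxy": """\
auth     required   pam_unix.so
account  required   pam_unix.so
password required   pam_unix.so
session  required   pam_unix.so
""",
}

RECURSING_MODULE = "pam_sss.so"


def find_module(pam_files, service, module=RECURSING_MODULE, _seen=None):
    """Return the chain of PAM service files through which 'service' reaches
    'module', or None if the module is never reached. 'include' and 'substack'
    directives are followed; a service already on the current path is not
    re-entered, so include loops terminate."""
    seen = _seen or []
    if service in seen or service not in pam_files:
        return None
    path = seen + [service]
    for raw in pam_files[service].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # PAM line layout: type  control  module [args]; control may be [bracketed].
        m = re.match(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m:
            continue
        control, target = m.group(2), m.group(3)
        if control in ("include", "substack"):
            chain = find_module(pam_files, target, module, path)
            if chain:
                return chain
        elif target.rsplit("/", 1)[-1] == module:  # tolerate a full module path
            return path
    return None


if __name__ == "__main__":
    for label, files in (("bad", PAM_FILES_BAD), ("good", PAM_FILES_GOOD)):
        chain = find_module(files, "sssdpamproxy")
        print(label, "->", " -> ".join(chain) if chain else "pam_sss.so not reached")
```

To use it on a real system, read the files under /etc/pam.d/ into the dictionary and call find_module with the value of proxy_pam_target; a non-empty chain means the proxy stack recurses into SSSD and must be changed before the domain is enabled.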

Additional Resources

The above procedure shows the basic options for a proxy provider. For more details, see the sssd.conf(5) man page, which describes global options available for all types of domains as well as the other proxy-related options.

7.3.5. Configuring a Kerberos Authentication Provider

Prerequisites

  • Install SSSD.
    # yum install sssd

Configure SSSD to Discover the Kerberos Domain

  1. Open the /etc/sssd/sssd.conf file.
  2. Create a [domain] section for the SSSD domain:
    [domain/Kerberos_domain_name]
  3. Specify an identity provider. For example, for details on configuring an LDAP identity provider, see Section 7.3.2, “Configuring an LDAP Domain for SSSD”.
    If the Kerberos principal names are not available in the specified identity provider, SSSD constructs the principals using the format username@REALM.
  4. Specify the Kerberos authentication provider details:
    1. Set the auth_provider option to krb5.
      [domain/Kerberos_domain_name]
      id_provider = ldap
      auth_provider = krb5
    2. Specify the Kerberos server:
      1. To explicitly define the server, use the krb5_server option. The option accepts the host name or IP address of the server:
        [domain/Kerberos_domain_name]
        id_provider = ldap
        auth_provider = krb5
        
        krb5_server = kdc.example.com
      2. To configure SSSD to discover the server dynamically using DNS service discovery, see Section 7.4.3, “Configuring DNS Service Discovery”.
      Optionally, specify backup servers in the krb5_backup_server option as well.
    3. If the Change Password service is not running on the KDC specified in krb5_server or krb5_backup_server, use the krb5_passwd option to specify the server where the service is running.
      [domain/Kerberos_domain_name]
      id_provider = ldap
      auth_provider = krb5
      
      krb5_server = kdc.example.com
      krb5_backup_server = kerberos.example.com
      krb5_passwd = kerberos.admin.example.com
      If krb5_passwd is not used, SSSD uses the KDC specified in krb5_server or krb5_backup_server.
    4. Use the krb5_realm option to specify the name of the Kerberos realm.
      [domain/Kerberos_domain_name]
      id_provider = ldap
      auth_provider = krb5
      
      krb5_server = kerberos.example.com
      krb5_backup_server = kerberos2.example.com
      krb5_passwd = kerberos.admin.example.com
      krb5_realm = EXAMPLE.COM
  5. Add the new domain to the domains option in the [sssd] section. The option lists the domains that SSSD queries. For example:
    domains = Kerberos_domain_name, domain2
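Steps 3 and 4 describe two pieces of behaviour that are worth being able to predict before restarting SSSD: which server handles a password change when krb5_passwd is or is not set, and which principal a user ends up with when the identity provider does not supply one. The following module is an added example, not part of this guide and not SSSD's own code; it models those two rules as stated in the procedure and adds a small sanity check of the Kerberos domain section (krb5_realm present and upper-case, auth_provider set to krb5, an identity provider configured, at least one KDC listed). The sssd.conf text is a constructed sample built from the final example above.

```python
import configparser

# Constructed sssd.conf based on the final example in the procedure above.
KRB5_CONF = """
[sssd]
domains = Kerberos_domain_name

[domain/Kerberos_domain_name]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
krb5_server = kerberos.example.com
krb5_backup_server = kerberos2.example.com
krb5_passwd = kerberos.admin.example.com
krb5_realm = EXAMPLE.COM
"""


def load_domain(text, domain):
    """Return the [domain/<domain>] section of sssd.conf text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep option names as written, like SSSD does
    parser.read_string(text)
    return parser[f"domain/{domain}"]


def _servers(value):
    """Split a comma-separated server list into a clean Python list."""
    return [s.strip() for s in value.split(",") if s.strip()]


def kdc_candidates(section):
    """KDCs in the order SSSD tries them: krb5_server first, then krb5_backup_server."""
    return _servers(section.get("krb5_server", "")) + _servers(section.get("krb5_backup_server", ""))


def kpasswd_candidates(section):
    """Servers used for password changes: krb5_passwd when set, otherwise the KDCs
    (the fallback described in step 4.3)."""
    explicit = _servers(section.get("krb5_passwd", ""))
    return explicit if explicit else kdc_candidates(section)


def principal_for(username, section, principal_from_idp=None):
    """Principal SSSD authenticates: the one the identity provider supplied,
    else username@REALM built from krb5_realm (step 3)."""
    if principal_from_idp:
        return principal_from_idp
    return f"{username}@{section['krb5_realm']}"


def check_krb5_domain(section):
    """Return a list of findings for a Kerberos authentication domain; empty is good."""
    findings = []
    if section.get("auth_provider") != "krb5":
        findings.append("auth_provider is not krb5")
    if "id_provider" not in section:
        findings.append("no id_provider: a Kerberos auth provider still needs an identity source")
    realm = section.get("krb5_realm")
    if not realm:
        findings.append("krb5_realm not set (required by the krb5 provider)")
    elif realm != realm.upper():
        findings.append(f"krb5_realm {realm!r} is not upper-case; realm names are case-sensitive")
    if not kdc_candidates(section):
        findings.append("no krb5_server/krb5_backup_server: relies on DNS discovery of the KDC")
    return findings


if __name__ == "__main__":
    sec = load_domain(KRB5_CONF, "Kerberos_domain_name")
    print("KDCs:      ", kdc_candidates(sec))
    print("kpasswd:   ", kpasswd_candidates(sec))
    print("principal: ", principal_for("alice", sec))
    print("findings:  ", check_krb5_domain(sec) or "OK")
```

Removing the krb5_passwd line from the sample makes kpasswd_candidates return the KDC list, which is the fallback the procedure describes; lower-casing the realm produces a finding, since EXAMPLE.COM and example.com are different realms to Kerberos.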

Additional Resources

The above procedure shows the basic options for a Kerberos provider. For more details, see:
  • the sssd.conf(5) man page, which describes global options available for all types of domains
  • the sssd-krb5(5) man page, which describes options specific to Kerberos