7.3. Configuring Identity and Authentication Providers for SSSD

7.3.1. Introduction to Identity and Authentication Providers for SSSD

SSSD Domains. Identity and Authentication Providers

Identity and authentication providers are configured as domains in the SSSD configuration file. A single domain can be used as:
  • An identity provider (for user information)
  • An authentication provider (for authentication requests)
  • An access control provider (for authorization requests)
  • A combination of these providers (if all the corresponding operations are performed within a single server)
You can configure multiple domains for SSSD. At least one domain must be configured, otherwise SSSD will not start.
The access_provider option in the /etc/sssd/sssd.conf file sets the access control provider used for the domain. By default, the option is set to permit, which always allows all access. See the sssd.conf(5) man page for details.

Proxy Providers

A proxy provider works as an intermediary relay between SSSD and resources that SSSD would otherwise not be able to use. When using a proxy provider, SSSD connects to the proxy service, and the proxy loads the specified libraries.
Using a proxy provider, you can configure SSSD to use:
  • Alternative authentication methods, such as a fingerprint scanner
  • Legacy systems, such as NIS
  • A local system account defined in /etc/passwd and remote authentication

Available Combinations of Identity and Authentication Providers

Table 7.1. Available Combinations of Identity and Authentication Providers

Identity Provider Authentication Provider
Identity Management [a] Identity Management [a]
Active Directory [a] Active Directory [a]
LDAP LDAP
LDAP Kerberos
proxy proxy
proxy LDAP
proxy Kerberos
[a] An extension of the LDAP provider type.
Note that this guide does not describe all provider types. See the following additional resources for more information:

7.3.2. Configuring an LDAP Domain for SSSD

Prerequisites

  • Install SSSD. 
    # yum install sssd

Configure SSSD to Discover the LDAP Domain

  1. Open the /etc/sssd/sssd.conf file.
  2. Create a [domain] section for the LDAP domain: 
    [domain/LDAP_domain_name]
  3. Specify if you want to use the LDAP server as an identity provider, an authentication provider, or both.
    1. To use the LDAP server as an identity provider, set the id_provider option to ldap.
    2. To use the LDAP server as an authentication provider, set the auth_provider option to ldap.
    For example, to use the LDAP server as both: 
    [domain/LDAP_domain_name]
id_provider = ldap
auth_provider = ldap
  4. Specify the LDAP server. Choose one of the following:
    1. To explicitly define the server, specify the server's URI with the ldap_uri option: 
      [domain/LDAP_domain_name]
id_provider = ldap
auth_provider = ldap

ldap_uri = ldap://ldap.example.com
      The ldap_uri option also accepts the IP address of the server. However, using an IP address instead of the server name might cause TLS/SSL connections to fail. See Configuring an SSSD Provider to Use an IP Address in the Certificate Subject Name in Red Hat Knowledgebase.
    2. To configure SSSD to discover the server dynamically using DNS service discovery, see Section 7.4.3, “Configuring DNS Service Discovery”.
    Optionally, specify backup servers in the ldap_backup_uri option as well.
  5. Specify the LDAP server's search base in the ldap_search_base option: 
    [domain/LDAP_domain_name]
id_provider = ldap
auth_provider = ldap

ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
  6. Specify a way to establish a secure connection to the LDAP server. The recommended method is to use a TLS connection. To do this, enable the ldap_id_use_start_tls option, and use these CA certificate-related options:
    • ldap_tls_reqcert specifies if the client requests a server certificate and what checks are performed on the certificate
    • ldap_tls_cacert specifies the file containing the certificate 
    [domain/LDAP_domain_name]
id_provider = ldap
auth_provider = ldap

ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com

ldap_id_use_start_tls = true
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt

    Note

    SSSD always uses an encrypted channel for authentication, which ensures that passwords are never sent over the network unencrypted. With ldap_id_use_start_tls = true, identity lookups (such as commands based on the id or getent utilities) are also encrypted.
  7. Add the new domain to the domains option in the [sssd] section. The option lists the domains that SSSD queries. For example: 
    domains = LDAP_domain_name, domain2

Additional Resources

The above procedure shows the basic options for an LDAP provider. For more details, see:
  • the sssd.conf(5) man page, which describes global options available for all types of domains
  • the sssd-ldap(5) man page, which describes options specific to LDAP

7.3.3. Configuring a Proxy Provider for SSSD

Prerequisites

  • Install SSSD. 
    # yum install sssd

Configure SSSD to Discover the Proxy Domain

  1. Open the /etc/sssd/sssd.conf file.
  2. Create a [domain] section for the proxy provider: 
    [domain/proxy_name]
  3. To specify an authentication provider:
    1. Set the auth_provider option to proxy.
    2. Use the proxy_pam_target option to specify a PAM service as the authentication proxy.
    For example: 
    [domain/proxy_name]
auth_provider = proxy
proxy_pam_target = sssdpamproxy

    Important

    Ensure that the proxy PAM stack does not recursively include pam_sss.so.
  4. To specify an identity provider:
    1. Set the id_provider option to proxy.
    2. Use the proxy_lib_name option to specify an NSS library as the identity proxy.
    For example: 
    [domain/proxy_name]
id_provider = proxy
proxy_lib_name = nis
  5. Add the new domain to the domains option in the [sssd] section. The option lists the domains that SSSD queries. For example: 
    domains = proxy_name, domain2

Additional Resources

The above procedure shows the basic options for a proxy provider. For more details, see the sssd.conf(5) man page, which describes global options available for all types of domains and other proxy-related options.

7.3.4. Configuring a Kerberos Authentication Provider

Prerequisites

  • Install SSSD. 
    # yum install sssd

Configure SSSD to Discover the Kerberos Domain

  1. Open the /etc/sssd/sssd.conf file.
  2. Create a [domain] section for the SSSD domain. 
    [domain/Kerberos_domain_name]
  3. Specify an identity provider. For example, for details on configuring an LDAP identity provider, see Section 7.3.2, “Configuring an LDAP Domain for SSSD”.
    If the Kerberos principal names are not available in the specified identity provider, SSSD constructs the principals using the format username@REALM.
  4. Specify the Kerberos authentication provider details:
    1. Set the auth_provider option to krb5. 
      [domain/Kerberos_domain_name]
id_provider = ldap
auth_provider = krb5
    2. Specify the Kerberos server:
      1. To explicitly define the server, use the krb5_server option. The options accepts the host name or IP address of the server: 
        [domain/Kerberos_domain_name]
id_provider = ldap
auth_provider = krb5

krb5_server = kdc.example.com
      2. To configure SSSD to discover the server dynamically using DNS service discovery, see Section 7.4.3, “Configuring DNS Service Discovery”.
      Optionally, specify backup servers in the krb5_backup_server option as well.
    3. If the Change Password service is not running on the KDC specified in krb5_server or krb5_backup_server, use the krb5_passwd option to specify the server where the service is running. 
      [domain/Kerberos_domain_name]
id_provider = ldap
auth_provider = krb5

krb5_server = kdc.example.com
krb5_backup_server = kerberos.example.com
krb5_passwd = kerberos.admin.example.com
      If krb5_passwd is not used, SSSD uses the KDC specified in krb5_server or krb5_backup_server.
    4. Use the krb5_realm option to specify the name of the Kerberos realm. 
      [domain/Kerberos_domain_name]
id_provider = ldap
auth_provider = krb5

krb5_server = kerberos.example.com
krb5_backup_server = kerberos2.example.com
krb5_passwd = kerberos.admin.example.com
krb5_realm = EXAMPLE.COM
  5. Add the new domain to the domains option in the [sssd] section. The option lists the domains that SSSD queries. For example: 
    domains = Kerberos_domain_name, domain2

Additional Resources

The above procedure shows the basic options for a Kerberos provider. For more details, see:
  • the sssd.conf(5) man page, which describes global options available for all types of domains
  • the sssd-krb5(5) man page, which describes options specific to Kerberos