Chapter 10. Migrating authentication from nslcd to SSSD

10.1. Migrating a RHEL client from nslcd to SSSD

As the nss-pam-ldapd package has been removed from RHEL, Red Hat recommends migrating to SSSD and its ldap provider, which replaces the functionality of the nslcd service. The following procedure describes how to configure SSSD to authenticate LDAP users on a client that was previously configured to use an nss-pam-ldap authentication configuration.

Prerequisites

  • Your RHEL client is on RHEL 8 or RHEL 9.
  • You have previously configured the RHEL client to authenticate to an LDAP directory server with the nslcd service.
  • The LDAP directory service uses a schema defined in RFC-2307.

Procedure

  1. Back up the current authentication configuration: 

    # authselect apply-changes -b --backup=ldap-configuration-backup

  2. Install SSSD packages: 

    # yum install sssd-ldap sssd-ad sssd-client \
              sssd-common sssd-common-pac \
              sssd-krb5 sssd-krb5-common

  3. Stop and disable the nslcd and nscd services: 

    # systemctl stop nslcd nscd
# systemctl disable nslcd nscd

  4. Configure authentication with SSSD: 

    # authselect select sssd with-mkhomedir --force

  5. Set the necessary ownership and permissions for the SSSD configuration file: 

    # chown root:root /etc/sssd/sssd.conf
# chmod 600 /etc/sssd/sssd.conf
  6. Open the /etc/sssd/sssd.conf file for editing.

  7. Enter the following configuration, replacing values such as example.com and dc=example,dc=com with values that are appropriate for your environment: 

    [sssd]
config_file_version = 2
services = nss, pam
domains = EXAMPLE.COM
debug_level = 6

[domain/EXAMPLE.COM]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://server.example.com/
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = CN=binddn,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = <bind_account_password>
cache_credentials = True
    Note

    You might need to specify the LDAP schema in your SSSD configuration:

    If you are using the RFC-2307bis schema in your directory server, add the following line to the [domain/EXAMPLE.COM] section: 

    ldap_schema = rfc2307bis

    If you are using a Microsoft Active Directory server, add the following line to the [domain/EXAMPLE.COM] section to enable LDAP-based authentication: 

    ldap_schema = ad

    If you need Kerberos authentication, Red Hat recommends joining the RHEL client to your AD domain with the realm command, which automatically configures the SSSD service.

  8. Enable and start the SSSD service: 

    # systemctl enable sssd
# systemctl start sssd

Verification steps

  1. Ensure you can retrieve information about your LDAP users: 

    # id ldapuser
 uid=100424(ldapuser) gid=100424(ldapuser) groups=100424(ldapuser)

# getent passwd ldapuser
ldapuser:*: 100424: 100424:User, LDAP:/home/ldapuser:/bin/bash

  2. Ensure you can log in as an LDAP user: 

    # ssh -l ldapuser localhost
ldapuser@localhost's password:
Last login: Tue Dec 07 19:34:35 2021 from localhost
-sh-4.2$
Note

If you need to restore your original LDAP configuration with nslcd and nscd, use the following commands: 

# authselect backup-restore=ldap-configuration-backup
# systemctl stop sssd && systemctl disable sssd
# systemctl start nslcd nscd
# systemctl enable nslcd nscd

Additional resources

10.2. sssd.conf option equivalents of nslcd.conf options

To help with migrating from nslcd to SSSD, the following table shows common options from the nslcd.conf configuration file and their equivalent options in the sssd.conf configuration file.

Table 10.1. sssd.conf option equivalents of nslcd.conf options

nslcd.conf optionsssd.conf optionDescription

uid

No equivalent

The user id with which the daemon should be run. By default, SSSD runs as the sssd user.

gid

No equivalent

The group id with which the daemon should be run. By default, SSSD runs as the sssd private group.

uri

ldap_uri

The URI of the LDAP server in the following format: ldap[s]://<host>[:port]

base

ldap_search_base

The distinguished name of the search base.

binddn

ldap_default_bind_dn

The default bind DN to use for performing LDAP operations

bindpw

ldap_default_authtok

The authentication token of the default bind DN. Only clear text passwords are currently supported.

ssl start_tls

ldap_id_use_start_tls = true

The authentication token of the default bind DN. Only clear text passwords are currently supported.

tls_reqcert

ldap_tls_reqcert

Specifies what checks to perform on a server-supplied certificate.

tls_cacertfile

ldap_tls_cacert

The file that contains certificates for all of the Certificate Authorities

tls_cacertdir

ldap_tls_cacertdir

The path of a directory that contains Certificate Authority certificates in separate individual files.

base passwd

ldap_user_search_base

An optional base DN, search scope and LDAP filter to restrict LDAP searches for users.

base group

ldap_group_search_base

An optional base DN, search scope and LDAP filter to restrict LDAP searches for groups.

Additional resources

  • nslcd.conf(5) man page
  • sssd-ldap(5) man page