Chapter 3. Configuring SSSD to use LDAP and require TLS authentication

3.1. An OpenLDAP client using SSSD to retrieve data from LDAP in an encrypted way

The System Security Services Daemon (SSSD) is a daemon that manages identity data retrieval and authentication on a RHEL 8 host. A system administrator can configure SSSD on the host to use a standalone LDAP server database as the user account database. Examples of an LDAP server include the OpenLDAP server and the Red Hat 389 Directory Server. The scenario in this chapter additionally requires that the connection with the LDAP server is encrypted with TLS and that the client verifies the server's TLS certificate.

The authentication method of the LDAP objects can be either a Kerberos password or an LDAP password. Note that the questions of authentication and authorization of the LDAP objects are not addressed in this chapter.

Important

Configuring SSSD with LDAP is a complex procedure requiring a high level of expertise in SSSD and LDAP. Consider using an integrated and automated solution such as Active Directory or Red Hat Identity Management (IdM) instead. For details about IdM, see Planning Identity Management.

3.2. Configuring SSSD to use LDAP and require TLS authentication

Complete this procedure to configure your Red Hat Enterprise Linux (RHEL) system as an OpenLDAP client and to specify the following client configuration:

  • The RHEL system uses an OpenLDAP server as the user account database.
  • The RHEL system uses the System Security Services Daemon (SSSD) as the service responsible for retrieving the user data.
  • The RHEL system uses a TLS certificate to encrypt the connection with the OpenLDAP server.

Note

You can alternatively use the steps in this procedure to configure your RHEL system as a client of the Red Hat 389 Directory Server.

Prerequisites

  • The OpenLDAP server is installed.
  • On the host you want to become a client of the OpenLDAP server, you have root credentials.
  • On the host you want to become a client of the OpenLDAP server, the /etc/sssd/sssd.conf file has been created and configured to specify ldap as the autofs_provider and the id_provider.
  • You have the TLS certificate of the OpenLDAP server stored in a PEM format.

Procedure

  1. Install the requisite packages:

    # dnf -y install openldap-clients sssd sssd-ldap oddjob-mkhomedir
  2. Switch the authentication provider to sssd:

    # authselect select sssd with-mkhomedir
  3. Copy the core-dirsrv.ca.pem file containing the LDAP server certificate into the /etc/openldap/certs directory (the directory referenced by the ldap.conf and sssd.conf settings in the following steps).
  4. Add the URL and suffix of your LDAP server to the /etc/openldap/ldap.conf file:

    URI ldap://ldap-server.example.com/
    BASE dc=example,dc=com
  5. In /etc/openldap/ldap.conf, specify the location of the OpenLDAP server certificate by adding a line pointing the TLS_CACERT parameter to /etc/openldap/certs/core-dirsrv.ca.pem:

    # When no CA certificates are specified the Shared System Certificates
    # are in use. In order to have these available along with the ones specified
    # by TLS_CACERTDIR one has to include them explicitly:
    TLS_CACERT /etc/openldap/certs/core-dirsrv.ca.pem
  6. In the /etc/sssd/sssd.conf file, add your environment values to the ldap_uri and ldap_search_base parameters:

    [domain/default]
    id_provider = ldap
    autofs_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    ldap_uri = ldap://ldap-server.example.com/
    ldap_search_base = dc=example,dc=com
    ldap_id_use_start_tls = True
    cache_credentials = True
    ldap_tls_cacertdir = /etc/openldap/certs
    ldap_tls_reqcert = allow
    
    [sssd]
    services = nss, pam, autofs
    domains = default
    
    [nss]
    homedir_substring = /home
    …
  7. In /etc/sssd/sssd.conf, specify the TLS authentication requirement by modifying the ldap_tls_cacert and ldap_tls_reqcert values in the [domain/default] section. With ldap_tls_reqcert = hard, SSSD refuses the connection if the server presents no certificate or one that does not validate against the configured CA certificate:

    …
    cache_credentials = True
    ldap_tls_cacert = /etc/openldap/certs/core-dirsrv.ca.pem
    ldap_tls_reqcert = hard
  8. Change the permissions on the /etc/sssd/sssd.conf file:

    # chmod 600 /etc/sssd/sssd.conf
  9. Restart and enable SSSD:

    # systemctl restart sssd oddjobd
    # systemctl enable sssd oddjobd
  10. (Optional) If your LDAP server uses the deprecated TLS 1.0 or TLS 1.1 protocols, switch the system-wide cryptographic policy on the client system to the LEGACY level to allow RHEL 8 to communicate using these protocols. Note that this lowers the cryptographic policy for every application on the client, not only for SSSD:

    # update-crypto-policies --set LEGACY

    For more details, see the Deprecated Functionality section in the RHEL 8.0 Release Notes.
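The following added example (not part of the original procedure or of SSSD itself) audits the TLS settings of each LDAP domain in an sssd.conf file, so that you can confirm the result of steps 6 and 7 before restarting SSSD. It flags a plain ldap:// URI without StartTLS, a missing CA certificate setting, and any ldap_tls_reqcert value weaker than hard or demand; the two constructed inputs are the [domain/default] block before and after step 7. The function and the sample texts are assumptions of this example.

```python
"""Audit the TLS settings of the LDAP domains in an sssd.conf file (added example)."""
import configparser
import os

# ldap_tls_reqcert values under which SSSD aborts on an unverifiable server certificate.
STRICT_REQCERT = {"demand", "hard"}


def audit_sssd_tls(conf_text, check_files=False):
    """Return a list of findings for every [domain/*] section using id_provider = ldap.

    An empty list means the domain matches the procedure above: ldaps:// or StartTLS,
    a CA certificate (file or directory), and ldap_tls_reqcert set to hard or demand.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        dom = parser[section]
        if not section.startswith("domain/") or dom.get("id_provider", "").strip() != "ldap":
            continue
        uris = dom.get("ldap_uri", "").replace(",", " ").split()
        start_tls = dom.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        if not uris:
            findings.append(f"{section}: ldap_uri is not set")
        for uri in uris:  # plain ldap:// is only acceptable when StartTLS upgrades it
            if uri.startswith("ldap://") and not start_tls:
                findings.append(f"{section}: {uri} without ldap_id_use_start_tls = True")
        reqcert = dom.get("ldap_tls_reqcert", "hard").strip().lower()  # SSSD default is hard
        if reqcert not in STRICT_REQCERT:
            findings.append(f"{section}: ldap_tls_reqcert = {reqcert} does not verify the server certificate")
        cacert = dom.get("ldap_tls_cacert", "").strip()
        if not cacert and not dom.get("ldap_tls_cacertdir", "").strip():
            findings.append(f"{section}: no ldap_tls_cacert or ldap_tls_cacertdir configured")
        if check_files and cacert and not os.path.isfile(cacert):
            findings.append(f"{section}: ldap_tls_cacert file {cacert} does not exist")
    return findings


# Constructed sample: the [domain/default] settings from step 6, before step 7 is applied.
BEFORE = """
[domain/default]
id_provider = ldap
ldap_uri = ldap://ldap-server.example.com/
ldap_search_base = dc=example,dc=com
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/openldap/certs
ldap_tls_reqcert = allow
"""
# Constructed sample: the same domain after step 7 sets ldap_tls_cacert and reqcert = hard.
AFTER = BEFORE.replace("ldap_tls_reqcert = allow",
                       "ldap_tls_cacert = /etc/openldap/certs/core-dirsrv.ca.pem\nldap_tls_reqcert = hard")

if __name__ == "__main__":
    for label, text in (("before step 7", BEFORE), ("after step 7", AFTER)):
        print(label, audit_sssd_tls(text) or "OK")
```

Run it against the live file with `audit_sssd_tls(open("/etc/sssd/sssd.conf").read(), check_files=True)` to also confirm that the CA certificate file from step 3 exists.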

Verification steps

  • Verify that user data is retrieved from LDAP by using the id command and specifying an LDAP user:

    # id ldap_user
    uid=17388(ldap_user) gid=45367(sysadmins) groups=45367(sysadmins),25395(engineers),10(wheel),1202200000(admins)

The system administrator can now query users from LDAP using the id command. The command returns a correct user ID and group membership.