sssdAuth
sssd Authentication fast & easy
Some commands:

yum install sssd
authconfig --savebackup initial-bak
authconfig --enablesssd --enablesssdauth --enablelocauthorize --enablemkhomedir --update
Example sssd.conf:

[domain/default]
ldap_schema = rfc2307bis
debug_level = 9
ldap_id_use_start_tls = True
ldap_tls_reqcert = allow
cache_credentials = False
krb5_realm = #
id_provider = ldap
auth_provider = ldap
access_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://192.168.55.55/
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_default_bind_dn = uid=reader,ou=Special Users,dc=reality,dc=cz
ldap_default_authtok_type = password
ldap_default_authtok = PaSwOrD
ldap_search_base = dc=reality,dc=cz
ldap_group_member = uniquemember
ldap_user_search_base = ou=People,dc=reality,dc=cz
ldap_group_search_base = ou=Groups,dc=reality,dc=cz
ldap_access_order = filter
ldap_access_filter = (gidNumber=1000)
enumerate = True
krb5_server = kerberos.example.com

[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = default

[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]
NOTE:
ldap_access_order and ldap_access_filter are mandatory (see man sssd-ldap). If you want to authenticate against an LDAP server, TLS/SSL is required.
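To check those requirements before restarting sssd, here is an added Python example (not part of the original page) that parses an sssd.conf with the standard-library configparser and reports the settings the note calls out: the access options, whether an ldap:// URI has STARTTLS enabled, whether ldap_tls_reqcert accepts unverified server certificates, and whether a bind password sits in the file. It goes slightly beyond the note by also checking the file's ownership and mode, which sssd itself enforces (root-owned, 0600). The sample configuration is constructed for the example from the one above; the bind password is a placeholder.

```python
import configparser
import os
import stat

# Constructed sample modelled on the sssd.conf shown above (bind password is a placeholder).
SAMPLE_CONF = """
[sssd]
services = nss, pam
config_file_version = 2
domains = default

[domain/default]
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = ldap://192.168.55.55/
ldap_id_use_start_tls = True
ldap_tls_reqcert = allow
ldap_default_bind_dn = uid=reader,ou=Special Users,dc=reality,dc=cz
ldap_default_authtok_type = password
ldap_default_authtok = PLACEHOLDER
ldap_access_order = filter
ldap_access_filter = (gidNumber=1000)
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-like; interpolation is off so '%' in filters is not special."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_domain(cp, domain="default"):
    """Return a list of findings (strings) for one [domain/<name>] section."""
    sec = f"domain/{domain}"
    if not cp.has_section(sec):
        return [f"missing section [{sec}]"]
    d = cp[sec]
    findings = []

    # The page's note: both access options are mandatory with the ldap access provider.
    if d.get("access_provider") == "ldap":
        for key in ("ldap_access_order", "ldap_access_filter"):
            if key not in d:
                findings.append(f"{key} is required when access_provider = ldap")

    # Plain ldap:// without STARTTLS would send the bind password and user passwords in clear.
    uri = d.get("ldap_uri", "")
    starttls = d.get("ldap_id_use_start_tls", "False").strip().lower() == "true"
    if uri.startswith("ldap://") and not starttls:
        findings.append("ldap:// without ldap_id_use_start_tls = True: credentials sent in clear")

    # 'never' and 'allow' let the session proceed with a bad or missing server certificate.
    if d.get("ldap_tls_reqcert", "hard").strip().lower() in ("never", "allow"):
        findings.append("ldap_tls_reqcert = never/allow: server certificate is not verified")

    # A bind password in the file is normal for a reader account, but the file must stay private.
    if d.get("ldap_default_authtok"):
        findings.append("bind password stored in sssd.conf: keep the file root-owned, mode 0600")
    return findings


def check_file_mode(path):
    """sssd requires its config file to be owned by root and not group/world accessible."""
    st = os.stat(path)
    findings = []
    if st.st_uid != 0:
        findings.append(f"{path} is not owned by root")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path} is accessible by group or others; chmod 0600")
    return findings


if __name__ == "__main__":
    for finding in check_domain(parse_sssd_conf(SAMPLE_CONF)):
        print("-", finding)
```

Running it against the sample reports the `allow` setting and the stored bind password; switching `ldap_tls_reqcert` to `demand` clears the first finding, and removing `ldap_access_filter` produces the "required" finding from the note.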
enable "su -" for sysadmins
add this line to /etc/pam.d/su as the second auth line
auth sufficient pam_wheel.so group=sysadmins trust use_uid
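Placing the line matters: it has to come after pam_rootok.so (so root still gets su for free) and before the include that prompts for a password, and it must not be added twice on repeated runs. Here is an added Python example (not part of the original page) that inserts the pam_wheel line as the second auth entry of a constructed /etc/pam.d/su and is idempotent; the group name sysadmins is taken from the line above.

```python
PAM_WHEEL_LINE = "auth            sufficient      pam_wheel.so group=sysadmins trust use_uid"

# Constructed sample of a stock /etc/pam.d/su before the change.
SAMPLE_PAM_SU = """#%PAM-1.0
auth            sufficient      pam_rootok.so
auth            include         system-auth
account         include         system-auth
password        include         system-auth
session         include         system-auth
"""


def add_wheel_line(pam_su_text, line=PAM_WHEEL_LINE):
    """Insert `line` directly after the first auth entry; return the text unchanged if
    pam_wheel.so is already configured, so the function can be run repeatedly."""
    if "pam_wheel.so" in pam_su_text:
        return pam_su_text
    lines = pam_su_text.splitlines()
    for i, entry in enumerate(lines):
        fields = entry.split()
        if fields and fields[0] == "auth":
            lines.insert(i + 1, line)
            break
    else:
        raise ValueError("no auth line found in pam file")
    return "\n".join(lines) + "\n"


def auth_entries(pam_su_text):
    """Return the auth stack in order, as (control, module) pairs, for review."""
    stack = []
    for entry in pam_su_text.splitlines():
        fields = entry.split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack


if __name__ == "__main__":
    updated = add_wheel_line(SAMPLE_PAM_SU)
    for control, module in auth_entries(updated):
        print(control, module)
```

The resulting auth stack reads pam_rootok.so, pam_wheel.so, then the system-auth include, so members of sysadmins pass on the pam_wheel line and everyone else falls through to the normal password prompt.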