Enrolling in Central Authentication using SSSD
Get the Certificate
- Main article: OpenSSL CA
Talos uses our OpenSSL CA for its SSL services, including its HTTPS server and LDAPS. You'll need this CA certificate installed to connect to LDAP with STARTTLS correctly.
In short: as root, make the directory, cd to it, and run:
wget --no-check-certificate https://talos.cslabs.clarkson.edu/cosi_ca.crt
Add that path (the one under the directory you just created) to /etc/ca-certificates.conf; appending it to the bottom will be fine.
After that's done, run update-ca-certificates (again as root). Ensure that it says a certificate was added.
At this point, you should be able to run wget -O - https://talos.cslabs.clarkson.edu/ without it complaining about certificates.
apt install sssd
The default installation registers SSSD as an NSS and PAM provider, which suffices. The service also starts, but the package does not create the configuration file; that is documented below.
The following configuration is known to work:
[sssd]
config_file_version = 2
domains = cslabs.clarkson.edu
services = nss, pam

[domain/cslabs.clarkson.edu]
id_provider = ldap
ldap_uri = ldap://talos.cslabs.clarkson.edu
ldap_id_use_start_tls = true
ldap_search_base = dc=cslabs,dc=clarkson,dc=edu
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
auth_provider = krb5
chpass_provider = krb5
krb5_realm = CSLABS.CLARKSON.EDU
krb5_server = talos.cslabs.clarkson.edu
krb5_kpasswd = talos.cslabs.clarkson.edu
cache_credentials = true
enumerate = true
For your convenience, you should be able to get this from Talos:
cd /etc/sssd
wget https://talos.cslabs.clarkson.edu/sssd.conf
chmod go-r sssd.conf
Note the last command: SSSD requires /etc/sssd/sssd.conf to be mode -rw------- (0600) and owned by root:root, or it will not load the configuration.
Activate the Configuration
systemctl restart sssd
Test the Configuration
Be sure that you see the LDAP users in there.
Choose a username (yours will work, for example, but I'll use username illustratively) and switch to that user. Since you're still root (right?), this will probably succeed automatically. From your new user shell, do the same again:
Enter your password, and be sure you can log in.
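A pre-flight check for the configuration and permission requirements above, written as an added example that is not from this wiki page: it verifies the 0600 root:root mode SSSD insists on, confirms that the domain section actually requests STARTTLS and points at a readable CA bundle (the page's config uses a plain ldap:// URI, so STARTTLS is what keeps binds off the wire in cleartext), and checks that nsswitch.conf routes passwd and group lookups to sss. It assumes Linux with GNU stat, grep and sed; the function names are my own.

```shell
# Added example (not from the wiki page): offline sanity checks for an
# SSSD enrollment like the one above. Assumes Linux with GNU stat/grep/sed.

# SSSD refuses to load sssd.conf unless it is mode 0600 and owned by
# root:root. $2 overrides the expected owner (handy when testing as non-root).
sssd_conf_perms_ok() {
    f="$1"; want_owner="${2:-root:root}"
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    mode=$(stat -c '%a' "$f") || return 1
    owner=$(stat -c '%U:%G' "$f") || return 1
    if [ "$mode" != "600" ] || [ "$owner" != "$want_owner" ]; then
        echo "$f: mode $mode owner $owner, need 600 $want_owner"; return 1
    fi
}

# Print the value of key $2 from ini-style file $1 (first match, trimmed).
sssd_conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# With a plain ldap:// URI, STARTTLS plus a CA bundle to validate the server
# are the only things keeping LDAP binds and lookups off the wire in cleartext.
sssd_conf_tls_ok() {
    f="$1"; rc=0
    if [ "$(sssd_conf_get "$f" ldap_id_use_start_tls)" != "true" ]; then
        echo "ldap_id_use_start_tls is not true: LDAP traffic would be cleartext"; rc=1
    fi
    cacert=$(sssd_conf_get "$f" ldap_tls_cacert)
    if [ -z "$cacert" ]; then
        echo "ldap_tls_cacert is not set: server certificate cannot be validated"; rc=1
    elif [ ! -r "$cacert" ]; then
        echo "ldap_tls_cacert $cacert is not readable"; rc=1
    fi
    return $rc
}

# Lookups only reach SSSD if nsswitch.conf lists sss for passwd and group.
nsswitch_uses_sss() {
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db[[:space:]]*:.*[[:space:]:]sss([[:space:]]|$)" "$1" || {
            echo "$1: $db does not list sss"; return 1; }
    done
}

# On an enrolled host: sssd_check /etc/sssd/sssd.conf /etc/nsswitch.conf
sssd_check() {
    sssd_conf_perms_ok "$1" && sssd_conf_tls_ok "$1" && nsswitch_uses_sss "$2"
}
```

Run sssd_check before systemctl restart sssd; a non-zero exit and a printed reason mean the restart would either refuse the file or silently fall back to an insecure setting.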
If all goes well, you should have a new member of the Central Authentication pool. Congratulations!
It's not a bad idea to add the following lines to your sudoers configuration:
%admins ALL=(ALL:ALL) ALL
%maintainers ALL=(ALL:ALL) ALL
Formerly, we also recommended
%services ALL=(ALL:ALL) NOPASSWD: ALL
but only if your service needs automated root logins (backup styles and centralized configuration management come to mind). If you don't need it, it's not worth the security hole.
Of course, adding any of these lines is up to you. Evaluate the security needs of your service as you do so—but consider also its survivability, and who you'd like to inherit its usage eventually.