Enrolling in Central Authentication using SSSD

From CSLabsWiki
Revision as of 23:58, 19 September 2019 by Northug (talk | contribs)

This article should help you get SSSD for our Central Authentication running on a Debian-based machine. The configuration here supplants the deprecated How to add Kerberos to a Debian Machine.

Get the Certificate

Main article: OpenSSL CA

Talos uses our OpenSSL CA for its SSL services, including its HTTPS server and LDAPS. You'll need this to connect to LDAP with STARTTLS correctly.

In short: As root, make the directory /usr/share/ca-certificates/cosi/, cd to it, and run:

wget --no-check-certificate https://talos.cslabs.clarkson.edu/cosi_ca.crt

Add that path (the one under /usr/share/ca-certificates/) to /etc/ca-certificates.conf—appending it to the bottom will be fine:


After that's done, run update-ca-certificates (again as root). Ensure that it says a certificate was added.

At this point, you should be able to wget -O - https://talos.cslabs.clarkson.edu/ without it complaining about certificates.

Install SSSD

As root:

apt install sssd

The default configuration installs SSSD as an NSS and PAM provider, which suffices. It also starts, but does not create the configuration file, as documented below.

Configure SSSD

The following configuration is known to work:

config_file_version = 2
domains = cslabs.clarkson.edu
services = nss, pam

id_provider = ldap
ldap_uri = ldap://talos.cslabs.clarkson.edu
ldap_id_use_start_tls = true
ldap_search_base = dc=cslabs,dc=clarkson,dc=edu
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt

auth_provider = krb5
chpass_provider = krb5
krb5_server = talos.cslabs.clarkson.edu
krb5_kpasswd = talos.cslabs.clarkson.edu
cache_credentials = true
enumerate = true

For your convenience, you should be able to get this from https://talos.cslabs.clarkson.edu/sssd.conf:

cd /etc/sssd
wget https://talos.cslabs.clarkson.edu/sssd.conf
chmod go-r sssd.conf

Note the last chmod—SSSD needs /etc/sssd/sssd.conf to be -rw------- and owned by root:root, or it will not load the configuration.

If the last wget fails on the certificate, check above to make sure you installed the OpenSSL CA certificate correctly.

Activate the Configuration

As root:

systemctl restart sssd

Test the Configuration

getent passwd

Be sure that you see the LDAP users in there.

Choose a username—yours will work, for example, but I'll use username illustratively—and do

su username

Since you're still root (right?), this will probably automatically succeed. From your new user shell, do again:

su username

Enter your password, and be sure you can log in.

If all goes well, you should have a new member of the Central Authentication pool. Congratulations!

Finishing Touches

It's not a bad idea to add the following lines to /etc/sudoers:

%admins        ALL=(ALL:ALL) ALL
%maintainers   ALL=(ALL:ALL) ALL

Formerly, we also recommended %services ALL=(ALL:ALL) NOPASSWD: ALL, but only if your service needs automated root logins (backup styles and centralized configuration management come to mind). If you don't need it, it's not worth the security hole.

Of course, adding any of these lines is up to you. Evaluate the security needs of your service as you do so—but consider also its survivability, and who you'd like to inherit its usage eventually.