example_config: Add SSSD

* example_config: moving nslcd old guide to NSLCD.md * example_config: creating README for SSSD * example_config: creating sssd.conf * example_config: removing explicit links and adding a reference to the old NSLCD guide * example_config: fixing images in pam README * example_config: add how to enable automatic home directory creation * example_config: fixing typo in command to edit ssh config * example_config: using commments instead of line numbers for the example sssd.conf file --------- Co-authored-by: nitnelave <valentin@tolmer.fr>
2026-03-31 15:07:48 +01:00 · 2025-04-09 02:15:03 +01:00
parent 74dbba0bdc
commit 1f89059c84
3 changed files with 268 additions and 57 deletions
@@ -0,0 +1,90 @@
 # Configure lldap
 You MUST use LDAPS. You MUST NOT use plain ldap. Even over a private network
 this costs you nearly nothing, and passwords will be sent in PLAIN TEXT without
 it.
 ```toml
 [ldaps_options]
 enabled=true
 port=6360
 cert_file="cert.pem"
 key_file="key.pem"
 ```
 You can generate an SSL certificate for it with the following command. The
 `subjectAltName` is REQUIRED. Make sure all domains are listed there, even your
 `CN`.
 ```sh
 openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 36500 -nodes -subj "/CN=lldap.example.net" -addext "subjectAltName = DNS:lldap.example.net"
 ```
 # Install the client packages.
 This guide used `libnss-ldapd` (which is different from `libnss-ldap`).
 PURGE the following ubuntu packages: `libnss-ldap`, `libpam-ldap`
 Install the following ubuntu packages: `libnss-ldapd`, `nslcd`, `nscd`, `libpam-ldapd`
 # Configure the client's `nslcd` settings.
 Edit `/etc/nslcd.conf`. Use the [provided template](./nslcd.conf).
 You will need to set `tls_cacertfile` to a copy of the public portion of your
 LDAPS certificate, which must be available on the client. This is used to
 verify the LDAPS server identity.
 You will need to add the `binddn` and `bindpw` settings.
 The provided implementation uses custom attributes to mark users and groups
 that should be included in the system (for instance, you don't want LDAP
 accounts of other services to have a matching unix user).
 For users, you need to add an (integer) `unix-uid` attribute to the schema, and
 manually set the value for the users you want to enable to login with PAM.
 For groups, you need an (integer) `unix-gid` attribute, similarly set manually
 to some value.
 If you want to change this representation, update the `filter passwd` and
 `filter group` accordingly.
 You should check whether you need to edit the `pam_authz_search` setting. This
 is used after authentication, at the PAM `account` stage, to determine whether
 the user should be allowed to log in. If someone is an LDAP user, even if they
 use an SSH key to log in, they must still pass this check. The provided example
 will check for membership of a group named `YOUR_LOGIN_GROUP_FOR_THIS_MACHINE`.
 You should review the `map` settings. These contain custom attributes that you
 will need to add to lldap and set on your users.
 # Configure the client OS.
 Ensure the `nslcd` and `nscd` services are installed and running. `nslcd`
 provides LDAP NSS service. `nscd` provides caching for NSS databased. You want
 the caching.
 ```
 systemctl enable --now nslcd nscd
 ```
 Configure PAM to create the home directory for LDAP users automatically at
 first login.
 ```
 pam-auth-update --enable mkhomedir
 ```
 Edit /etc/nsswitch.conf and add "ldap" to the END of the "passwd" and "group"
 lines.
 You're done!
 ## Clearing nscd caches.
 If you want to manually clear nscd's caches, run `nscd -i passwd; nscd -i group`.
 [scripting]: https://github.com/lldap/lldap/blob/main/docs/scripting.md
@@ -1,10 +1,12 @@
-# Configure lldap
+# Getting Started with UNIX PAM using SSSD
-You MUST use LDAPS. You MUST NOT use plain ldap. Even over a private network
+## Configuring LLDAP
 this costs you nearly nothing, and passwords will be sent in PLAIN TEXT without
 it.
-```toml
+### Configure LDAPS
 You **must** use LDAPS. You MUST NOT use plain LDAP. Even over a private network this costs you nearly nothing, and passwords will be sent in PLAIN TEXT without it.
 ```jsx
 [ldaps_options]
 enabled=true
 port=6360
@@ -12,79 +14,144 @@ cert_file="cert.pem"
 key_file="key.pem"
 ```
-You can generate an SSL certificate for it with the following command. The
+You can generate an SSL certificate for it with the following command. The `subjectAltName` is REQUIRED. Make sure all domains are listed there, even your `CN`.
 `subjectAltName` is REQUIRED. Make sure all domains are listed there, even your
 `CN`.
-```sh
+```bash
 openssl req -x509 -nodes -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 36500 -nodes -subj "/CN=lldap.example.net" -addext "subjectAltName = DNS:lldap.example.net"
 ```
-# Install the client packages.
+### Setting up the custom attributes
-This guide used `libnss-ldapd` (which is different from `libnss-ldap`).
+You will need to add the following custom attributes to the **user schema**.
-PURGE the following ubuntu packages: `libnss-ldap`, `libpam-ldap`
+- uidNumber (integer)
 - gidNumber (integer, multiple values)
 - homeDirectory (string)
 - unixShell (string)
 - sshPublicKey (string) (only if you’re setting up SSH Public Key Sync)
-Install the following ubuntu packages: `libnss-ldapd`, `nslcd`, `nscd`, `libpam-ldapd`
+You will need to add the following custom attributes to the **group schema.**
-# Configure the client's `nslcd` settings.
+- gidNumber (integer)
-Edit `/etc/nslcd.conf`. Use the [provided template](./nslcd.conf).
+You will now need to populate these values for all the users you wish to be able to login.
-You will need to set `tls_cacertfile` to a copy of the public portion of your
+## Client setup
 LDAPS certificate, which must be available on the client. This is used to
 verify the LDAPS server identity.
-You will need to add the `binddn` and `bindpw` settings.
+### Install the client packages
-The provided implementation uses custom attributes to mark users and groups
+You need to install the packages `sssd` `sssd-tools` `libnss-sss` `libpam-sss` `libsss-sudo` .
 that should be included in the system (for instance, you don't want LDAP
 accounts of other services to have a matching unix user).
-For users, you need to add an (integer) `unix-uid` attribute to the schema, and
+E.g. on Debian/Ubuntu
 manually set the value for the users you want to enable to login with PAM.
-For groups, you need an (integer) `unix-gid` attribute, similarly set manually
+```bash
-to some value.
+sudo apt update; sudo apt install -y sssd sssd-tools libnss-sss libpam-sss libsss-sudo
 If you want to change this representation, update the `filter passwd` and
 `filter group` accordingly.
 You should check whether you need to edit the `pam_authz_search` setting. This
 is used after authentication, at the PAM `account` stage, to determine whether
 the user should be allowed to log in. If someone is an LDAP user, even if they
 use an SSH key to log in, they must still pass this check. The provided example
 will check for membership of a group named `YOUR_LOGIN_GROUP_FOR_THIS_MACHINE`.
 You should review the `map` settings. These contain custom attributes that you
 will need to add to lldap and set on your users.
 # Configure the client OS.
 Ensure the `nslcd` and `nscd` services are installed and running. `nslcd`
 provides LDAP NSS service. `nscd` provides caching for NSS databased. You want
 the caching.
 ```
 systemctl enable --now nslcd nscd
 ```
-Configure PAM to create the home directory for LDAP users automatically at
+### Configure the client packages
 first login.
-```
+Use your favourite text editor to create/open the file `/etc/sssd/sssd.conf` .
-pam-auth-update --enable mkhomedir
+
 E.g. Using nano
 ```bash
 sudo nano /etc/sssd/sssd.conf
 ```
-Edit /etc/nsswitch.conf and add "ldap" to the END of the "passwd" and "group"
+Insert the contents of the provided template (sssd.conf), but you will need to change some of the configuration in the file. Comments have been made to guide you. The config file is an example if your LLDAP server is hosted at `lldap.example.com` and your domain is `example.com` with your dc being `dc=example,dc=com`.
 lines.
-You're done!
+SSSD will **refuse** to run if it’s config file is world-readable, so apply the following permissions to it:
-## Clearing nscd caches.
+```bash
 sudo chmod 600 /etc/sssd/sssd.conf
 ```
-If you want to manually clear nscd's caches, run `nscd -i passwd; nscd -i group`.
+Restart SSSD to apply any changes:
-[scripting]: https://github.com/lldap/lldap/blob/main/docs/scripting.md
+```bash
 sudo systemctl restart sssd
 ```
 Enable automatic creation of home directories
 ```bash
 sudo pam-auth-update --enable mkhomedir
 ```
 ## Permissions and SSH Key sync
 ### SSH Key Sync
 In order to do this, you need to setup the custom attribute `sshPublicKey` in the user schema. Then, you must uncomment the following line in the SSSD config file (assuming you are using the provided template):
 ```bash
 sudo nano /etc/sssd/sssd.conf
 ```
 ```jsx
 ldap_user_ssh_public_key = sshPublicKey
 ```
 And the following to the bottom of your OpenSSH config file:
 ```bash
 sudo nano /etc/ssh/sshd_config
 ```
 ```bash
 AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
 AuthorizedKeysCommandUser nobody
 ```
 Now restart both SSH and SSSD:
 ```bash
 sudo systemctl restart ssh
 sudo systemctl restart sssd
 ```
 ### Permissions Sync
 Linux often manages permissions to tools such as Sudo and Docker based on group membership. There are two possible ways to achieve this. 
 **Number 1**
 **If all your client systems are setup identically,** you can just check the group id of the local group, i.e. Sudo being 27 on most Debian and Ubuntu installs, and set that as the gid in LLDAP. For tools such as docker, you can create a group before install with a custom gid on the system, which must be the same on all, and use that GID on the LLDAP group
 Sudo
 ![image](https://github.com/user-attachments/assets/731847e6-c857-4250-a007-a3790a6a1b6d)
 Docker
 ```jsx
 sudo groupadd docker -g 722
 ```
 ![image](https://github.com/user-attachments/assets/face88d0-5a20-4442-a5e3-9f6a1ae41b68)
 **Number 2**
 Create a group in LLDAP that you would like all your users who have sudo access to be in, and add the following to the bottom of `/etc/sudoers` . 
 E.g. if your group is named `lldap_sudo`
 ```bash
 %lldap_sudo ALL=(ALL:ALL) ALL
 ```
 ## Debugging
 To verify your config file’s validity, you can run the following command
 ```jsx
 sudo sssctl config-check
 ```
 To flush SSSD’s cache
 ```jsx
 sudo sss_cache -E
 ```
 ## Final Notes
 To see the old guide for NSLCD, go to NSLCD.md.
@@ -0,0 +1,54 @@
 [sssd]
 config_file_version = 2
 # Change the domain below. It must match with the one in the [domain/] part
 domains = example.com
 [nss]
 [pam]
 # Put the same domain here
 [domain/example.com]
 id_provider = ldap
 auth_provider = ldap
 chpass_provider = ldap
 ldap_schema = rfc2307
 # Place your LDAP server url here
 ldap_uri = ldaps://lldap.example.com:6360/
 # Put your LDAP dc here
 ldap_search_base = dc=example,dc=com
 # Bind credentials
 # Bind user username (Should be in group lldap_strict_readonly)
 ldap_default_bind_dn = uid=binduser,ou=people,dc=example,dc=com
 # Bind user password
 ldap_default_authtok = bindpassword
 # TLS settings
 ldap_tls_reqcert = demand
 # Put the certificate you generate for LDAPS here
 ldap_tls_cacert = YOUR-LDAP-CERT
 # User mappings
 # Put your LDAP dc here
 ldap_user_search_base = ou=people,dc=example,dc=com
 ldap_user_object_class = posixAccount
 ldap_user_name = uid
 ldap_user_gecos = uid
 ldap_user_uid_number = uidNumber
 ldap_user_gid_number = gidNumber
 ldap_user_home_directory = homeDirectory
 ldap_user_shell = unixShell
 # Uncomment for SSH Key Sync setup
 #ldap_user_ssh_public_key = sshPublicKey
 # Group mappings
 # Put your LDAP dc here
 ldap_group_search_base = ou=groups,dc=example,dc=com
 ldap_group_object_class = groupOfUniqueNames
 ldap_group_name = cn
 ldap_group_member = uniqueMember
 access_provider = permit
 cache_credentials = true