While I prefer nss-pam-ldapd for authentication and password resolution on Linux systems, sssd has a few advantages. I consider the biggest advantage of SSSD to be its ability to cache credentials.

I am going to assume you have a directory server up and running. If not, you can always follow my guides on installing OpenLDAP and configuring it for Linux authentication. If you follow my guides, do not skip TLS configuration.

Install the SSSD packages:

# yum install sssd

Configure SSSD

Create a Configuration File

Create the file /etc/sssd/sssd.conf with the following contents, replacing the highlighted portions with what is relevant to your system. The comments in the example explain what the various options do.

# A separate process is started for each service listed here.
# The verbosity of the main log file. Level 9 is the most detailed level available.
# A list of domains to check when a client makes a request.

# The verbosity of output and logging related to PAM requests.
# As with the main section, 9 is maximum verbosity.

# This enables or disables credential caching. If enabled, after successfully
# authenticating a user, the credentials will be stored locally. If the
# domain is unavailable, users will still be able to log in using the
# cached credentials.
# By default, the credential cache never expires. If you want to
# remove cached credentials, this option will cause them to expire.
# The verbosity of this domain's log file.
# SSSD can resolve user information from a number of different sources
# such as LDAP, local files, and Active Directory. This option selects
# the domain's source of identity information.
# As with identity providers, SSSD can authenticate in a variety of ways.
# By default, SSSD will use the value of id_provider.
# The access provider controls the source for determining who is allowed
# access. Even if a user successfully authenticates, if they
# don't meet the criteria set by the access provider, they will be
# denied access.
# These define the criteria the access provider uses to control who
# is allowed access. Anyone matching the
# LDAP filter in this example will be allowed access. In other words, any entry
# that has an objectClass of posixAccount will be allowed access.
ldap_access_filter = (objectClass=posixAccount)
# The URI(s) of the directory server(s) used by this domain.
# The LDAP search base you want SSSD to use when looking up entries.
# There are options for separate search bases for the various types of objects.
ldap_search_base = dc=tylersguides,dc=com
# The DN used to search your directory with.
ldap_default_bind_dn = cn=osproxy,ou=system,dc=tylersguides,dc=com
# The file containing CA certificates you want sssd to trust.
# This defines how sssd will handle server certificates. The setting used here means
# that we are requiring the host portion of the URI to match the
# certificate's subject or a SAN, that the current time is within the valid
# times on the certificate, and that its signing chain ends with a CA
# in the file defined by ldap_tls_cacert.

Enable and Start SSSD

The configuration file holds the bind DN's password, so lock it down. Set the ownership and permissions on the configuration file:

# chown root:root /etc/sssd/sssd.conf
# chmod 600 /etc/sssd/sssd.conf

The following command will enable SSSD to start at boot time:

# systemctl enable sssd

Now start SSSD:

# systemctl start sssd

Configure NSS and PAM

Run the following command as root to configure PAM and NSS.
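As an added example that is not part of the original guide: a small POSIX shell script that renders a complete sssd.conf for the domain above, locks it down the way the guide does (root:root, mode 600) and lints it before sssd is enabled. The bind DN, search base and access filter are the ones from the guide; the domain name, the ldaps:// URI, the CA file path, the bind-password argument and the function names are my assumptions for illustration, not values from the page.

```shell
#!/bin/sh
# Added example, not from the original guide. Renders, installs and lints an
# sssd.conf for an LDAP domain. Assumed values below; replace with your own.
SSSD_DOMAIN="tylersguides.com"                 # assumption: domain section name
LDAP_URI="ldaps://ldap.tylersguides.com"       # assumption: TLS on port 636
LDAP_CACERT="/etc/openldap/certs/ca.crt"       # assumption: CA bundle location

# render_sssd_conf PASSWORD
# Prints the configuration. $1 is the password for the osproxy bind DN; sssd
# needs it in the clear (ldap_default_authtok), which is why the file must be
# root-owned and mode 600.
render_sssd_conf() {
cat <<EOF
[sssd]
services = nss, pam
domains = ${SSSD_DOMAIN}
debug_level = 3

[nss]

[pam]
debug_level = 3
# Cached logins stop working 7 days after the last successful online login.
offline_credentials_expiration = 7

[domain/${SSSD_DOMAIN}]
debug_level = 3
cache_credentials = true
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_access_filter = (objectClass=posixAccount)
ldap_uri = ${LDAP_URI}
ldap_search_base = dc=tylersguides,dc=com
ldap_default_bind_dn = cn=osproxy,ou=system,dc=tylersguides,dc=com
ldap_default_authtok = $1
ldap_tls_cacert = ${LDAP_CACERT}
ldap_tls_reqcert = demand
EOF
}

# lint_sssd_conf FILE
# Returns 0 when the file is mode 0600, server certificates are verified
# (ldap_tls_reqcert = demand) and a plain ldap:// URI is not used without
# STARTTLS; otherwise prints the problem and returns 1.
lint_sssd_conf() {
  f="$1"
  mode=$(stat -c '%a' "$f") || return 1
  [ "$mode" = "600" ] || { echo "$f: mode $mode, want 600" >&2; return 1; }
  grep -Eq '^ldap_tls_reqcert *= *demand$' "$f" \
    || { echo "$f: ldap_tls_reqcert must be demand" >&2; return 1; }
  if grep -Eq '^ldap_uri *= *ldap://' "$f" \
     && ! grep -Eq '^ldap_id_use_start_tls *= *true$' "$f"; then
    echo "$f: ldap:// without ldap_id_use_start_tls sends the bind password in the clear" >&2
    return 1
  fi
  return 0
}

# install_sssd_conf DEST PASSWORD
# Writes the file with a restrictive umask so it is never world-readable, even
# briefly, then applies the guide's chown/chmod and runs the lint.
install_sssd_conf() {
  umask 077
  render_sssd_conf "$2" > "$1"
  chown root:root "$1" 2>/dev/null || true   # no-op when not running as root
  chmod 600 "$1"
  lint_sssd_conf "$1"
}
```

Typical use as root is `install_sssd_conf /etc/sssd/sssd.conf 'osproxy-password' && systemctl enable sssd && systemctl start sssd`, followed by `getent passwd someuser` to confirm lookups work. If the sssd-tools package is installed, `sssctl config-check` is sssd's own validator and is worth running as well. On CentOS/RHEL 7 the NSS/PAM step the guide refers to is normally done with `authconfig --enablesssd --enablesssdauth --update` (stated here as an assumption, since the page does not show the command).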