
How to Configure SSSD for LDAP Authentication on Ubuntu 22.04: A Comprehensive Guide
Centralizing user authentication is a cornerstone of efficient and secure system administration. By connecting your Ubuntu 22.04 servers to an LDAP directory, you can streamline user management, enforce consistent access policies, and simplify onboarding and offboarding processes. The System Security Services Daemon (SSSD) is the modern, robust tool for bridging this gap, providing a reliable and cache-enabled link between your Linux systems and a central LDAP server.
This guide will walk you through the complete process of setting up SSSD for LDAP authentication on Ubuntu 22.04. We’ll cover everything from installation to verification, ensuring you have a production-ready configuration.
Prerequisites
Before you begin, ensure you have the following information and access:
- An Ubuntu 22.04 server with sudo or root privileges.
- A functioning LDAP server.
- The LDAP server URI (e.g., ldap://ldap.yourdomain.com).
- The Base Distinguished Name (DN) for your directory (e.g., dc=yourdomain,dc=com).
Step 1: Install SSSD and Supporting Packages
First, update your package index and install the necessary software. SSSD and its related tools are available directly from Ubuntu’s official repositories.
Open your terminal and run the following command:
sudo apt update
sudo apt install sssd sssd-tools ldap-utils
- sssd: The core daemon that manages authentication and identity.
- sssd-tools: Provides command-line utilities like sssctl for managing and troubleshooting SSSD.
- ldap-utils: Includes helpful tools like ldapsearch for testing connectivity and querying your LDAP server directly.
Step 2: Create and Configure the SSSD Configuration File
The heart of your setup is the SSSD configuration file, located at /etc/sssd/sssd.conf. This file does not exist by default, so you will need to create it.
Create the file using your preferred text editor, such as nano or vim:
sudo nano /etc/sssd/sssd.conf
Paste the following template into the file. You must replace the placeholder values (like yourdomain.com and the server URI) with your specific LDAP environment details.
[sssd]
services = nss, pam
config_file_version = 2
domains = yourdomain.com
[nss]
filter_groups = root
filter_users = root
[pam]
[domain/yourdomain.com]
# General Settings
id_provider = ldap
auth_provider = ldap
cache_credentials = True
default_shell = /bin/bash
fallback_homedir = /home/%u
# LDAP Server Connection
ldap_uri = ldaps://ldap.yourdomain.com
ldap_search_base = dc=yourdomain,dc=com
# Identity and Schema Settings
# StartTLS only applies to ldap:// URIs; with the ldaps:// URI above the
# connection is already encrypted and this option has no effect.
ldap_id_use_start_tls = True
# 'allow' accepts any server certificate (testing only); use 'demand' in production.
ldap_tls_reqcert = allow
ldap_schema = rfc2307
ldap_user_object_class = inetOrgPerson
ldap_user_fullname = cn
ldap_user_gecos = cn
# Authentication Settings
ldap_access_order = expire
# The 'ad' expiration policy reads Active Directory account attributes;
# review it if your directory only uses the rfc2307 schema set above.
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = false
Key Configuration Options Explained:
- domains: Specifies the authentication domain. This should match the section header (e.g., [domain/yourdomain.com]).
- id_provider = ldap: Tells SSSD to use LDAP for retrieving user and group information (UIDs, GIDs, home directories).
- auth_provider = ldap: Configures SSSD to use LDAP for verifying passwords.
- cache_credentials = True: This is a crucial feature. It allows users to log in even if the LDAP server is temporarily unreachable by caching their credentials.
- ldap_uri: The address of your LDAP server. Using ldaps:// is highly recommended for encrypted communication. If you must use unencrypted LDAP, use ldap:// and set ldap_id_use_start_tls = False.
- ldap_search_base: The starting point in the LDAP directory tree where SSSD will search for users and groups.
- ldap_tls_reqcert = allow: This setting determines how SSSD handles the LDAP server’s TLS certificate. allow is suitable for testing or with self-signed certificates. For production, demand is the most secure option, requiring a valid, trusted certificate.
Step 3: Secure the Configuration File
The sssd.conf file may contain sensitive information, such as a bind password if you choose to use one. It is critical to set strict file permissions so that only the root user can read or write to it.
sudo chmod 600 /etc/sssd/sssd.conf
This command sets the permissions to read/write for the owner (root) and removes all permissions for groups and others.
Step 4: Integrate SSSD with the System (PAM and NSS)
Now you need to tell the operating system to use SSSD for authentication and identity lookups. This is done by modifying the Pluggable Authentication Modules (PAM) and Name Service Switch (NSS) configurations.
The easiest and safest way to do this on Ubuntu is with the pam-auth-update utility.
sudo pam-auth-update
An interactive screen will appear. Ensure that you enable “SSSD Authentication” by navigating to it with the arrow keys and pressing the spacebar to select it ([*]). Leave other profiles as they are unless you have specific needs. Tab to <Ok> and press Enter.
This command automatically reconfigures the necessary PAM files to use SSSD.
Step 5: Start and Enable the SSSD Service
With the configuration in place, you can now start the SSSD daemon and enable it to launch automatically on system boot.
sudo systemctl restart sssd
sudo systemctl enable sssd
Restarting the service applies your new configuration. Enabling it ensures your LDAP integration persists across reboots.
Step 6: Verify the LDAP Integration
The final step is to test that everything is working correctly. You can do this by querying for an LDAP user from your Ubuntu client.
Use the id command to check if the system can retrieve user information for a known LDAP user:
id ldapuser
If successful, you will see output showing the user’s UID, GID, and group memberships, for example:
uid=1001(ldapuser) gid=1001(ldapusers) groups=1001(ldapusers)
You can also use getent to verify the user entry in the password database:
getent passwd ldapuser
This should return the user’s entry in the standard /etc/passwd format, confirming that NSS is working through SSSD.
Finally, the ultimate test is to log in as the LDAP user, either through SSH from another machine or at the local console.
ssh ldapuser@your_ubuntu_server_ip
If you can log in successfully, your Ubuntu 22.04 system is now fully integrated with your LDAP directory using SSSD. You have successfully centralized your user authentication, creating a more manageable and secure environment.
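As an added check that is not part of the original guide, the following POSIX shell script audits an sssd.conf for the weaknesses discussed in Steps 2 and 3: a clear-text ldap:// URI without StartTLS, a certificate policy weaker than demand, and a file mode other than 600. It assumes GNU stat (Linux) for the mode check; the function and file names are mine.

```shell
#!/bin/sh
# Added example, not from the original guide: audit an sssd.conf for the
# transport and permission settings discussed above. Assumes GNU stat (Linux).

# conf_value FILE KEY: print the last value assigned to KEY, whitespace stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# audit_sssd_conf FILE: print one finding per line; exit status is the finding count.
audit_sssd_conf() {
    conf="$1"
    n=0
    uri=$(conf_value "$conf" ldap_uri)
    starttls=$(conf_value "$conf" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
    reqcert=$(conf_value "$conf" ldap_tls_reqcert | tr 'A-Z' 'a-z')
    # Transport: ldaps:// is encrypted from the first byte (StartTLS is then ignored);
    # ldap:// stays clear text unless SSSD is told to upgrade with StartTLS.
    case "$uri" in
        ldaps://*) ;;
        ldap://*)
            if [ "$starttls" != "true" ]; then
                echo "ldap_uri is ldap:// without StartTLS: binds and passwords cross the wire in clear text"
                n=$((n + 1))
            fi ;;
        *)
            echo "ldap_uri missing or unrecognised: '$uri'"
            n=$((n + 1)) ;;
    esac
    # Certificate validation: anything short of demand/hard accepts an untrusted
    # certificate, so TLS alone does not authenticate the LDAP server.
    if [ "$reqcert" != "demand" ] && [ "$reqcert" != "hard" ]; then
        echo "ldap_tls_reqcert is '${reqcert:-unset}': server certificate is not verified"
        n=$((n + 1))
    fi
    # Permissions: the file may hold a bind password, so only root should read it.
    if [ -f "$conf" ]; then
        mode=$(stat -c %a "$conf")
        if [ "$mode" != "600" ]; then
            echo "$conf has mode $mode, expected 600"
            n=$((n + 1))
        fi
    fi
    return $n
}

# Usage: audit_sssd_conf /etc/sssd/sssd.conf
```

Run against the template from Step 2, it reports only the ldap_tls_reqcert = allow line; switching that to demand gives a clean result.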
Source: https://kifarunix.com/configure-sssd-for-ldap-authentication-on-ubuntu-22-04/