Setting up SSSD for OpenLDAP Authentication on CentOS 8

A Step-by-Step Guide to SSSD and OpenLDAP Authentication on CentOS 8

Managing user accounts across multiple servers can quickly become a complex and error-prone task. A centralized authentication system is the solution, providing a single source of truth for user credentials and permissions. For Linux environments, combining OpenLDAP with the System Security Services Daemon (SSSD) on a platform like CentOS 8 creates a robust, secure, and efficient authentication framework.

SSSD is a modern daemon that offers significant advantages over older methods. It provides a stable and feature-rich interface for connecting a system to remote identity and authentication providers. Key benefits include offline authentication caching, reduced load on your LDAP server, and a more streamlined configuration process.

This guide will walk you through the essential steps to configure a CentOS 8 client to authenticate against an OpenLDAP server using SSSD.

Prerequisites

Before you begin, ensure you have the following:

  • A fully operational CentOS 8 server.
  • Root or sudo-level privileges on the server.
  • A running OpenLDAP server with users and groups already configured.
  • The connection details for your OpenLDAP server, including the server URI and the search base Distinguished Name (DN).

Step 1: Install Necessary SSSD and LDAP Packages

The first step is to install the required software packages. The SSSD suite, along with OpenLDAP client utilities, contains everything needed to connect to your directory server.

Open your terminal and execute the following command:

sudo dnf install sssd sssd-tools openldap-clients -y

This command installs:

  • sssd: The core SSSD daemon and its common modules.
  • sssd-tools: A collection of helpful command-line tools for managing and troubleshooting SSSD.
  • openldap-clients: Utilities for querying the OpenLDAP server, which are invaluable for testing.

Step 2: Configure the SSSD Client

With the packages installed, the next critical step is creating the SSSD configuration file. This file, located at /etc/sssd/sssd.conf, tells the SSSD daemon how to connect and interact with your OpenLDAP server.

Create and open the file with your preferred text editor:

sudo vi /etc/sssd/sssd.conf

Paste the following configuration template into the file, and then customize the values to match your specific environment.

[sssd]
services = nss, pam
config_file_version = 2
domains = default

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/default]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap

# LDAP Server Connection Details
ldap_uri = ldap://ldap.yourdomain.com
ldap_search_base = dc=yourdomain,dc=com

# Encrypt the connection (recommended): either use ldaps:// in ldap_uri, or keep ldap://
# and uncomment these lines to upgrade it with STARTTLS. demand (the default) rejects a
# server whose certificate does not verify against ldap_tls_cacert; allow or never would
# silently accept it and expose passwords to an impostor.
# ldap_id_use_start_tls = true
# ldap_tls_reqcert = demand
# ldap_tls_cacert = /etc/openldap/certs/ca.pem

# Home directory and shell reported for LDAP users (the directory itself is created on
# first login by the with-mkhomedir feature enabled in Step 3; SSSD has no create_homedir option)
fallback_homedir = /home/%u
default_shell = /bin/bash

# Cache password hashes so users who have logged in before can still authenticate
# while the LDAP server is unreachable
cache_credentials = True

Key Configuration Parameters Explained:

  • [sssd] section: Defines the core services SSSD will provide (nss for name lookups and pam for authentication) and lists the authentication domains.
  • domains = default: Establishes a domain named “default” which is defined in the [domain/default] section.
  • [domain/default] section: This is where you configure the connection to your identity provider.
    • id_provider = ldap: Specifies that user identity information (like usernames, UIDs, and group memberships) comes from an LDAP server.
    • auth_provider = ldap: Specifies that user password verification will be handled by the same LDAP server.
    • ldap_uri: This is the address of your OpenLDAP server. Replace ldap://ldap.yourdomain.com with your server’s URI. For secure connections, use ldaps:// and configure the TLS settings.
    • ldap_search_base: This is the base DN of your LDAP directory. It tells SSSD where to start searching for users and groups. Replace dc=yourdomain,dc=com accordingly.
    • fallback_homedir = /home/%u: The home directory SSSD reports for LDAP users whose entry has no homeDirectory attribute (%u expands to the username). The directory itself is created on the user’s first successful login by the with-mkhomedir feature enabled in Step 3.

Security Tip: The sssd.conf file can contain sensitive information, such as an LDAP bind password. Once you have saved your configuration, set the correct permissions to prevent unauthorized access; SSSD will refuse to start if the file is readable by other users.

sudo chmod 600 /etc/sssd/sssd.conf

Step 3: Enable SSSD for System-Wide Authentication

After configuring SSSD, you need to tell the system to use it for authentication. On CentOS 8, the authselect command is the modern and preferred way to manage the system’s authentication profile.

Run the following command to select the SSSD profile and enable the automatic creation of home directories:

sudo authselect select sssd with-mkhomedir

This command modifies the necessary PAM (/etc/pam.d/) and NSS (/etc/nsswitch.conf) files, integrating SSSD into the system’s login and user lookup processes. The with-mkhomedir feature creates home directories through the oddjobd service, so make sure the oddjob-mkhomedir package is installed and oddjobd is enabled (authselect prints a reminder when it is not).


Step 4: Start and Enable the SSSD Service

Now it’s time to bring the SSSD daemon online. You need to both start the service for the current session and enable it to launch automatically on system boot.

sudo systemctl start sssd
sudo systemctl enable sssd

To check the status of the service and ensure it started without errors, you can run:

sudo systemctl status sssd

Step 5: Verify the LDAP Integration

The final step is to verify that your system can successfully see and retrieve user information from the OpenLDAP server.

Use the id command to check for a user that exists in your LDAP directory but not locally on the machine.

id ldapuser

If the configuration is correct, you will see the user’s UID, GID, and group memberships returned from the LDAP server. A “no such user” message indicates a problem with your sssd.conf file or a connectivity issue.

You can also use the getent command for a more thorough check:

getent passwd ldapuser

This should return the user’s entry in a format similar to the local /etc/passwd file.

Common Troubleshooting Steps

If you encounter issues, here are a few things to check:

  1. Check SSSD Logs: The logs are your best friend. The main log file is /var/log/sssd/sssd.log, with specific logs for each domain (e.g., /var/log/sssd/sssd_default.log).
  2. Firewall Rules: Ensure that the firewall on your CentOS 8 client and the LDAP server allows traffic on the necessary ports (typically port 389 for LDAP and port 636 for LDAPS).
  3. SELinux: SELinux can sometimes block SSSD’s operations. Check the audit log with ausearch -m avc -ts recent to see if there are any denials related to sssd. If needed, you might have to adjust SELinux booleans.
  4. Configuration Syntax: A small typo in /etc/sssd/sssd.conf can prevent the service from starting. Double-check your ldap_uri and ldap_search_base values, and run sssctl config-check (from the sssd-tools package installed in Step 1) to flag unknown options, bad values and wrong file permissions before restarting the service.
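The settings from the Step 2 template and troubleshooting item 4 can be checked mechanically. The following POSIX shell script is an added example, not code from the original article or from the SSSD project: it audits an sssd.conf for the points covered above (file mode, plaintext ldap:// without STARTTLS, ldap_tls_reqcert weaker than demand, missing ldap_search_base, cache_credentials) against a constructed sample that mirrors the guide's template; the hostname and base DN are placeholders.

```shell
# Constructed sssd.conf mirroring the guide's template with its weak settings left in
# (plaintext ldap://, ldap_tls_reqcert = allow, readable file). Placeholder host and base DN.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
services = nss, pam
config_file_version = 2
domains = default
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = allow
cache_credentials = True
EOF
chmod 644 "$SAMPLE_CONF"   # simulate the permissions mistake the Security Tip warns about

# conf_value FILE KEY: value of KEY, lower-cased, comment lines ignored, last occurrence wins.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p" "$1" \
        | tail -n 1 | tr 'A-Z' 'a-z'
}

# audit_sssd_conf FILE: one finding per line for the settings discussed in this guide.
audit_sssd_conf() {
    f="$1"
    # SSSD refuses to start unless sssd.conf is mode 0600; it may also hold a bind password.
    [ -n "$(find "$f" -perm 600)" ] || echo "perms: $f is not mode 0600"
    uri=$(conf_value "$f" ldap_uri)
    case "$uri" in
        ldaps://*) ;;   # TLS from the first byte
        *) [ "$(conf_value "$f" ldap_id_use_start_tls)" = "true" ] \
            || echo "transport: $uri without ldap_id_use_start_tls sends passwords in clear" ;;
    esac
    case "$(conf_value "$f" ldap_tls_reqcert)" in
        ""|demand|hard) ;;   # unset (defaults to hard), demand and hard all verify the server cert
        *) echo "tls: ldap_tls_reqcert is not demand/hard, so the server certificate is not verified" ;;
    esac
    [ -n "$(conf_value "$f" ldap_search_base)" ] || echo "config: ldap_search_base is missing"
    [ "$(conf_value "$f" cache_credentials)" = "true" ] \
        || echo "offline: cache_credentials is off, logins fail when the server is unreachable"
}
# audit_finding_count FILE: number of findings as a plain integer (0 means clean).
audit_finding_count() {
    audit_sssd_conf "$1" | wc -l | tr -d ' '
}
audit_sssd_conf "$SAMPLE_CONF"
echo "findings: $(audit_finding_count "$SAMPLE_CONF")"   # 3 for the sample above
```

Point it at the real file with `audit_sssd_conf /etc/sssd/sssd.conf` (as root) before the restart in Step 4.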

By successfully integrating SSSD with OpenLDAP, you have built a powerful, centralized authentication system that enhances security, simplifies user management, and provides a seamless login experience for your users.

Source: https://kifarunix.com/configure-sssd-for-openldap-authentication-on-centos-8/