When a laptop uses an LDAP directory for user authentication, users cannot authenticate while the LDAP server is offline or the laptop is outside the company network.
SSSD can cache user information and credentials, so users can still log in when the central LDAP server is offline or unreachable.
This article describes how to configure SSSD with an LDAP directory.
Install SSSD from the repository:
yum install sssd
In order to configure your system to use sssd for user information, SSSD provides a new NSS module.
To use it, you need to configure NSS to use the sss name database along with the UNIX file database. Edit your /etc/nsswitch.conf:
passwd: files sss
group: files sss
The PAM configuration has to be extended with support for SSSD. On Fedora and Red Hat, extend the file /etc/pam.d/system-auth so that it has the following entries:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session sufficient pam_sss.so
session required pam_unix.so
The system-auth can also be generated by running:
authconfig --enablesssd --enablesssdauth --update --disableldap --disableldapauth
The options --disableldap and --disableldapauth are added to make sure PAM does not authenticate directly against LDAP (through pam_ldap), which would bypass the SSSD cache.
We are now ready to configure SSSD. The SSSD configuration can be found in /etc/sssd/sssd.conf.
The sssd.conf needs at least one configured domain in order to run.
In this example we create an LDAP domain that uses our LDAP server.
[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = LDAP

[domain/LDAP]
debug_level = 5
id_provider = ldap
auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP administrator.
ldap_schema = rfc2307
ldap_uri = ldaps://192.168.0.1
ldap_search_base = dc=example,dc=com
# "never" skips verification of the LDAP server certificate; see the note below.
ldap_tls_reqcert = never
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
cache_credentials = true
SSSD only sends user passwords to the LDAP server over a secure connection, so the LDAP server has to be configured with TLS/SSL support.
When the LDAP server uses a self-signed SSL certificate, the option ldap_tls_reqcert can be set to never so that an invalid certificate does not cause a failure. Be aware that this disables certificate verification entirely, so any host that answers on the LDAP address is trusted with the passwords; the safer alternative is to add the self-signed certificate (or its CA) to the file named by ldap_tls_cacert and leave ldap_tls_reqcert at its default, which requires a valid certificate.
Start SSSD to check the configuration.
When the configuration is correct, you should be able to log in to the machine with an LDAP user. To check that the credentials are cached, disable the network connection; you should still be able to log in to the machine with that user.
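The following script is an added example and not part of the original article: it audits the three files edited above (nsswitch.conf, system-auth and sssd.conf) for the settings that offline login depends on, flags ldap_tls_reqcert = never as a finding, and can optionally confirm that a user resolves through the sss NSS module. It assumes the file paths used in this article, glibc's getent -s option for selecting a single NSS service, and SSSD's per-domain cache path /var/lib/sss/db/cache_<DOMAIN>.ldb.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumptions: default
# paths are the article's; "getent -s sss" is glibc's service selector;
# /var/lib/sss/db/cache_<DOMAIN>.ldb is where SSSD keeps the domain cache.

# 0 if nsswitch.conf lists "sss" for both the passwd and the group database.
check_nsswitch() {
    f=${1:-/etc/nsswitch.conf}
    for db in passwd group; do
        grep -Eq "^[[:space:]]*$db:.*[[:space:]]sss([[:space:]]|$)" "$f" || {
            echo "nsswitch: '$db' does not list sss" >&2
            return 1
        }
    done
    return 0
}

# 0 if pam_sss.so appears for all four management groups, as in the article's
# system-auth; a missing "account" or "session" line is a common cause of
# users who authenticate but still cannot log in.
check_pam() {
    f=${1:-/etc/pam.d/system-auth}
    for type in auth account password session; do
        grep -Eq "^[[:space:]]*$type[[:space:]].*pam_sss\.so" "$f" || {
            echo "pam: no pam_sss.so line for '$type'" >&2
            return 1
        }
    done
    return 0
}

# Print the trimmed value of KEY in FILE (first match). Usage: conf_get FILE KEY
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# 0 if sssd.conf names a domain, caches credentials and reaches LDAP over TLS.
# 1 on a hard error (offline login or TLS would not work at all).
# 2 if the only finding is ldap_tls_reqcert = never: logins work, but the
#   server certificate is never verified, so a host impersonating the LDAP
#   server would receive the passwords SSSD sends.
check_sssd_conf() {
    f=${1:-/etc/sssd/sssd.conf}
    rc=0
    [ -n "$(conf_get "$f" domains)" ] || { echo "sssd.conf: no domains listed" >&2; rc=1; }
    [ "$(conf_get "$f" cache_credentials)" = "true" ] || {
        echo "sssd.conf: cache_credentials is not true, offline login will fail" >&2; rc=1; }
    case "$(conf_get "$f" ldap_uri)" in
        ldaps://*) ;;
        *) [ "$(conf_get "$f" ldap_id_use_start_tls)" = "true" ] || {
               echo "sssd.conf: ldap_uri is not ldaps:// and ldap_id_use_start_tls is off" >&2; rc=1; } ;;
    esac
    if [ "$rc" -eq 0 ] && [ "$(conf_get "$f" ldap_tls_reqcert)" = "never" ]; then
        echo "sssd.conf: ldap_tls_reqcert = never disables server certificate verification" >&2
        rc=2
    fi
    return "$rc"
}

# Run every check against the live system. With a user name, also confirm the
# user resolves through sss specifically (needs a running sssd) and report
# whether the domain's on-disk cache has been created yet.
audit() {
    check_nsswitch && check_pam && check_sssd_conf
    rc=$?
    if [ -n "$1" ]; then
        getent -s sss passwd "$1" >/dev/null || {
            echo "getent: '$1' not resolved by the sss module" >&2; return 1; }
        d=$(conf_get /etc/sssd/sssd.conf domains | cut -d, -f1)
        [ -f "/var/lib/sss/db/cache_$d.ldb" ] || echo "note: cache file for domain '$d' not created yet" >&2
    fi
    return "$rc"
}
```

Source the script and run `audit someuser; echo $?` after the first successful login: exit status 0 means every check passed, 2 means only the certificate-verification finding remains, and 1 points at a setting that will break offline login. A cache file that is still missing after a login is a sign that the user authenticated through a different path (for example pam_ldap) rather than through SSSD.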
More information about configuring SSSD can also be found on: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Introduction.html