Configure SSSD to cache LDAP credentials

When a laptop is using a LDAP directory for user authentication, you can't authenticate when the LDAP server is offline or the laptop is outside of the company network.

SSSD can be used to cache users information and credentials, so you can still login when the central LDAP is offline or can't be reached.

In this article the configuration of SSSD with LDAP directory is described.

Install SSSD from the repository:

yum install sssd

In order to configure your system to use sssd for user information, SSSD provides a new NSS module.
To use it, you need to configure NSS to use the sss name database along with the UNIX file database. Edit your /etc/nsswitch.conf:

passwd:     files sss
group:      files sss

The pam configuration has be extended with support for SSSD. On Fedora and Red Hat extend the file /etc/pam.d/system-auth, so it has the following entries:

auth        required
auth        sufficient nullok try_first_pass
auth        requisite uid >= 500 quiet
auth        sufficient use_first_pass
auth        required

account     required broken_shadow
account     sufficient
account     sufficient uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore]
account     required

password    requisite try_first_pass retry=3
password    sufficient sha512 shadow nullok try_first_pass use_authtok
password    sufficient use_authtok
password    required

session     required umask=0022 skel=/etc/skel/
session     optional revoke
session     required
session     [success=1 default=ignore] service in crond quiet use_uid
session     sufficient
session     required

The system-auth can also be generated by running:

authconfig --enablesssd --enablesssdauth --update --disableldap --disableldapauth

The options --disableldap and --disableldapauth are added, to make sure no direct LDAP authentication is done by PAM.

We are now ready to configure SSSD. The SSSD configuration can be found in /etc/sssd/sssd.conf.

The sssd.conf need to at least one configured domain in order to run.
In this example we will create a LDAP domain, which is using our LDAP server.

config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
domains = LDAP

debug_level = 5


id_provider = ldap
auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP administrator.
ldap_schema = rfc2307
ldap_uri = ldaps://
ldap_search_base = dc=example,dc=com
ldap_tls_reqcert = never
ldap_tls_cacert =  /etc/pki/tls/certs/ca-bundle.crt

# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
cache_credentials = true

To authenticate users it's required to enable use a secure connection to the LDAP server, so the LDAP server needs to be configure with TLS/SSL support.

When the LDAP server is configured with selfsigned SSL certificates, the option ldap_tls_reqcert can be set to never to disable failure on invalid certificate.

Start SSSD to check the configuration.
When the configuration is correct, you should be able to successfully login with a LDAP user on the machine. To check if the credentials are cached, the network connection can be disabled and now you should still be able to login to the machine with the user.

More information about configuring SSSD can also be found on: