SLE 12 and LDAP Authentication

SUSE Linux Enterprise Server SLES Configure-Administer
1

I have been using SLES for a while. Up to version SLES 11 (SP3), to configure LDAP as an authentication source for logins, you would launch the LDAP Client module in YaST, and configure appropriately. this would then make all of the necessary modifications to NSSwitch, etc, and allow local filesystem to also reflect ownership for LDAP users. This would also extend to configuring authentication for SAMBA users via LDAP.

In SLE 12, the LDAP modules have been renamed Authentication Server (LDAP Server) and Authentication Client. However, the Authentication Client does not reflect the options which were previously in the LDAP Client module.

I am unable to configure the system to use LDAP for users & groups. In tinkering around, I have managed to get it to recognize LDAP for users (in the Users & Group Management module), but it still only sees local groups.

I am trying to setup a SAMBA DC, which would handle file storage, and also be an authentication source for other services via LDAP. This used to be very straight-forward and I have multiple working configurations in versions up to 11SP3, but seems to have changed (drastically) in version 12.

I really need to configure the system to recognize LDAP as the authentication source for users and groups, and also to have the SAMBA module enabled by default when creating new users. Can anyone shed some light on how to accomplish this?

2

Yes drastically !

SLES12 now use the SSSD to connect to an external AUTH Service SSSD(System Security Services Daemon) → https://fedorahosted.org/sssd/
OpenLDAP is not recommendet anymore

In SLES11 we also used yast to configure openLDAP. Now we use file bast SSSD config

  1. SSSD.CONF

#>vi /etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = nss, pam
domains = [LDAPSERVER]

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/[LDAPSERVER]]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://[LDAPSERVER]:636
ldap_search_base = ou=XX
ldap_tls_cacert = /etc/ssl/certs/root.pem
ldap_tls_cacertdir = /etc/ssl/certs
#debug_level = 1
case_sensitive = false
create_homedir = true

ldap_network_timeout = 3
access_provider = ldap
ldap_access_filter = groupMembership=cn=LDAP-Users-

#ldap_schema = rfc2307 <<<<<<<<<<<<<<<<<<<<<<<< DEFAULT
#ldap_user_object_class = posixAccount <<<<<<<< DEFAULT
#ldap_user_name = uid <<<<<<<<<<<<<<<<<<<<<<<<< DEFAULT

  1. for sshd create homedir after login you need to use pam

#>pam-config --add --mkhomedir

Hope that helps !

Till

3

Thanks for the reply. Responses inline…

[QUOTE=tbrinkmann;25660]Yes drastically !

SLES12 now use the SSSD to connect to an external AUTH Service SSSD(System Security Services Daemon) → https://fedorahosted.org/sssd/
[COLOR=#ff0000]OpenLDAP is not recommended anymore[/COLOR][/QUOTE]

By this, I assume you mean a direct configuration to OpenLDAP as was done in nsswitch, as now the OpenLDAP “passes through” SSSD?

[QUOTE=tbrinkmann;25660]
In SLES11 we also used yast to configure openLDAP. Now we use file bast SSSD config

  1. SSSD.CONF

#>vi /etc/sssd/sssd.conf

[sssd]
config_file_version = 2
services = nss, pam
domains = [LDAPSERVER]

[nss]
filter_groups = root
filter_users = root

[pam]

[domain/[LDAPSERVER]]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://[LDAPSERVER]:636
ldap_search_base = ou=XX
ldap_tls_cacert = /etc/ssl/certs/root.pem
ldap_tls_cacertdir = /etc/ssl/certs
#debug_level = 1
case_sensitive = false
create_homedir = true

ldap_network_timeout = 3
access_provider = ldap
ldap_access_filter = groupMembership=cn=LDAP-Users-

#ldap_schema = rfc2307 <<<<<<<<<<<<<<<<<<<<<<<< DEFAULT
[COLOR=#000000]#ldap_user_object_class = posixAccount <<<<<<<< DEFAULT[/COLOR]
#ldap_user_name = uid <<<<<<<<<<<<<<<<<<<<<<<<< DEFAULT

  1. for sshd create homedir after login you need to use pam

#>pam-config --add --mkhomedir

Hope that helps !

Till[/QUOTE]

Some clarification needed.

In the /etc/sssd/sssd.conf file, you suggest[INDENT][sssd]
config_file_version = 2
services = nss, pam
[COLOR=#ff0000]domains = [LDAPSERVER][/COLOR]

[/INDENT]
Is the "domains = " line to indicate the hostname/IP of the LDAP server, or the LDAPdomain (as indicated by the base dc= option?[INDENT][COLOR=#ff0000]ldap_search_base = ou=XX[/COLOR][/INDENT]

What is that base? is it the “ou=users,dc=example,dc=com”, or it is just the “dc=example,dc=com”[INDENT]
[COLOR=#ff0000]ldap_access_filter = groupMembership=cn=LDAP-Users-[/COLOR]
[/INDENT]

Not sure I get this one, as I don’t see this attribute (groupMembership) in my ldap

Could or should I be using the option: [COLOR=#ff0000]ldap_access_filter = ou=Users,dc=example,dc=com[/COLOR][COLOR=#000000] since all users would belong to this OU?
[/COLOR][COLOR=#000000][INDENT]#[COLOR=#ff0000]ldap_schema = rfc2307[/COLOR] <<<<<<<<<<<<<<<<<<<<<<<< DEFAULT
[COLOR=#000000]#ldap_user_object_class = posixAccount <<<<<<<< DEFAULT[/COLOR]
#ldap_user_name = uid <<<<<<<<<<<<<<<<<<<<<<<<< DEFAULT[/INDENT]

For correct group membership in order to get the member: attribute, should I use rfc2307bis ldap_schema instead? Thanks again for the response, and hopefully, with those pointers I will be able to get the issue sorted out. [/COLOR][COLOR=#000000][FONT=monospace]
[/FONT][/COLOR][COLOR=#000000][FONT=monospace]
[/FONT][/COLOR][COLOR=#555555][FONT=monospace]
[/FONT][/COLOR]

4

Re,

By this, I assume you mean a direct configuration to OpenLDAP as was done in nsswitch, as now the OpenLDAP “passes through” SSSD?
Yes, here you can see my nsswitch.conf I forgot in the first post.

passwd: compat sss
group: compat sss

domains = [LDAPSERVER]

Refer to the configuration block I chaned if to mask my configuration.

[sssd]
config_file_version = 2
services = nss, pam
domains = myldapserver

[domain/myldapserver]
ldap_uri = …

ldap_uri = <<<<<<<<<<<<<<<<<<<<<<<<<<<<<< LDAP IP/HOSTNAME:PORT
ldap_search_base <<<<<<<<<<<<<<<<<<<<<<<< BASE DN “ou=users,dc=example,dc=com”

The ldap_access_filter is our search parameter for users that have access to the host. GROUPNAME+BaseDB in my point.
Without that parameter all users from the ou=users will have access to that server but we need just a few users(only the DBAs) to have access
to that server. So we create a LDAP usergroup LDAP-Users-MYDATABASESERVER1. You do not need that option if all users from the OU
will have to access to the server.

#ldap_schema was just for me to understand the default value. If you need another one please read the documentation or just try
to configure
ldap_schema = rfc2307bis

Greetings *T

5

Ok, after much off-thread troubleshooting with the amazing folks on the TTP ListServ, we’ve got a working setup, which I will document here for others to benefit from:

edit /etc/nsswitch.conf, set:
passwd: compat sss
group: compat sss

edit /etc/sssd/sssd.conf, contents:

[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP

[nss]
filter_users = root
filter_groups = root

[pam]

[domain/LDAP]

id_provider = ldap
auth_provider = ldap

enumerate = False
cache_credentials = True
case_sensitive = False

ldap_schema = rfc2307bis
ldap_user_name = cn
ldap_uri = ldaps://ldap.millikin.edu
ldap_search_base = ou=base_ou,o=mu

ldap_id_use_start_tls = True

#debug_level = 7

ldap_tls_cacert = /etc/path/to/certs/rootcert.pem
ldap_tls_cacertdir = /etc/path/to/certs

ldap_default_bind_dn = cn=bind_user,ou=base_ou,o=mu
ldap_default_authtok_type = password
ldap_default_authtok = bind_user_password

ldap_user_member_of = groupMembership
ldap_group_name = cn

execute the following from root’s command line:
pam-config --add --mkhomedir
pam-config --add --sss
service nscd stop
chkconfig nscd off

Need to also copy the certificate details for the root cert into that rootcert.pem file mentioned in the config. In our case this included the root cert and two intermediate certificates.

6

my experience in SLES12 was that running

yast2 auth-client

and setting up an ldap domain did the essential things for me.

I fine-tuned the /etc/sssd/sssd.conf file then, but essentially, what Yast2 did was correct and sufficient.

The SLES12 security guide has fairly detailed instructions about how to setup sssd.

Cheers, Thomas

7

… agreed.

Deployment of the SSSD using YaST in SLES 12 is much more polished and will implement a basic working configuration reliably. The remaining hurdle with the SSSD seems to be conceptual and as more administrators become educated in the SSSD, it’s use cases and deployment this improves as well. SUSE continues to support YaST development for the daemon on it’s platform that improves functionality and usability for administrators, SSSD sessions at conferences and updated online documentation.

These forums help as well :slight_smile: .

– lawrence