While building infrastructure for computer club in my campus, I decided to use LDAP as authentication server. Everyone can use LDAP to log into every service our club have, isn’t that convenient.
Our main server runs Ubuntu Server, and I want to use LDAP to authenticate everyone, so they can have their own home directory, and else. But, when I googled “ubuntu ldap authentication”, most content online told me to install packages like libnss-ldap, libpam-ldap, and most of these content doesn’t tell you how to connect to LDAP server using TLS, or how to connect to LDAP server using binddn, so frustrating.
Thankfully, I found an article online, telling you how to connect to LDAP server using SSSD, and you can connect to LDAP with TLS and authentication. It’s much more stable than connecting to LDAP server using method above, and it’s configuration file is simple, too.
SSSD stands for System Security Services Daemon.
SSSD’s homepage says:
Its primary function is to provide access to local or remote identity and authentication resources through a common framework that can provide caching and offline support to the system. It provides several interfaces, including NSS and PAM modules or a D-Bus interface.
We are going to authenticate our user using a remote server, and we need to be able to use PAM to let user log into system. So far, SSSD got everything we need!
Install these packages:
sssd libpam-sss libnss-sss, install
sssd-tools if you need debugging.
Create a file
/etc/sssd/sssd.conf, and below is SSSD configuration, if you want to use LDAP authentication.
Save the file, and set permission to 0400, chown to root:root, then
systemctl enable sssd && systemctl start sssd
If everything is set correctly, run
getent passwd, then you should be able to see your accounts on LDAP server.
To let PAM use SSSD authentication, run
pam-auth-update, then enable
All done! It’s just that simple, and much easier than using libpam-ldap.