The System Security Services Daemon (SSSD) is a daemon that manages identity data retrieval and authentication on a RedHat EnterpriseLinux host. A system administrator can configure the host to use a standalone LDAP server as the user account database. The administrator can also specify the requirement that the connection with the LDAP server must be encrypted with a TLS certificate.
Note
The SSSD configuration option to enforce TLS, ldap_id_use_start_tls, defaults to false. When using ldap:// without TLS for identity lookups, it can pose a risk for an attack vector, namely a man-in-the-middle (MITM) attack which could allow you to impersonate a user by altering, for example, the UID or GID of an object returned in an LDAP search.
Ensure that your setup operates in a trusted environment and decide if it is safe to use unencrypted communication for id_provider = ldap. Note id_provider = ad and id_provider = ipa are not affected as they use encrypted connections protected by SASL and GSSAPI.
If it is not safe to use unencrypted communication, you should enforce TLS by setting the ldap_id_use_start_tls option to true in the /etc/sssd/sssd.conf file.
3.1.An OpenLDAP client using SSSD to retrieve data from LDAP in an encrypted way
The authentication method of the LDAP objects can be either a Kerberos password or an LDAP password. Note that the questions of authentication and authorization of the LDAP objects are not addressed here.
Important
Configuring SSSD with LDAP is a complex procedure requiring a high level of expertise in SSSD and LDAP. Consider using an integrated and automated solution such as Active Directory or RedHat IdentityManagement (IdM) instead. For details about IdM, see Planning Identity Management.
3.2.Configuring SSSD to use LDAP and require TLS authentication
Complete this procedure to configure your RedHat EnterpriseLinux (RHEL) system as an OpenLDAP client.
Use the following client configuration:
- The RHEL system authenticates users stored in an OpenLDAP user account database.
- The RHEL system uses the System Security Services Daemon (SSSD) service to retrieve user data.
- The RHEL system communicates with the OpenLDAP server over a TLS-encrypted connection.
Note
You can alternatively use this procedure to configure your RHEL system as a client of a RedHat Directory Server.
Prerequisites
- The OpenLDAP server is installed and configured with user information.
- You have root permissions on the host you are configuring as the LDAP client.
- On the host you are configuring as the LDAP client, the
/etc/sssd/sssd.conffile has been created and configured to specifyldapas theautofs_providerand theid_provider. - You have a PEM-formatted copy of the root CA signing certificate chain from the Certificate Authority that issued the OpenLDAP server certificate, stored in a local file named
core-dirsrv.ca.pem.
Procedure
Install the requisite packages:
# dnf -y install openldap-clients sssd sssd-ldap oddjob-mkhomedir
Switch the authentication provider to
sssd:# authselect select sssd with-mkhomedir
Copy the
core-dirsrv.ca.pemfile containing the root CA signing certificate chain from the Certificate Authority that issued the OpenLDAP server’s SSL/TLS certificate into the/etc/openldap/certsfolder.# cp core-dirsrv.ca.pem /etc/openldap/certs
Add the URL and suffix of your LDAP server to the
/etc/openldap/ldap.conffile:URI ldap://ldap-server.example.com/BASE dc=example,dc=com
In the
/etc/openldap/ldap.conffile, add a line pointing the TLS_CACERT parameter to/etc/openldap/certs/core-dirsrv.ca.pem:# When no CA certificates are specified the Shared System Certificates# are in use. In order to have these available along with the ones specified# by TLS_CACERTDIR one has to include them explicitly:TLS_CACERT /etc/openldap/certs/core-dirsrv.ca.pemIn the
/etc/sssd/sssd.conffile, add your environment values to theldap_uriandldap_search_baseparameters and set theldap_id_use_start_tlstoTrue:[domain/default]id_provider = ldapautofs_provider = ldapauth_provider = ldapchpass_provider = ldapldap_uri = ldap://ldap-server.example.com/ldap_search_base = dc=example,dc=comldap_id_use_start_tls = Truecache_credentials = Trueldap_tls_cacertdir = /etc/openldap/certsldap_tls_reqcert = allow[sssd]services = nss, pam, autofsdomains = default[nss]homedir_substring = /home…
In
/etc/sssd/sssd.conf, specify the TLS authentication requirement by modifying theldap_tls_cacertandldap_tls_reqcertvalues in the[domain]section:…cache_credentials = Trueldap_tls_cacert = /etc/openldap/certs/core-dirsrv.ca.pemldap_tls_reqcert = hard…
Change the permissions on the
/etc/sssd/sssd.conffile:# chmod 600 /etc/sssd/sssd.conf
Restart and enable the SSSD service and the
oddjobddaemon:# systemctl restart sssd oddjobd# systemctl enable sssd oddjobd
(Optional) If your LDAP server uses the deprecated TLS 1.0 or TLS 1.1 protocols, switch the system-wide cryptographic policy on the client system to the LEGACY level to allow RHEL to communicate using these protocols:
# update-crypto-policies --set LEGACY
For more details, see the Strong crypto defaults in RHEL 8 and deprecation of weak crypto algorithms Knowledgebase article on the Red Hat Customer Portal and the
update-crypto-policies(8)man page.
Verification steps
Verify you can retrieve user data from your LDAP server by using the
idcommand and specifying an LDAP user:# id ldap_useruid=17388(ldap_user) gid=45367(sysadmins) groups=45367(sysadmins),25395(engineers),10(wheel),1202200000(admins)
The system administrator can now query users from LDAP using the id command. The command returns a correct user ID and group membership.
