This article shows how to set up and enable SSSD for OneLogin VLDAP (Virtual LDAP).
See also:
- amazonlinux2_sssd_configurations_for_onelogin_vldap.md: AmazonLinux2 SSSD Configurations for OneLogin VLDAP (Virtual LDAP)
- centos8_sssd_configurations_for_onelogin_vldap.md: CentOS8 SSSD Configurations for OneLogin VLDAP (Virtual LDAP)
Reference: An Ansible-based setup is available at ansible-galaxy.
Contents:
- Prerequisites
- Install related packages
- Create /Users directory on the LDAP client server
- Add OneLogin gidNumber to /etc/group
- Add a group to sudoers
- Execute semanage
- Create and edit sssd.conf
- Set ldap_default_authtok
- Execute authconfig
- Tests
- Logs in /var/log/secure
Allow traffic to the ports and IP addresses below. See OneLogin Domains and IP addresses | onelogin.service-now.com for details.
Port | Protocol | IP addresses |
---|---|---|
636 | TCP | 13.52.4.72/29 |
636 | TCP | 18.216.23.64/26 |
636 | TCP | 52.15.145.203/32 |
636 | TCP | 52.24.165.42/32 |
636 | TCP | 52.34.255.192/26 |
```bash
yum install sssd sssd-tools sssd-dbus oddjob oddjob-mkhomedir sssd-client sssd-ldap policycoreutils-python
```
This directory is necessary because OneLogin defines homeDirectory as '/Users/<cn>'. See here for details.

```bash
mkdir /Users
```
<OneLogin gidNumber> can be identified with the ldapsearch command shown below.

```bash
groupadd -g <OneLogin gidNumber> <Any group name>
```

Note: Use the command below to identify <OneLogin gidNumber>. It binds as the privileged user (you are prompted for that user's password by -W) and lists the entries under ou=users; look for the gidNumber attribute in the returned user entries.

```bash
ldapsearch -H "ldaps://ldap.us.onelogin.com" -x \
  -D "cn=<privileged user's cn>,ou=users,dc=<your sub domain>,dc=onelogin,dc=com" \
  -W -b "ou=users,dc=<your sub domain>,dc=onelogin,dc=com"
```
Add <Any group name> to sudoers.

```bash
visudo
```

Add the line below.

```
%<Any group name> ALL=(ALL) NOPASSWD: ALL
```
Reference: CHAPTER 6. ENABLING CUSTOM HOME DIRECTORIES USING AUTHCONFIG | access.redhat.com

The first command makes /Users equivalent to /home in the SELinux file-context rules, so home directories created under /Users get the same labels as those under /home; the second applies the labels.

```bash
semanage fcontext -a -e /home /Users
restorecon -R -v /Users
```
Remark: /etc/sssd/sssd.conf does not exist by default.

```bash
touch /etc/sssd/sssd.conf
chown root:root /etc/sssd/sssd.conf
chmod 600 /etc/sssd/sssd.conf
vim /etc/sssd/sssd.conf
```

Edit as below.

Remark: This example specifies ldap_default_authtok_type = obfuscated_password to avoid writing a plain-text password into ldap_default_authtok. The obfuscated password is generated in the following step.
```ini
[sssd]
#debug_level = 8
config_file_version = 2
domains = my_ldap_domain
services = nss, sudo, pam, autofs, ifp, ssh

[domain/my_ldap_domain]
#debug_level = 8
access_provider = permit
auth_provider = ldap
autofs_provider = ldap
cache_credentials = true
case_sensitive = false
chpass_provider = ldap
fallback_homedir = /Users/%u
id_provider = ldap
ldap_default_authtok_type = obfuscated_password
ldap_default_bind_dn = cn=<privileged user's cn>,ou=users,dc=<your sub domain>,dc=onelogin,dc=com
ldap_group_object_class = groupOfNames
ldap_group_search_base = ou=groups,dc=<your sub domain>,dc=onelogin,dc=com
ldap_id_use_start_tls = false
ldap_search_base = ou=users,dc=<your sub domain>,dc=onelogin,dc=com
ldap_tls_reqcert = hard
ldap_uri = ldaps://ldap.us.onelogin.com
ldap_user_object_class = inetOrgPerson
ldap_user_search_base = ou=users,dc=<your sub domain>,dc=onelogin,dc=com
sudo_provider = ldap
# and the other params...

[nss]
#debug_level = 8
homedir_substring = /Users
# and the other params...

[pam]
#debug_level = 8
offline_credentials_expiration = 0
# and the other params...

[sudo]
#debug_level = 8
# and the other params...

[autofs]
[ssh]
[pac]
[ifp]
```
The command below prompts for the password of ldap_default_bind_dn and writes the obfuscated value to ldap_default_authtok in the [domain/<domain name>] section of /etc/sssd/sssd.conf, so that key is generated for you.

```bash
sss_obfuscate -d <domain name>
```
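As an added check that is not part of the original article, the shell function below audits an sssd.conf for the settings this setup depends on: a 600 file mode, an ldaps:// ldap_uri, ldap_tls_reqcert = hard, and ldap_default_authtok_type = obfuscated_password with a token present. The two sample files it runs against are constructed here (the token value is a placeholder), and GNU stat (Linux) is assumed.

```bash
# conf_get FILE KEY: value of the first "KEY = value" line in FILE, or empty if absent.
conf_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}
# check_sssd_conf FILE: audit the settings the article relies on for a safe LDAP bind.
# Prints one finding per line; returns 0 when clean, 1 when anything needs fixing.
check_sssd_conf() {
  conf="$1"; bad=0
  mode=$(stat -c '%a' "$conf")                      # GNU stat (Linux) assumed
  case "$mode" in
    600|400) ;;                                     # only root may read the bind secret
    *) echo "mode $mode: expected 600 (chmod 600 $conf)"; bad=1 ;;
  esac
  case "$(conf_get "$conf" ldap_uri)" in
    ldaps://*) ;;
    *) echo "ldap_uri is not ldaps://: the bind would cross the network in clear text"; bad=1 ;;
  esac
  if [ "$(conf_get "$conf" ldap_tls_reqcert)" != hard ]; then
    echo "ldap_tls_reqcert is not 'hard': the server certificate would not be verified"; bad=1
  fi
  tok_type=$(conf_get "$conf" ldap_default_authtok_type)
  tok=$(conf_get "$conf" ldap_default_authtok)
  if [ "$tok_type" != obfuscated_password ]; then
    echo "ldap_default_authtok_type is '${tok_type:-unset}': run sss_obfuscate -d <domain>"; bad=1
    [ -n "$tok" ] && echo "ldap_default_authtok holds a clear-text bind password"
  elif [ -z "$tok" ]; then
    echo "ldap_default_authtok is empty: sss_obfuscate has not written the token yet"; bad=1
  fi
  return $bad
}
# Constructed sample files (not the page's real sssd.conf): one as the article sets it up, one not.
GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
cat >"$GOOD_CONF" <<'EOF'
[domain/my_ldap_domain]
ldap_uri = ldaps://ldap.us.onelogin.com
ldap_tls_reqcert = hard
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = AAAQAAAAAABjb25zdHJ1Y3RlZC1wbGFjZWhvbGRlcg==
EOF
chmod 600 "$GOOD_CONF"
cat >"$BAD_CONF" <<'EOF'
[domain/my_ldap_domain]
ldap_uri = ldap://ldap.us.onelogin.com
ldap_tls_reqcert = allow
ldap_default_authtok_type = password
ldap_default_authtok = ConstructedClearTextPassw0rd
EOF
chmod 644 "$BAD_CONF"
```

Run `check_sssd_conf /etc/sssd/sssd.conf` as root on the client after the sss_obfuscate step; a clean file prints nothing and returns 0.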
```bash
authconfig \
  --enablesssd \
  --enablesssdauth \
  --enablelocauthorize \
  --disableldap \
  --disableldapauth \
  --disableldaptls \
  --enablemkhomedir \
  --update
```
Enable and restart sssd and oddjobd.

```bash
systemctl enable --now sssd
systemctl restart sssd
systemctl enable --now oddjobd
systemctl restart oddjobd
```
```bash
sssctl domain-status <your domain>
```

Online status should be Online.

```
[root@sssdcentos7 ~]# sssctl domain-status <your domain>
Online status: Online
Active servers:
LDAP: <ldap server>
Discovered LDAP servers:
- <ldap server>
```
```bash
sssctl user-checks <ldap user>
```

User info should be output.

```
[root@sssdcentos7 ~]# sssctl user-checks <ldap user>
user: <ldap user>
action: acct
service: system-auth
SSSD nss user lookup result:
- user name: <ldap user>
- user id: xxxxxx
- group id: xxxxxx
- gecos: xxxxxx
- home directory: /Users/xxxxxx
- shell: /bin/bash
SSSD InfoPipe user lookup result:
- name: <ldap user>
- uidNumber: xxxxxx
- gidNumber: xxxxxx
- gecos: xxxxxx
- homeDirectory: /Users/xxxxxx
- loginShell: /bin/bash
testing pam_acct_mgmt
pam_acct_mgmt: Success
PAM Environment:
- no env -
```
```bash
id <ldap user>
```

User info should be output.

```
[root@sssdcentos7 ~]# id <ldap user>
uid=xxxxxx(<ldap user>) gid=xxxxxx(xxxxxx) groups=xxxxxx(xxxxxx)
```
```bash
su <ldap user>
```

You should be able to switch to the user, and the home directory should be created automatically.

```
[root@sssdcentos7 ~]# su <ldap user>
[<ldap user>@sssdcentos7 root]$ cd ~
[<ldap user>@sssdcentos7 ~]$ pwd
/Users/<ldap user>
```
```bash
ll /Users
```

The home directory of the LDAP user should have been created.

```
[<ldap user>@sssdcentos7 ~]$ ll /Users
total 0
drwx------. 2 <ldap user> <group name> 62 Jan 12 17:45 <ldap user>
```
```bash
ssh -l <LDAP User> <IP Address or Hostname of LDAP Client>
```

SSH login should work.

```
hallowelt@2021-01-12T17:46:23>>> ssh -l <ldap user> xxx.xxx.xxx.xxx
<ldap user>@xxx.xxx.xxx.xxx's password:
Last login: Tue Jan 12 17:45:40 2021
[<ldap user>@sssdcentos7 ~]$
```
```bash
sudo <Some commands...>
```

sudo should work.

```
[<ldap user>@sssdcentos7 ~]$ sudo tail /var/log/messages | tail -1
Jan 12 17:56:26 sssdcentos7 systemd: Started Locale Service.
```
The activities of <LDAP User> are traced properly in /var/log/secure: pam_sss records the authentication result, and sshd records the session open and close.

```
[root@sssdcentos7 ~]# tail /var/log/secure
...
Jan 12 17:58:37 sssdcentos7 sshd[3762]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=xxx.xxx.xxx.xxx user=<ldap user>
Jan 12 17:58:37 sssdcentos7 sshd[3762]: Accepted password for <ldap user> from xxx.xxx.xxx.xxx port 49798 ssh2
Jan 12 17:58:37 sssdcentos7 sshd[3762]: pam_unix(sshd:session): session opened for user <ldap user> by (uid=0)
Jan 12 17:58:39 sssdcentos7 sshd[3764]: Received disconnect from xxx.xxx.xxx.xxx port 49798:11: disconnected by user
Jan 12 17:58:39 sssdcentos7 sshd[3764]: Disconnected from xxx.xxx.xxx.xxx port 49798
Jan 12 17:58:39 sssdcentos7 sshd[3762]: pam_unix(sshd:session): session closed for user <ldap user>
...
```
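As an added example (not from the original article), the awk-based function below summarises the pam_sss(sshd:auth) lines of a /var/log/secure file per user and source address, so repeated failures against an LDAP account stand out. The log excerpt is constructed in the format shown above with placeholder names and addresses, and the failure threshold of 3 is an assumption.

```bash
# pam_sss_summary FILE [THRESHOLD]: count pam_sss(sshd:auth) successes and failures per
# user@rhost in a /var/log/secure file, marking sources with THRESHOLD or more failures
# (default 3, an assumed value). Output is one line per user@rhost, sorted.
pam_sss_summary() {
  awk -v thr="${2:-3}" '
    /pam_sss\(sshd:auth\): authentication (success|failure)/ {
      user = ""; host = ""
      for (i = 1; i <= NF; i++) {          # pick the rhost= and user= key/value fields
        if ($i ~ /^rhost=/) host = substr($i, 7)
        if ($i ~ /^user=/)  user = substr($i, 6)
      }
      key = user "@" host; seen[key] = 1
      if ($0 ~ /authentication success/) ok[key]++; else fail[key]++
    }
    END {
      for (k in seen)
        printf "%s success=%d failure=%d%s\n", k, ok[k] + 0, fail[k] + 0, (fail[k] + 0 >= thr ? " FLAG" : "")
    }' "$1" | sort
}

# Constructed excerpt in the format shown above (hosts and user names are placeholders).
SECURE_LOG=$(mktemp)
cat >"$SECURE_LOG" <<'EOF'
Jan 12 17:58:37 sssdcentos7 sshd[3762]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=alice
Jan 12 17:58:37 sssdcentos7 sshd[3762]: Accepted password for alice from 192.0.2.10 port 49798 ssh2
Jan 12 18:02:01 sssdcentos7 sshd[3801]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=bob
Jan 12 18:02:05 sssdcentos7 sshd[3801]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=bob
Jan 12 18:02:09 sssdcentos7 sshd[3801]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=bob
Jan 12 18:03:10 sssdcentos7 sshd[3820]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=alice
EOF

pam_sss_summary "$SECURE_LOG"
```

On the client, `pam_sss_summary /var/log/secure` (as root) gives the same per-source view of real logins.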
All done!