Simple SSSD Configuration with eDirectory on SUSE

Two-factor authentication is a lofty goal for any Linux administrator.  If you’re lucky enough to have access to a NetIQ eDirectory server, hardware-based two-factor authentication is closer than you think.

Tutorial on how to use SSSD (pronounced Triple “S” D) as a cross-Linux-platform (RHEL, SLES, Ubuntu, et al.) authentication agent instead of painful and often disparate pam_ldap and sudoers configurations. Centralized user and group management using existing directory infrastructure. Learn how to centrally store SSH keys and sudoers configurations in LDAP. No more having to copy your SSH key to each new server. Create an SSH key based single sign-on solution. Your sudo commands are authenticated against your directory. Expand the configuration of SSSD clients for two-factor authentication using an HOTP-configured YubiKey that does not require any changes on the authenticating client. Integration with eDirectory. Explore SSO Kerberized options with Active Directory and MIT Kerberos.

This is based on a presentation I gave at SUSECON 2016 in Washington D.C.   Right now it’s fairly unorganized and more of a place to gather my thoughts as I worked through developing my presentation.

Create a Bind Account for SSSD

In this case I’ve created cn=SSSDBInd,ou=service,o=gtopia

This account has read-only rights to all of the Users container in the tree.  This can be limited down to only the required attributes, but for the sake of time we’ll skip that.   I may come back later and enhance this section.

This will be our user to bind with inside of SSSD because I do not want to allow anonymous searches on the Directory.

You will first need to ensure your LDAP server is capable of secure connections.   You will then need the Public self-signed certificate or the Public certificate of your Certificate Authority.

iManager CA Location

  1. Find the “Configure Certificate Authority” Task
  2. Open the certificates tab
  3. Select the Self Signed RSA Certificate
  4. Click Export
CA Certificate Export format

Save the file (rename the extension to .pem).

Upload the certificate to your SSSD client.

Make the Certificate available to the whole system

  1. Copy certificate to /etc/ssl/certs
  2. Run the Hash Command to make it available in the hashed directory

susehost:/etc/ssl/certs # c_rehash /etc/ssl/certs/

This will rehash all the certificates in that folder and will be useful later.

Now that the certificate is available, you can configure the system ldap.conf file to use that certificate.

If you don’t configure the ldap.conf file, you get errors like this:

Now you can try a test Search

This shows the server can really talk to LDAP outside of SSSD, which confirms working LDAP and pathing. From here forward, we know any troubleshooting is only in SSSD land.

Configure sssd.conf

# pam-config --add --sss --mkhomedir

Add Posix Attributes to LDAP user

The schema must be extended before attributes can be added; fortunately, the basic schema has been provided.

 

To do SUDO in sssd we must also extend the schema in LDAP for the SUDO attributes.  There is a schema provided that accomplishes this: /etc/openldap/schema/sudo.schema

Unfortunately, this schema doesn’t work with the ndssch utility, probably because the file isn’t well formed and not in the right format.   Here’s a good LDIF-based schema file:

 

Once that file is loaded into the ldap server then we can create SUDOERS rules in LDAP.

Check this out as you work on this step: https://www.sudo.ws/readme_ldap.html

Here’s a sample output of creating an LDIF from the sudoers file.

Create a sample user sudo command.

Here is the sssd.conf
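An added example, not part of the original post and not the author's configuration: a small Python check that lints an sssd.conf for the settings this walkthrough depends on (a non-anonymous bind DN, an encrypted connection to the directory, and certificate validation against the exported CA). The domain name, host name, search base and password placeholder are constructed; the option names are standard sssd-ldap options.

```python
import configparser

# Constructed sample for illustration; only the bind DN comes from the post.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam, sudo
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
sudo_provider = ldap
ldap_uri = ldap://edir.example.com
ldap_search_base = o=gtopia
ldap_default_bind_dn = cn=SSSDBInd,ou=service,o=gtopia
ldap_default_authtok = CHANGEME
ldap_tls_reqcert = never
"""

def audit_sssd_conf(text):
    """Return (section, finding) pairs for each enabled LDAP domain."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    listed = cp.get("sssd", "domains", fallback="")
    for name in [d.strip() for d in listed.split(",") if d.strip()]:
        sec = f"domain/{name}"
        if not cp.has_section(sec):
            findings.append((sec, "listed in [sssd] domains but section is missing"))
            continue
        d = cp[sec]
        if d.get("id_provider") != "ldap":
            continue
        start_tls = d.get("ldap_id_use_start_tls", "false").lower() == "true"
        for uri in [u.strip() for u in d.get("ldap_uri", "").split(",") if u.strip()]:
            if not uri.lower().startswith("ldaps://") and not start_tls:
                findings.append((sec, f"{uri}: not ldaps:// and ldap_id_use_start_tls is off"))
        if d.get("ldap_tls_reqcert", "hard").lower() in ("never", "allow"):
            findings.append((sec, "ldap_tls_reqcert accepts unverified server certificates"))
        if not (d.get("ldap_tls_cacert") or d.get("ldap_tls_cacertdir")):
            findings.append((sec, "no ldap_tls_cacert/ldap_tls_cacertdir: CA trust falls back to ldap.conf defaults"))
        if not d.get("ldap_default_bind_dn"):
            findings.append((sec, "no ldap_default_bind_dn: searches bind anonymously"))
    return findings

if __name__ == "__main__":
    for section, message in audit_sssd_conf(SAMPLE_SSSD_CONF):
        print(f"[{section}] {message}")
```

The missing-CA finding is informational when the CA is already trusted through the system ldap.conf and the hashed /etc/ssl/certs directory, as set up earlier on this page.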

Configuring SSH Keys in LDAP

Unless you’re using IPA, SSH keys in LDAP cannot be done via SSSD.   There is a very useful readme included.

debug: /usr/lib/ssh/ssh-ldap-helper -v -dd -s mark

Here is the Schema file suitable for loading sshPublicKeys into eDirectory.

 

You must configure an ldap.conf specifically for ssh.  This is useful in case something else mucks around with the openldap/ldap.conf file. Here is all I needed in /etc/ssh/ldap.conf:

Add these lines to sshd_config

Test with the built in tools

 

 
