OpenLDAP : LDAP Client (SSSD)2024/04/18

	This is the LDAP Client configuration example by using SSSD.
[1]	To use SSSD, it needs to configure SSL/TLS setting on LDAP server side, refer to here.
[2]	Install and configure SSSD.

root@node02:~ #

pkg install -y sssd pam_mkhomedir

root@node02:~ #

vi /usr/local/etc/sssd/sssd.conf

# create new
# replace to your domain suffix for [dc=***,dc=***] section

[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
autofs_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://dlp.srv.world/
ldap_search_base = dc=srv,dc=world
ldap_id_use_start_tls = True
ldap_tls_cacertdir = /etc/ssl/certs
cache_credentials = True
ldap_tls_reqcert = allow

[nss]
homedir_substring = /home

root@node02:~ #

chmod 600 /usr/local/etc/sssd/sssd.conf

root@node02:~ #

vi /etc/pam.d/system

# add like follows

# auth
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      pam_sss.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass nullok

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_sss.so             no_warn ignore_authinfo_unavail ignore_unknown_user
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so              want_agent
session         required        pam_lastlog.so          no_fail
session         required        pam_mkhomedir.so        umask=0077

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass

root@node02:~ #

vi /etc/pam.d/sshd

# add like follows

# auth
#auth           sufficient      pam_krb5.so             no_warn try_first_pass
#auth           sufficient      pam_ssh.so              no_warn try_first_pass
auth            sufficient      pam_sss.so              no_warn try_first_pass
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_sss.so             no_warn ignore_authinfo_unavail ignore_unknown_user
account         required        pam_unix.so

# session
#session        optional        pam_ssh.so              want_agent
session         required        pam_permit.so
session         required        pam_mkhomedir.so        umask=0077

# password
#password       sufficient      pam_krb5.so             no_warn try_first_pass
password        required        pam_unix.so             no_warn try_first_pass

root@node02:~ #

vi /etc/nsswitch.conf

# change like follows

#
# nsswitch.conf(5) - name service switch configuration file
#
group: files sss
group_compat: nis
hosts: files dns
netgroup: compat
networks: files
passwd: files sss
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files

root@node02:~ #

service sssd enable

sssd enabled in /etc/rc.conf
root@node02:~ #

service sssd start

Starting sssd.

root@node02:~ #

exit

FreeBSD/amd64 (node01.srv.world) (ttyu0)

login: freebsd      # LDAP user
Password:           # LDAP password

FreeBSD 14.0-RELEASE (GENERIC) #0 releng/14.0-n265380-f9716eee8ab4: Fri Nov 10 05:57:23 UTC 2023

Welcome to FreeBSD!

.....
.....

freebsd@node02:~ $    # logined

[3]	To change LDAP password by user itself, use ldappasswd command.

freebsd@node02:~ $

ldappasswd -H ldap://dlp.srv.world:389 -x -D "uid=freebsd,ou=people,dc=srv,dc=world" -W -a old_password -s new_password

Enter LDAP Password:

# input current LDAP password

freebsd@node02:~ $

Matched Content