41
edits
Changes
From SME Server
Jump to navigationJump to searchClient Authentication:Fedora via sssd/ldap (view source)
Revision as of 15:57, 18 October 2015
, 15:57, 18 October 2015Created page with "{{Warning box|This is based upon limited testing and a small number of users.}} ==Introduction== This how-to shows how to configure a SME-server (>=8b6) and a client Fedora (..."
{{Warning box|This is based upon limited testing and a small number of users.}}
==Introduction==
This how-to shows how to configure a SME-server (>=8b6) and a client Fedora (tested with F22 for this how-to) for a LDAP based SSSD authentication of the client machine on the configured user accounts of the SME. This way is more simple that the way via winbind [[Client Authentication:Fedora]]. Further more, the winbind method doesn't seem to work on a Fedora 22.
The SSSD authentication via LDAP allows to login with the SME-user accounts, even if the client machine is offline.
Nevertheless, I recommend to create a local user with the admin rights for the emergency case.
These lines are a translation and an application of the method given by Daniel: https://wikit.firewall-services.com/doku.php/tuto/ipasserelle/authentification/fedora_sssd_on_sme. Many thanks to him for it.
In this how-to: we assume that:
the host name of the SME is "sme-server" and the domain is "domain.tld".
==Configuration of the SME-server==
There is quite no necessary configuration of the SME.
*The only thing to do is to create a user (named "auth" in this how-to) via the server-manager and to give him a valid password ("something_very_secret" in the how-to).
It is not required to make "auth" member of any group.
*In addition, it is recommended to install and configure [[PHPki]] in order to make the managing of the certificates easier and to allow Fedora to accept a non-official certificate of the authentication.
==Configuration of the client Fedora==
===Installation===
Install the OS as usual, without any particularity.
===Add the necessary packages===
dnf install oddjob-mkhomedir sssd policycoreutils-python
===Preparare the /home folder===
The “/home” folders of the users will be placed at the same place as on the SME (/home/e-smith/fies/users).
This must be configured to avoid blocks from SELinux:
mkdir -p /home/e-smith/files/users/
semanage fcontext -a -e /home /home/e-smith/files/users
restorecon -R /home/e-smith/files/users
restorecon -R /var/lib/sss
===Acive and enable the oddjobd daemon===
This deamon will create the personal /home folders at the first login of the users.
systemctl start oddjobd.service
systemctl enable oddjobd.service
===Manage the CA of the SME===
after having installed phpki, go to https://www.domain.tld/phpki and download on the client machine the certificate of authority (ca.crt).
Place a copy of it into /etc/phpki/tls/certs/ and give the 644 permissions:
cp ~/download/ca.crt /etc/phpki/tls/certs/
chmod 644 /etc/phpki/tls/certs/ca.crt
Place another copy of the ca into /etc/pki/ca-trust/source/anchors/ and install the certificate system wide:
cp ~/download/ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust
(Note: to remove the ca systemwide: remove ca.crt from /etc/pki/ca-trust/source/anchors/ and run update-ca-trust again. See https://fedoraproject.org/wiki/Features/SharedSystemCertificates:Testing#How_to_add_a_systemwide_CA)
===Configure SSSD===
The configuration is made by the file /ets/sssd/sssd.conf.
This file doesn't exist by default. Therefore it has to be created and it needs to get the permissions 600 to allow the daemon to start:
cat <<'_EOF' > /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
[nss]
[pam]
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://sme-server.domain.tld
ldap_default_bind_dn = uid=auth,ou=Users,dc=domain,dc=tld
ldap_default_authtok = something_very_secret
ldap_default_authtok_type = password
ldap_search_base = dc=domain,dc=tld
ldap_user_search_base = ou=Users,dc=domain,dc=tld
ldap_group_search_base = ou=Groups,dc=domain,dc=tld
ldap_user_object_class = inetOrgPerson
ldap_user_gecos = cn
ldap_tls_reqcert = hard
ldap_tls_cacert = /etc/pki/tls/certs/ca.crt
ldap_id_use_start_tls = true
# uncomment below if the SME is a “iPasserelle”
#ldap_user_shell = desktopLoginShell
# comment below if the SME is a “iPasserelle”
override_shell = /bin/bash
cache_credentials = true
enumerate = true
# It is possible to filter the logins via a LDAP-filer
# by commenting the both lines below.
# In this exemple, only the users member of the group netusers
# will be valid on this host.
# posixMemberOF is a parameter only for a iPasserelle
#access_provider = ldap
#ldap_access_filter = (|(posixMemberOf=admins)(uid=backup))
_EOF
chmod 600 /etc/sssd/sssd.conf
===Start and enable the daemon sssd===
*This daemon must be automatically started by running the client machine:
systemctl start sssd.service
systemctl enable sssd.service
{{Tip box|It is possible to debug by starting sssd manually:
systemctl stop sssd.service
sssd -i -d5
}}
*You should check that sss is set as a source in the /etc/nsswitch.conf. Normally it has been done automatically
[...]
passwd: files sss
shadow: files sss
group: files sss
[...]
===General configuration===
*The system must be configured in order to use sssd.
This is done very easily by using the tool authconfig:
authconfig --enablemkhomedir --enablesssd --enablesssdauth --update
*
getent passwd
should show you the users of the SME.
'''''If it doen't work:'''''
*check first of all if the password of the user “auth” is present in clear by the parameter “ldap_default_authtok” of /etc/sssd/sssd.conf.
*Further more, for tests and debug, you can set “ldap_tls_reqcert = never” to avoid problems due to a non accepted CA.
{{Warning box|It is not recommended to use this parameter for a production server!}}
{{Tip box|It is possible to give admin permissions to LDAP-users: on Fedora, members of the special, local "wheel" group will be admin, so just add your LDAP users to this group:
gpasswd -a <your ldap login> wheel}}
Thats all.
Enjoy!
==Introduction==
This how-to shows how to configure a SME-server (>=8b6) and a client Fedora (tested with F22 for this how-to) for a LDAP based SSSD authentication of the client machine on the configured user accounts of the SME. This way is more simple that the way via winbind [[Client Authentication:Fedora]]. Further more, the winbind method doesn't seem to work on a Fedora 22.
The SSSD authentication via LDAP allows to login with the SME-user accounts, even if the client machine is offline.
Nevertheless, I recommend to create a local user with the admin rights for the emergency case.
These lines are a translation and an application of the method given by Daniel: https://wikit.firewall-services.com/doku.php/tuto/ipasserelle/authentification/fedora_sssd_on_sme. Many thanks to him for it.
In this how-to: we assume that:
the host name of the SME is "sme-server" and the domain is "domain.tld".
==Configuration of the SME-server==
There is quite no necessary configuration of the SME.
*The only thing to do is to create a user (named "auth" in this how-to) via the server-manager and to give him a valid password ("something_very_secret" in the how-to).
It is not required to make "auth" member of any group.
*In addition, it is recommended to install and configure [[PHPki]] in order to make the managing of the certificates easier and to allow Fedora to accept a non-official certificate of the authentication.
==Configuration of the client Fedora==
===Installation===
Install the OS as usual, without any particularity.
===Add the necessary packages===
dnf install oddjob-mkhomedir sssd policycoreutils-python
===Preparare the /home folder===
The “/home” folders of the users will be placed at the same place as on the SME (/home/e-smith/fies/users).
This must be configured to avoid blocks from SELinux:
mkdir -p /home/e-smith/files/users/
semanage fcontext -a -e /home /home/e-smith/files/users
restorecon -R /home/e-smith/files/users
restorecon -R /var/lib/sss
===Acive and enable the oddjobd daemon===
This deamon will create the personal /home folders at the first login of the users.
systemctl start oddjobd.service
systemctl enable oddjobd.service
===Manage the CA of the SME===
after having installed phpki, go to https://www.domain.tld/phpki and download on the client machine the certificate of authority (ca.crt).
Place a copy of it into /etc/phpki/tls/certs/ and give the 644 permissions:
cp ~/download/ca.crt /etc/phpki/tls/certs/
chmod 644 /etc/phpki/tls/certs/ca.crt
Place another copy of the ca into /etc/pki/ca-trust/source/anchors/ and install the certificate system wide:
cp ~/download/ca.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust
(Note: to remove the ca systemwide: remove ca.crt from /etc/pki/ca-trust/source/anchors/ and run update-ca-trust again. See https://fedoraproject.org/wiki/Features/SharedSystemCertificates:Testing#How_to_add_a_systemwide_CA)
===Configure SSSD===
The configuration is made by the file /ets/sssd/sssd.conf.
This file doesn't exist by default. Therefore it has to be created and it needs to get the permissions 600 to allow the daemon to start:
cat <<'_EOF' > /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = LDAP
[nss]
[pam]
[domain/LDAP]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://sme-server.domain.tld
ldap_default_bind_dn = uid=auth,ou=Users,dc=domain,dc=tld
ldap_default_authtok = something_very_secret
ldap_default_authtok_type = password
ldap_search_base = dc=domain,dc=tld
ldap_user_search_base = ou=Users,dc=domain,dc=tld
ldap_group_search_base = ou=Groups,dc=domain,dc=tld
ldap_user_object_class = inetOrgPerson
ldap_user_gecos = cn
ldap_tls_reqcert = hard
ldap_tls_cacert = /etc/pki/tls/certs/ca.crt
ldap_id_use_start_tls = true
# uncomment below if the SME is a “iPasserelle”
#ldap_user_shell = desktopLoginShell
# comment below if the SME is a “iPasserelle”
override_shell = /bin/bash
cache_credentials = true
enumerate = true
# It is possible to filter the logins via a LDAP-filer
# by commenting the both lines below.
# In this exemple, only the users member of the group netusers
# will be valid on this host.
# posixMemberOF is a parameter only for a iPasserelle
#access_provider = ldap
#ldap_access_filter = (|(posixMemberOf=admins)(uid=backup))
_EOF
chmod 600 /etc/sssd/sssd.conf
===Start and enable the daemon sssd===
*This daemon must be automatically started by running the client machine:
systemctl start sssd.service
systemctl enable sssd.service
{{Tip box|It is possible to debug by starting sssd manually:
systemctl stop sssd.service
sssd -i -d5
}}
*You should check that sss is set as a source in the /etc/nsswitch.conf. Normally it has been done automatically
[...]
passwd: files sss
shadow: files sss
group: files sss
[...]
===General configuration===
*The system must be configured in order to use sssd.
This is done very easily by using the tool authconfig:
authconfig --enablemkhomedir --enablesssd --enablesssdauth --update
*
getent passwd
should show you the users of the SME.
'''''If it doen't work:'''''
*check first of all if the password of the user “auth” is present in clear by the parameter “ldap_default_authtok” of /etc/sssd/sssd.conf.
*Further more, for tests and debug, you can set “ldap_tls_reqcert = never” to avoid problems due to a non accepted CA.
{{Warning box|It is not recommended to use this parameter for a production server!}}
{{Tip box|It is possible to give admin permissions to LDAP-users: on Fedora, members of the special, local "wheel" group will be admin, so just add your LDAP users to this group:
gpasswd -a <your ldap login> wheel}}
Thats all.
Enjoy!
