Centos – specify the Bind DN and password for sss+ldap

authenticationcentoscentos6ldapsssd

I'm trying sssd for LDAP authentication, and while it can show user IDs with the id command, getent group and getent passwd do not show LDAP names, and while I can chown files to ldap users, they ls -lah as nobody.

A bit of digging and I found a hint: that this problem may occur when binding LDAP anonymously.

But when I setup sss, there was no option to supply a bind DN or password. I was also unable to locate the correct directive in the manual.

Where do I specify the Bind DN and password for sss+ldap? Does it go in /etc/sssd/sssd.conf? Or another file?

Best Answer

You have to create a [domain] section in /etc/sssd/sssd.conf.

You could trawl through

man sssd-ldap

But it's quite a behemoth! This should get you stared. Not all directives here will be needed, depending on your environment.

[domain/default]
ldap_tls_reqcert = never
auth_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
krb5_realm = EXAMPLE.COM
cache_credentials = True
debug_timestamps = True
ldap_default_authtok_type = password
ldap_search_base = dc=domain,dc=com,dc=br
debug_level = 3
id_provider = ldap
ldap_default_bind_dn = cn=Manager,dc=domain,dc=com,dc=br
min_id = 100
ldap_uri = ldap://<FQDN of LDAP Server>/
krb5_server = kerberos.example.com
ldap_default_authtok = xxxxxxxxxx
ldap_tls_cacertdir = /etc/openldap/cacerts

Related Solutions

LDAP – Secure Configuration of LDAP on CentOS 6 for User Authentication

Here is a couple of shell scripts that will install and configure openldap on a server and install and configure sssd for user authentication against the LDAP-server.

One that installs the LDAP-server with groups, users etc.

#!/bin/sh
###########################################################
# Install LDAP-server
###########################################################

# Enable SELinux for higher security.
setenforce 1
setsebool -P domain_kernel_load_modules 1

# Communication with the LDAP-server needs to be done with domain name, and not
# the ip. This ensures the dns-name is configured.
cat >> /etc/hosts << EOF
10.100.110.7 ldap.syco.net
EOF

# Install all required packages.
yum -y install openldap-servers openldap-clients

# Create backend database.
cp /usr/share/doc/openldap-servers-2.4.19/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
chown -R ldap:ldap /var/lib/ldap

# Set password for cn=admin,cn=config (it's secret)
cat >> /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif << EOF
olcRootPW: {SSHA}OjXYLr1oZ/LrHHTmjnPWYi1GjbgcYxSb
EOF

# Autostart slapd after reboot.
chkconfig slapd on

# Start ldap server
service slapd start

# Wait for slapd to start.
sleep 1

###########################################################
# General configuration of the server.
###########################################################

# Create folder to store log files in
mkdir /var/log/slapd
chmod 755 /var/log/slapd/
chown ldap:ldap /var/log/slapd/

# Redirect all log files through rsyslog.
sed -i "/local4.*/d" /etc/rsyslog.conf
cat >> /etc/rsyslog.conf << EOF
local4.*                        /var/log/slapd/slapd.log
EOF
service rsyslog restart

# Do the configurations.
ldapadd -H ldap://ldap.syco.net -x -D "cn=admin,cn=config" -w secret << EOF

# Setup logfile (not working now, propably needing debug level settings.)
dn: cn=config
changetype:modify
replace: olcLogLevel
olcLogLevel: config stats shell
-
replace: olcIdleTimeout
olcIdleTimeout: 30

# Set access for the monitor db.
dn: olcDatabase={2}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="cn=Manager,dc=syco,dc=net" read  by * none

# Set password for cn=admin,cn=config
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}OjXYLr1oZ/LrHHTmjnPWYi1GjbgcYxSb

# Change LDAP-domain, password and access rights.
dn: olcDatabase={1}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=syco,dc=net
-
replace: olcRootDN
olcRootDN: cn=Manager,dc=syco,dc=net
-
replace: olcRootPW
olcRootPW: {SSHA}OjXYLr1oZ/LrHHTmjnPWYi1GjbgcYxSb
-
replace: olcAccess
olcAccess: {0}to attrs=employeeType by dn="cn=sssd,dc=syco,dc=net" read by self read by * none
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {2}to dn.base="" by * none
olcAccess: {3}to * by dn="cn=admin,cn=config" write by dn="cn=sssd,dc=syco,dc=net" read by self write by * none
EOF

##########################################################
# Configure sudo in ldap
#
# Users that should have sudo rights, are configured in
# in the ldap-db. The ldap sudo schema are not configured
# by default, and are here created.
#
# http://eatingsecurity.blogspot.com/2008/10/openldap-continued.html
# http://www.sudo.ws/sudo/man/1.8.2/sudoers.ldap.man.html
##########################################################

# Copy the sudo Schema into the LDAP schema repository
/bin/cp -f /usr/share/doc/sudo-1.7.2p2/schema.OpenLDAP /etc/openldap/schema/sudo.schema
restorecon /etc/openldap/schema/sudo.schema

# Create a conversion file for schema
mkdir ~/sudoWork
echo "include /etc/openldap/schema/sudo.schema" > ~/sudoWork/sudoSchema.conf

# Convert the "Schema" to "LDIF".
slapcat -f ~/sudoWork/sudoSchema.conf -F /tmp/ -n0 -s "cn={0}sudo,cn=schema,cn=config" > ~/sudoWork/sudo.ldif

# Remove invalid data.
sed -i "s/{0}sudo/sudo/g" ~/sudoWork/sudo.ldif

# Remove last 8 (invalid) lines.
head -n-8 ~/sudoWork/sudo.ldif > ~/sudoWork/sudo2.ldif

# Load the schema into the LDAP server
ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret -f ~/sudoWork/sudo2.ldif

# Add index to sudoers db
ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF
dn: olcDatabase={1}bdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: sudoUser    eq
EOF

###########################################################
# Create modules area
#
###########################################################
ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib64/openldap/
EOF

###########################################################
# Add auditlog overlay.
#
# http://www.manpagez.com/man/5/slapo-auditlog/
###########################################################
ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF
dn: cn=module{0},cn=config
changetype:modify
add: olcModuleLoad
olcModuleLoad: auditlog.la

dn: olcOverlay=auditlog,olcDatabase={1}bdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcAuditLogConfig
olcOverlay: auditlog
olcAuditlogFile: /var/log/slapd/auditlog.log
EOF

###########################################################
# Add accesslog overlay.
#
# http://www.manpagez.com/man/5/slapo-accesslog/
#
# TODO: Didn't get it working.
#
###########################################################
# ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF
# dn: cn=module,cn=config
# objectClass: olcModuleList
# cn: module
# olcModulePath: /usr/lib64/openldap/
# olcModuleLoad: access.la
#
#
# dn: olcOverlay=accesslog,olcDatabase={1}bdb,cn=config
# changetype: add
# olcOverlay: accesslog
# objectClass: olcOverlayConfig
# objectClass: olcAccessLogConfig
# logdb: cn=auditlog
# logops: writes reads
# # read log every 5 days and purge entries
# # when older than 30 days
# logpurge 180+00:00 5+00:00
# # optional - saves the previous contents of
# # person objectclass before performing a write operation
# logold: (objectclass=person)
# EOF

###########################################################
# Add pwdpolicy overlay
#
# http://www.zytrax.com/books/ldap/ch6/ppolicy.html
# http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&sektion=5&apropos=0&manpath=OpenLDAP+2.3-Release
# http://www.symas.com/blog/?page_id=66
###########################################################

ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF
dn: cn=module{0},cn=config
changetype:modify
add: olcModuleLoad
olcModuleLoad: ppolicy.la

dn: olcOverlay=ppolicy,olcDatabase={1}bdb,cn=config
olcOverlay: ppolicy
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcPPolicyHashCleartext: TRUE
olcPPolicyUseLockout: FALSE
olcPPolicyDefault: cn=default,ou=pwpolicies,dc=syco,dc=net
EOF

##########################################################
# Add users, groups, sudoers. Ie. the dc=syco,dc=net database.
##########################################################
ldapadd  -H ldap:/// -x -D "cn=Manager,dc=syco,dc=net" -w secret  -f /opt/syco/doc/ldap/manager.ldif

###########################################################
# Create certificates
###########################################################

# Create CA
echo "00" > /etc/openldap/cacerts/ca.srl
openssl req -new -x509 -sha512 -nodes -days 3650 -newkey rsa:4096\
    -out /etc/openldap/cacerts/ca.crt \
    -keyout /etc/openldap/cacerts/ca.key \
    -subj '/O=syco/OU=System Console Project/CN=systemconsole.github.com'

# Creating server cert
openssl req -new -sha512 -nodes -days 1095 -newkey rsa:4096 \
    -keyout /etc/openldap/cacerts/slapd.key \
    -out /etc/openldap/cacerts/slapd.csr \
    -subj '/O=syco/OU=System Console Project/CN=ldap.syco.net'
openssl x509 -req -sha512 -days 1095 \
    -in /etc/openldap/cacerts/slapd.csr \
    -out /etc/openldap/cacerts/slapd.crt \
    -CA /etc/openldap/cacerts/ca.crt \
    -CAkey /etc/openldap/cacerts/ca.key

#
# Customer create a CSR (Certificate Signing Request) file for client cert
#
openssl req -new -sha512 -nodes -days 1095 -newkey rsa:4096 \
    -keyout /etc/openldap/cacerts/client.key \
    -out /etc/openldap/cacerts/client.csr \
    -subj '/O=syco/OU=System Console Project/CN=client.syco.net'

#
# Create a signed client crt.
#
cat > /etc/openldap/cacerts/sign.conf << EOF
[ v3_req ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
EOF

openssl x509 -req -days 1095 \
    -sha512 \
    -extensions v3_req \
    -extfile /etc/openldap/cacerts/sign.conf \
    -CA /etc/openldap/cacerts/ca.crt \
    -CAkey /etc/openldap/cacerts/ca.key \
    -in /etc/openldap/cacerts/client.csr \
    -out /etc/openldap/cacerts/client.crt

# One file with both crt and key. Easier to manage the cert on client side.
cat /etc/openldap/cacerts/client.crt /etc/openldap/cacerts/client.key > \
    /etc/openldap/cacerts/client.pem

# Create hash and set permissions of cert
/usr/sbin/cacertdir_rehash /etc/openldap/cacerts
chown -Rf root:ldap /etc/openldap/cacerts
chmod -Rf 750 /etc/openldap/cacerts
restorecon -R /etc/openldap/cacerts

# View cert info
# openssl x509 -text -in /etc/openldap/cacerts/ca.crt
# openssl x509 -text -in /etc/openldap/cacerts/slapd.crt
# openssl x509 -text -in /etc/openldap/cacerts/client.pem
# openssl req -noout -text -in /etc/openldap/cacerts/client.csr

###########################################################
# Configure ssl
#
# Configure slapd to only be accessible over ssl,
# with client certificate.
#
# http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0
# http://www.openldap.org/faq/data/cache/185.html
###########################################################
ldapadd -H ldap:/// -x -D "cn=admin,cn=config" -w secret << EOF
dn: cn=config
changetype:modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/cacerts/slapd.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/cacerts/slapd.crt
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/cacerts/ca.crt
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH:MEDIUM:-SSLv2
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: demand
EOF

# Enable LDAPS and dispable LDAP
sed -i 's/[#]*SLAPD_LDAPS=.*/SLAPD_LDAPS=yes/g' /etc/sysconfig/ldap
sed -i 's/[#]*SLAPD_LDAP=.*/SLAPD_LDAP=no/g' /etc/sysconfig/ldap
service slapd restart

# Configure the client cert to be used by ldapsearch for user root.
sed -i '/^TLS_CERT.*\|^TLS_KEY.*/d' /root/ldaprc
cat >> /root/ldaprc  << EOF
TLS_CERT /etc/openldap/cacerts/client.pem
TLS_KEY /etc/openldap/cacerts/client.pem
EOF

###########################################################
# Require higher security from clients.
###########################################################
ldapadd -H ldaps://ldap.syco.net -x -D "cn=admin,cn=config" -w secret << EOF
dn: cn=config
changetype:modify
replace: olcLocalSSF
olcLocalSSF: 128
-
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain

dn: cn=config
changetype:modify
replace: olcSecurity
olcSecurity: ssf=128
olcSecurity: simple_bind=128
olcSecurity: tls=128
EOF

###########################################################
# Open firewall
#
# Let clients connect to the server through the firewall.
# This is done after everything else is done, so we are sure
# that the server is secure before letting somebody in.
# TODO: Add destination ip
###########################################################
iptables -I INPUT -m state --state NEW -p tcp -s 10.100.110.7/24 --dport 636 -j ACCEPT

And one that installs sssd on the client, and connects to the LDAP-server.

#!/bin/sh
###########################################################
# Install LDAP-client
#
# This part should be executed on both LDAP-Server and
# on all clients that should authenticate against the
# LDAP-server
#
# This script is based on information from at least the following links.
#   http://www.server-world.info/en/note?os=CentOS_6&p=ldap&f=2
#   http://docs.fedoraproject.org/en-US/Fedora/15/html/Deployment_Guide/chap-SSSD_User_Guide-Introduction.html
#
###########################################################

###########################################################
# Uninstall sssd
#
# Note: Only needed if sssd has been setup before.
#       might need --skip-broken when installing sssd.
###########################################################
#yum -y remove openldap-clients sssd
#rm -rf /var/lib/sss/

###########################################################
# Install relevant packages
###########################################################
# Install packages
yum -y install openldap-clients

# Pick one package from the Continuous Release
# Version 1.5.1 of sssd.
yum -y install sssd --skip-broken
yum -y install centos-release-cr
yum -y update sssd
yum -y remove centos-release-cr

###########################################################
# Get certificate from ldap server
#
# This is not needed to be done on the server.
###########################################################
if [ ! -f /etc/openldap/cacerts/client.pem ];
then
    scp root@10.100.110.7:/etc/openldap/cacerts/client.pem /etc/openldap/cacerts/client.pem
fi

if [ ! -f /etc/openldap/cacerts/ca.crt ];
then
    scp root@10.100.110.7:/etc/openldap/cacerts/ca.crt /etc/openldap/cacerts/ca.crt
fi

/usr/sbin/cacertdir_rehash /etc/openldap/cacerts
chown -Rf root:ldap /etc/openldap/cacerts
chmod -Rf 750 /etc/openldap/cacerts
restorecon -R /etc/openldap/cacerts

###########################################################
# Configure client authenticate against ldap.
###########################################################
# Setup iptables before configuring sssd, so it can connect to the server.
iptables -I OUTPUT -m state --state NEW -p tcp -d 10.100.110.7 --dport 636 -j ACCEPT

# Communication with the LDAP-server needs to be done with domain name, and not
# the ip. This ensures the dns-name is configured.
sed -i '/^10.100.110.7.*/d' /etc/hosts
cat >> /etc/hosts << EOF
10.100.110.7 ldap.syco.net
EOF

# Configure all relevant /etc files for sssd, ldap etc.
authconfig \
    --enablesssd --enablesssdauth --enablecachecreds \
    --enableldap --enableldaptls --enableldapauth \
    --ldapserver=ldaps://ldap.syco.net --ldapbasedn=dc=syco,dc=net \
    --disablenis --disablekrb5 \
    --enableshadow --enablemkhomedir --enablelocauthorize \
    --passalgo=sha512 \
    --updateall

# Configure the client cert to be used by ldapsearch for user root.
sed -i '/^TLS_CERT.*\|^TLS_KEY.*/d' /root/ldaprc
cat >> /root/ldaprc  << EOF
TLS_CERT /etc/openldap/cacerts/client.pem
TLS_KEY /etc/openldap/cacerts/client.pem
EOF

###########################################################
# Configure sssd
###########################################################

# If the authentication provider is offline, specifies for how long to allow
# cached log-ins (in days). This value is measured from the last successful
# online log-in. If not specified, defaults to 0 (no limit).
sed -i '/\[pam\]/a offline_credentials_expiration=5' /etc/sssd/sssd.conf

cat >> /etc/sssd/sssd.conf << EOF
# Enumeration means that the entire set of available users and groups on the
# remote source is cached on the local machine. When enumeration is disabled,
# users and groups are only cached as they are requested.
enumerate=true

# Configure client certificate auth.
ldap_tls_cert = /etc/openldap/cacerts/client.pem
ldap_tls_key = /etc/openldap/cacerts/client.pem
ldap_tls_reqcert = demand

# Only users with this employeeType are allowed to login to this computer.
access_provider = ldap
ldap_access_filter = (employeeType=Sysop)

# Login to ldap with a specified user.
ldap_default_bind_dn = cn=sssd,dc=syco,dc=net
ldap_default_authtok_type = password
ldap_default_authtok = secret
EOF

# Restart sssd
service sssd restart

# Start sssd after reboot.
chkconfig sssd on

###########################################################
# Configure the client to use sudo
###########################################################
sed -i '/^sudoers.*/d' /etc/nsswitch.conf
cat >> /etc/nsswitch.conf << EOF
sudoers: ldap files
EOF

sed -i '/^sudoers_base.*\|^binddn.*\|^bindpw.*\|^ssl on.*\|^tls_cert.*\|^tls_key.*\|sudoers_debug.*/d' /etc/ldap.conf
cat >> /etc/ldap.conf << EOF
# Configure sudo ldap.
uri ldaps://ldap.syco.net
base dc=syco,dc=net
sudoers_base ou=SUDOers,dc=syco,dc=net
binddn cn=sssd,dc=syco,dc=net
bindpw secret
ssl on
tls_cacertdir /etc/openldap/cacerts
tls_cert /etc/openldap/cacerts/client.pem
tls_key /etc/openldap/cacerts/client.pem
#sudoers_debug 5
EOF

Provided are also an LDIF files that needs to be placed in the same folder as the above scripts.

# Filename: manager.ldif
###########################################################
# NEW DATABASE
###########################################################
dn: dc=syco,dc=net
objectClass: top
objectclass: dcObject
objectclass: organization
o: System Console Project
dc: syco
description: Tree root

# Used by sssd to ask general queries.
dn: cn=sssd,dc=syco,dc=net
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: sssd
description: Account for sssd.
userPassword: {SSHA}OjXYLr1oZ/LrHHTmjnPWYi1GjbgcYxSb

###########################################################
# Add pwdpolicy overlay
# Need to be done before adding new users.
###########################################################
dn: ou=pwpolicies,dc=syco,dc=net
objectClass: organizationalUnit
objectClass: top
ou: policies

dn: cn=default,ou=pwpolicies,dc=syco,dc=net
cn: default
#objectClass: pwdPolicyChecker
objectClass: pwdPolicy
objectClass: person
objectClass: top
pwdAllowUserChange: TRUE
pwdAttribute: 2.5.4.35
#pwdCheckModule: crackcheck.so
#pwdCheckQuality: 2
pwdExpireWarning: 604800
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 0
pwdInHistory: 10
pwdLockout: TRUE
pwdLockoutDuration: 3600
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 3600
pwdMinLength: 12
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value
EOF

###########################################################
# GROUPS
###########################################################
dn: ou=group,dc=syco,dc=net
objectClass: top
objectclass: organizationalunit
ou: group

dn: cn=sycousers,ou=group,dc=syco,dc=net
cn: sycousers
objectClass: posixGroup
gidNumber: 2000
memberUid: user1
memberUid: user2
memberUid: user3

dn: cn=sysop,ou=group,dc=syco,dc=net
cn: sysop
objectClass: posixGroup
gidNumber: 2001
memberUid: user1
memberUid: user2

dn: cn=management,ou=group,dc=syco,dc=net
cn: management
objectClass: posixGroup
gidNumber: 2002
memberUid: user1

###########################################################
# USERS
###########################################################
dn: ou=people,dc=syco,dc=net
objectClass: top
objectclass: organizationalunit
ou: people

dn: uid=user1,ou=people,dc=syco,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user1
employeeType: Sysop
givenName: User1
surname: Syco
displayName: Syco User1
commonName: Syco User1
gecos: Syco User1
initials: SU
title: System Administrator (fratsecret)
userPassword: {CRYPT}frzelFSD.VhkI
loginShell: /bin/bash
uidNumber: 2001
gidNumber: 2000
homeDirectory: /home/user1
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: sycouser@syco.net
postalCode: 666666
mobile: +46 (0)73 xx xx xx xx
homePhone: +46 (0)8 xx xx xx xx
postalAddress:

dn: uid=user2,ou=people,dc=syco,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user2
employeeType: Sysop
givenName: User2
surname: Syco
displayName: Syco User2
commonName: Syco User2
gecos: Syco User2
initials: SU
title: System Administrator
userPassword: {CRYPT}frzelFSD.VhkI
loginShell: /bin/bash
uidNumber: 2002
gidNumber: 2000
homeDirectory: /home/user2
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: sycouser@syco.net
postalCode: 666666
mobile: +46 (0)73 xx xx xx xx
homePhone: +46 (0)8 xx xx xx xx
postalAddress:

dn: uid=user3,ou=people,dc=syco,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: user3
employeeType: Developer
givenName: User3
surname: Syco
displayName: Syco User3
commonName: Syco User3
gecos: Syco User3
initials: SU
title: System Administrator
userPassword: {CRYPT}frzelFSD.VhkI
loginShell: /bin/bash
uidNumber: 2003
gidNumber: 2000
homeDirectory: /home/user3
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: sycouser@syco.net
postalCode: 666666
mobile: +46 (0)73 xx xx xx xx
homePhone: +46 (0)8 xx xx xx xx
postalAddress:

###########################################################
# SUDOERS
###########################################################
dn: ou=SUDOers,dc=syco,dc=net
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=syco,dc=net
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOptions go here
sudoOption: requiretty
sudoOption: always_set_home
sudoOption: env_reset
sudoOption: env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
sudoOption: env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
sudoOption: env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
sudoOption: env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
sudoOption: env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
sudoOption: secure_path=/sbin:/bin:/usr/sbin:/usr/bin

dn: cn=root,ou=SUDOers,dc=syco,dc=net
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

# Allow all sysops to execute anything
dn: cn=%sysop,ou=SUDOers,dc=syco,dc=net
objectClass: top
objectClass: sudoRole
cn: %sysop
sudoUser: %sysop
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

You will need to understand and edit the scripts before they are executed on your server. Amongst other things you need to customized for you installation is the things related to "syco.net", users, groups and passwords.

Ldap – SSSD for LDAP user authentication only (just bind) on Ubuntu, local databases for uid and groups

The approach of using id_provider=proxy and auth_provider=ldap is absolutely correct. You're hitting bug https://fedorahosted.org/sssd/ticket/2620 that we only fixed in the 1.13 release. It was a really simple fix, ask Ubuntu to cherry-pick it from upstream.

Best Answer

Related Solutions

LDAP – Secure Configuration of LDAP on CentOS 6 for User Authentication

Ldap – SSSD for LDAP user authentication only (just bind) on Ubuntu, local databases for uid and groups

Related Topic