Authentication using sssd
The sssd authentication in Ubuntu works pretty decently. You can use it basically with any directory-style backend, including OpenLDAP, Kerberos, RedHat's FreeIPA and Microsoft's Active Directory.
The good part about sssd is that it can be used to log into multiple directory services, so if you have some users in one directory and the rest in a different place, this works pretty decently in sssd.
You can use it for single-server deployments with plain LDAP, on servers or workstations (where you could just as well go with pam-ldap and nss-ldap), but also, and especially, for more sophisticated setups.
Packages
What you basically need to install is sssd, libpam-sss and libnss-sss. sssd automatically modifies the PAM files with pam-auth-update and /etc/nsswitch.conf, so all that's left is to configure /etc/sssd/sssd.conf. You do not need any other NSS or PAM backend, you don't even need pam-mkhomedir, as sssd can do that too.
Configuration
Below you can find an example configuration of /etc/sssd/sssd.conf for Microsoft Active Directory with the RFC2307bis scheme (Windows 2003 R2 and newer). Note that you need to unix-enable the user accounts in AD for this one. Also, the ldaps protocol requires you to add the SSL certificates to the trusted SSL store. Make sure that the userPrincipalName is set correctly (it should be samaccountname@domainname, e.g. myusername@europe.example.com, NOT email-style like myusername@example.com nor name.surename@example.com).
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = europe.example.com,asia.example.com

[domain/europe.example.com]
enumerate = false
cache_credentials = true
id_provider = ldap
#added, not sure about this one.
access_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldaps://dc1.europe.example.com,ldaps://dc2.europe.example.com
ldap_search_base = dc=europe,dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
krb5_realm = EUROPE.EXAMPLE.COM
dns_discovery_domain = EUROPE.EXAMPLE.COM
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_fullname = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_default_bind_dn = cn=europe-ldap-reader,cn=Users,dc=europe,dc=example,dc=com
ldap_default_authtok = secret
ldap_user_search_base = dc=europe,dc=example,dc=com
ldap_group_search_base = dc=europe,dc=example,dc=com

[domain/asia.example.com]
enumerate = false
cache_credentials = true
id_provider = ldap
#added, not sure about this one.
access_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldaps://dc1.asia.example.com,ldaps://dc2.asia.example.com
ldap_search_base = dc=asia,dc=example,dc=com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
krb5_realm = ASIA.EXAMPLE.COM
dns_discovery_domain = ASIA.EXAMPLE.COM
ldap_schema = rfc2307bis
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_user_object_class = user
ldap_user_name = sAMAccountName
ldap_user_fullname = displayName
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_default_bind_dn = cn=asia-ldap-reader,cn=Users,dc=asia,dc=example,dc=com
ldap_default_authtok = secret
ldap_user_search_base = dc=asia,dc=example,dc=com
ldap_group_search_base = dc=asia,dc=example,dc=com
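The settings above that actually protect the directory traffic are the ldaps:// URIs, ldap_tls_reqcert = demand and ldap_tls_cacert; ldap_default_authtok is a plaintext bind password, which is why sssd insists on /etc/sssd/sssd.conf being readable only by its owner (mode 0600) and will not start otherwise. The following audit script is an added example, not part of the wiki page or of sssd itself: it parses an sssd.conf with Python's configparser and reports, per configured domain, which of those settings are missing or weaker than the page's example, and also checks the userPrincipalName rule from the paragraph above. The second domain in the constructed sample is deliberately weakened so the checks have something to report.

```python
import configparser

# Constructed sample: the page's europe domain, plus an asia domain that
# uses plain ldap:// and disables certificate checking (deliberately weak).
SAMPLE_CONF = """
[sssd]
config_file_version = 2
domains = europe.example.com,asia.example.com
[domain/europe.example.com]
ldap_uri = ldaps://dc1.europe.example.com,ldaps://dc2.europe.example.com
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_default_bind_dn = cn=europe-ldap-reader,cn=Users,dc=europe,dc=example,dc=com
ldap_default_authtok = secret
[domain/asia.example.com]
ldap_uri = ldap://dc1.asia.example.com
ldap_tls_reqcert = never
"""


def audit_sssd_conf(text):
    """Return {domain: [findings]} for every domain listed in [sssd] domains."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' is literal here
    cp.read_string(text)
    findings = {}
    for dom in cp.get("sssd", "domains").split(","):
        dom = dom.strip()
        sect = "domain/" + dom
        if not cp.has_section(sect):
            findings[dom] = ["listed in [sssd] but no [%s] section" % sect]
            continue
        d, issues = cp[sect], []
        uris = [u.strip() for u in d.get("ldap_uri", "").split(",") if u.strip()]
        if not uris or any(not u.startswith("ldaps://") for u in uris):
            issues.append("ldap_uri is not ldaps:// for every server")
        # sssd's default for ldap_tls_reqcert is 'hard'; 'demand' is equivalent.
        if d.get("ldap_tls_reqcert", "hard").lower() not in ("demand", "hard"):
            issues.append("ldap_tls_reqcert must be demand")
        if "ldap_tls_cacert" not in d:
            issues.append("ldap_tls_cacert not set; server certificate cannot be verified")
        if "ldap_default_authtok" in d:
            issues.append("plaintext bind password present; file must be root:root 0600")
        findings[dom] = issues
    return findings


def upn_is_valid(sam_account_name, upn, ad_domain):
    """Page rule: userPrincipalName is sAMAccountName@<AD domain>, not an e-mail address."""
    return upn.lower() == "%s@%s" % (sam_account_name.lower(), ad_domain.lower())
```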
Enterprise/Authentication/sssd (last edited 2023-01-16 12:35:50 by ahasenack)