As a central source of user information, the EmpowerID Virtual Directory Server (VDS) can be leveraged as an authentication or identity provider for Linux servers. By making a few configuration changes, organizations can give users single sign-on capabilities to one or more Linux machines without requiring those users to have accounts on those machines. In this way, organizations simplify the management of Linux users, because the need to create and maintain accounts across multiple systems is eliminated. With the EmpowerID VDS, this information can be fully managed from one location—the EmpowerID Identity Warehouse.
Configuring LDAP authentication for Linux involves making a few configuration changes on each Linux machine for which you want to enable the feature. These changes include the following:
# Debian/Ubuntu: install the SSSD daemon plus its helper tools (e.g. sss_obfuscate, used below)
sudo apt-get install sssd sssd-tools
# RHEL/CentOS: the same two packages via yum
sudo yum install sssd sssd-tools
# Debian/Ubuntu (compat-style nsswitch): append "sss" to each database shown
sudo vi /etc/nsswitch.conf
# Keep the local source ("compat") first so root and other local accounts still
# resolve when the directory server is unreachable; "sss" is consulted after it.
passwd: compat sss
group: compat sss
shadow: compat sss
# ... other databases in the file are left unchanged
...
services: db files sss
# RHEL/CentOS (files-style nsswitch): append "sss" to each database shown
sudo vi /etc/nsswitch.conf
# Keep "files" first so local accounts resolve even if the directory is down;
# "sss" is only consulted for names the local files do not contain.
passwd: files sss
group: files sss
shadow: files sss
# ... other databases in the file are left unchanged
...
services: files sss
# ... remainder of the file unchanged
...
# Debian/Ubuntu: client-library defaults used by libldap (sssd, ldapsearch, ...)
sudo vi /etc/ldap/ldap.conf
# CA bundle used to verify the directory server's certificate on ldaps://.
# Leave TLS_REQCERT at its default (demand) so a certificate that does not chain
# to this bundle is rejected rather than silently accepted.
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
# Replace serverFQDN:port with the VDS host name (it must match the server
# certificate) and its LDAPS port; plain ldap:// would send credentials in clear.
URI ldaps://serverFQDN:port/
# Default search base for queries that do not specify one
BASE o=empowerid
# RHEL/CentOS: same settings, different file location
sudo vi /etc/openldap/ldap.conf
# CA bundle used to verify the directory server's certificate on ldaps://.
# NOTE(review): on RHEL the system bundle is usually /etc/pki/tls/certs/ca-bundle.crt —
# verify that the path below exists on your system before relying on it.
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
# Replace serverFQDN:port with the VDS host name (must match its certificate) and LDAPS port
URI ldaps://serverFQDN:port/
# Default search base for queries that do not specify one
BASE o=empowerid
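# Debian/Ubuntu: make SSSD take part in account-validity checks
sudo vi /etc/pam.d/common-account
# Add the following to the end of the file
# Control tokens: default=bad fails the stack on any other pam_sss result,
# success=ok lets the stack continue, user_unknown=ignore skips SSSD for purely
# local users. (The original line had "default-bad" and "user_unknow", which PAM
# does not recognise; this matches the RHEL account line later on this page.)
account [default=bad success=ok user_unknown=ignore] pam_sss.so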
# Debian/Ubuntu: let SSSD authenticate directory users
sudo vi /etc/pam.d/common-auth
# Add the following after pam_unix
# use_first_pass reuses the password pam_unix already collected (no second prompt).
# success=1 jumps over the next line of the stack when SSSD succeeds — check what
# that line is in your file; default=ignore means an SSSD failure does not by
# itself decide the outcome.
auth [success=1 default=ignore] pam_sss.so use_first_pass
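# Debian/Ubuntu: the two lines below are "session" entries, so they belong in
# common-session (the original pointed at common-password, which holds only
# "password" entries and would not act on them).
sudo vi /etc/pam.d/common-session
# Add the following to the beginning of the Session section
# Creates the home directory on first login. umask=0022 yields a 0755
# (world-readable) home directory; use umask=0077 if homes should be private.
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/
# Add the following after pam_unix.so
session optional pam_sss.so
# NOTE(review): sssd.conf below sets chpass_provider = ldap; for password changes
# to reach the directory, common-password also needs a pam_sss.so "password" line
# (compare the RHEL system-auth-ac example on this page) — verify on your system.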
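# Back up the RHEL PAM stacks before editing them. Writing under /etc/pam.d needs
# root, so run through sudo like every other step on this page.
sudo cp /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-ac.orig && sudo cp /etc/pam.d/password-auth-ac /etc/pam.d/password-auth-ac.orig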
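# RHEL/CentOS: edit the authconfig-managed stack (system-auth normally symlinks to it)
sudo vi /etc/pam.d/system-auth-ac
# In the auth section, after pam_succeed_if add the following:
# forward_pass puts the entered password on the stack for later modules to reuse
auth sufficient pam_sss.so forward_pass
# In the account section, after pam_succeed_if add the following:
# default=bad fails on any other result, user_unknown=ignore skips SSSD for local users
account [default=bad success=ok user_unknown=ignore] pam_sss.so
# In the password section, after pam_unix add the following:
# use_authtok takes the new password already checked by the preceding modules
password sufficient pam_sss.so use_authtok
# At the beginning of the session section, ensure the following is present:
# umask=0022 creates 0755 (world-readable) home directories; use 0077 for private homes
session required pam_mkhomedir.so umask=0022 skel=/etc/skel/
# In the session section, after pam_unix add the following:
session optional pam_sss.so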
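# Make the password-auth stack (used by network logins such as sshd) identical to
# system-auth; needs root, hence sudo like the other steps.
sudo cp -f /etc/pam.d/system-auth-ac /etc/pam.d/password-auth-ac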
# Create or edit the SSSD configuration (contents follow below)
sudo vi /etc/sssd/sssd.conf
# sssd will not start if this file is group- or world-readable, and it may hold
# the directory bind password, so restrict it to root before starting the service.
sudo chmod 0600 /etc/sssd/sssd.conf
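# /etc/sssd/sssd.conf — read by sssd; keep it root-owned and mode 0600 (see chmod above)
[sssd]
config_file_version = 2
services = nss, pam
domains = EmpowerID

[nss]

[pam]

[domain/EmpowerID]
# Debug and Enumeration should only be on for testing/troubleshooting.
# enumerate = True makes sssd pull the whole user/group database and is expensive
# on large directories; set debug_level = 0 and enumerate = False (or drop both
# lines) before production use.
debug_level = 4
enumerate = True
case_sensitive = False
auth_provider = ldap
id_provider = ldap
chpass_provider = ldap
# Set access_provider to simple to allow everyone. With no simple_allow_users /
# simple_allow_groups rules, any account the directory returns may log in here;
# add such rules, or use the ldap provider with ldap_access_filter below, to restrict it.
# Alternately, use ldap and set ldap_access_filter below
# access_provider = ldap
access_provider = simple
# Set LDAP servers here (ldaps:// only; replace serverFQDN:port with the VDS host and port)
ldap_uri = ldaps://serverFQDN:port
# Reject server certificates that do not validate against the CA bundle from ldap.conf.
# "demand" is already the default; it is spelled out so nobody relaxes it by accident.
ldap_tls_reqcert = demand
# Set the search bases
ldap_search_base = o=empowerid
ldap_user_search_base = cn=people,o=empowerid
# bind credentials
# Run sss_obfuscate to make the password less readable; it rewrites ldap_default_authtok
# and sets ldap_default_authtok_type = obfuscated_password for you. Obfuscation is
# reversible, not encryption — the 0600 file mode is the real protection for this secret.
#ldap_default_bind_dn = cn=proxyuser,ou=Service Accounts,o=empowerid
#ldap_default_authtok = p@$$word
#ldap_default_authtok_type = password
# Set any attribute mappings needed here
ldap_user_object_class = eidPerson
ldap_user_name = uid
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_fullname = gecos
ldap_user_home_directory = homeDirectory
ldap_group_object_class = eidGroup
ldap_group_name = cn
# If access_provider = ldap above, set the filter here to allow access
# EXAMPLE: Allow users in server1 allow group
# ldap_access_filter = memberof=cn=server1 allow,ou=server access,o=empowerid
# Only allow Linus Torvalds or Stallman access to this server
# ldap_access_filter = (|(uid=ltorvalds)(uid=rms))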
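# Puts SELinux into permissive mode system-wide until the next reboot. This is a
# troubleshooting step only: it removes SELinux confinement from every service on
# the host, not just sssd. Re-enable with "sudo setenforce 1" once sssd works; sssd
# ships with an SELinux policy, so enforcing mode should not normally need to be
# disabled — if logins fail only while enforcing, look up the denial in the audit log.
sudo setenforce 0
# Start the service on SysV-init systems
sudo service sssd start
# Start the service on systemd systems (use "enable" as well if it should start at boot)
sudo systemctl start sssd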