Ben's notes

This works for Centos 6 and 7!

• Install the requisite packages:

  # yum install sssd openldap-clients

• Export the CA certificate, on provider or CA server:

  # certutil -L -d /etc/openldap/certs -n "LDAP-CA" -a > /tmp/ca.crt

• Download the CA root certificate (ca.crt):

  # scp ldap.master.server:/tmp/ca.crt /etc/openldap/cacerts/

• Rehash the certificate directory:

  # cacertdir_rehash /etc/openldap/cacerts/

• Configure authentication:

  # authconfig \
  --disablesmartcard \
  --disablefingerprint \
  --enablesssd \
  --enablesssdauth \
  --enablelocauthorize \
  --disablemd5 \
  --passalgo=sha512 \
  --enablepamaccess \
  --enableldap \
  --enableldapauth \
  --disableldaptls \
  --ldapserver=ldaps://ldap.yourdomain.tld:636 \
  --ldapbasedn=dc=domain,dc=tld \
  --enablemkhomedir \
  --disablecachecreds \
  --disablekrb5 \
  --disablekrb5kdcdns \
  --disablekrb5realmdns \
  --krb5kdc=" #" \
  --updateall

• If you have disabled anonymous bind, you'll need to configure a bind user. Edit /etc/sssd/sssd.conf:

  # vim /etc/sssd/sssd.conf
  
  [domain/<domain name like 'default' or 'LDAP']
  ...
  ldap_default_bind_dn = cn=...,ou=...
  ldap_default_authtok_type = password # obfuscated_password: obfuscating the password provides no real security benefit
  ldap_default_authtok = <your bind dn password>
  ...

• Configure the PAM access module.

• Disable root access.
• Configure AllowGroups.

• Restart sssd, log in and test the connection.

  # systemctl enable sssd
  # systemctl start sssd
   Check if symlink has been created in: /etc/openldap/cacerts
  
  
  # ldapwhoami -H ldaps://<FQDN> -x -D "cn=Manager,dc=<domain>,dc=<tld>" -W
  
  # ldapsearch -H ldaps://<FQDN> -x -D "cn=Manager,dc=<domain>,dc=<tld>" -W
  
    
  # getent -s sss passwd <username>
  # getent -s sss group <groupname>
  # id -a <username>

• You can clear the cache (except sudo rules) with:

  sss_cache -E

• If that didn't work, delete the contents of directory /var/lib/sss/db and restart sssd.