
I'm trying sssd for LDAP authentication, and while it can show user IDs with the id command, getent group and getent passwd do not show LDAP names, and while I can chown files to LDAP users, they show up in ls -lah as nobody.

A bit of digging and I found a hint: that this problem may occur when binding LDAP anonymously.

But when I set up sss, there was no option to supply a bind DN or password. I was also unable to locate the correct directive in the manual.

Where do I specify the Bind DN and password for sss+ldap? Does it go in /etc/sssd/sssd.conf? Or another file?

Nick

2 Answers


You have to create a [domain] section in /etc/sssd/sssd.conf.

You could trawl through

man sssd-ldap

But it's quite a behemoth! This should get you started. Not all directives here will be needed, depending on your environment.

[domain/default]
ldap_tls_reqcert = never
auth_provider = ldap
ldap_id_use_start_tls = False
chpass_provider = ldap
krb5_realm = EXAMPLE.COM
cache_credentials = True
debug_timestamps = True
ldap_default_authtok_type = password
ldap_search_base = dc=domain,dc=com,dc=br
debug_level = 3
id_provider = ldap
ldap_default_bind_dn = cn=Manager,dc=domain,dc=com,dc=br
min_id = 100
ldap_uri = ldap://<FQDN of LDAP Server>/
krb5_server = kerberos.example.com
ldap_default_authtok = xxxxxxxxxx
ldap_tls_cacertdir = /etc/openldap/cacerts
atvt
    Is it safe to use clear passwords in a flat file? I would imagine at least obfuscating them makes more sense. The sssd-tools package provides utilities to obfuscate clear passwords. Just a thought – Balaji Boggaram Ramanarayan Jan 18 '18 at 00:34
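An audit script for the [domain] settings shown in this answer, added here as an example and not part of either answer or of the sssd project: it reads a constructed copy of the config above and reports the settings a defender would want changed (clear bind password, file mode, ldap_tls_reqcert = never, plain ldap:// without StartTLS). The sample file, function names and FINDING wording are assumptions; the directive names and values are the ones from the sssd-ldap manual.

```shell
#!/bin/sh
# Constructed sample mirroring the answer's config; in practice point
# audit_sssd_conf at /etc/sssd/sssd.conf instead.
make_sample_conf() {
  cat > "$1" <<'EOF'
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com/
ldap_search_base = dc=example,dc=com
ldap_default_bind_dn = cn=Manager,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = xxxxxxxxxx
ldap_tls_reqcert = never
ldap_id_use_start_tls = False
EOF
  chmod 644 "$1"   # deliberately too permissive so the audit reports it
}

# conf_get FILE KEY: value of the first "KEY = value" line, trimmed (empty if absent).
conf_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# audit_sssd_conf FILE: print one "FINDING: ..." line per weak setting.
audit_sssd_conf() {
  f=$1
  # ldap_default_authtok_type accepts "password" or "obfuscated_password"; sss_obfuscate
  # (sssd-tools) rewrites the token. Obfuscation is not encryption, so the mode check below still matters.
  if [ -n "$(conf_get "$f" ldap_default_authtok)" ] && [ "$(conf_get "$f" ldap_default_authtok_type)" != "obfuscated_password" ]; then
    echo "FINDING: ldap_default_authtok is stored in the clear; run sss_obfuscate so the file holds ldap_default_authtok_type = obfuscated_password"
  fi
  # sssd expects sssd.conf to be root-owned with mode 0600.
  if [ -n "$(find "$f" \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \))" ]; then
    echo "FINDING: $f is readable or writable by group/other; sssd expects mode 0600"
  fi
  if [ "$(conf_get "$f" ldap_tls_reqcert)" = "never" ]; then
    echo "FINDING: ldap_tls_reqcert = never disables server certificate checking; use demand with ldap_tls_cacert or ldap_tls_cacertdir"
  fi
  uri=$(conf_get "$f" ldap_uri)
  tls=$(conf_get "$f" ldap_id_use_start_tls | tr 'A-Z' 'a-z')
  case "$uri" in
    ldap://*) [ "$tls" = "true" ] || echo "FINDING: ldap:// without ldap_id_use_start_tls = True sends the bind password in the clear; enable StartTLS or use ldaps://" ;;
  esac
}
```

Run it as `audit_sssd_conf /etc/sssd/sssd.conf` after editing; an empty output means none of the four checks fired.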

You can configure SSSD using the following command:

authconfig --enablesssd \
--enablesssdauth \
--enablelocauthorize \
--enableldap \
--enableldapauth \
--ldapserver=ldap://ipaserver.example.com:389 \
--disableldaptls \
--ldapbasedn=dc=example,dc=com \
--enablerfc2307bis \
--enablemkhomedir \
--enablecachecreds \
--update

Replace the ldapserver name with your LDAP server name and the basedn with your base DN.

After this, in the /etc/sssd/sssd.conf file, specify ldap_default_bind_dn and ldap_default_authtok as the default bind DN and password respectively; the values depend on your LDAP setup.

Abhijeet Kasurde