Integration with SSSD
First, a tip: make sure that nscd is not installed, or you will be pulling your hair out for quite a while.
This approach works better if you are forwarding to an AD server, FreeIPA, or other domain-based auth environments.
Create /etc/sssd/conf.d/auth-something.conf. Note that group enforcement takes place in this same file:
[sssd]
config_file_version = 2
services = nss, pam, ssh
domains = MYDOMAIN

[nss]

[pam]

[domain/MYDOMAIN]
#cache_credentials = True
enumerate = False
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_uri = {auth_uri}
ldap_search_base = dc=glauth,dc=com
ldap_default_bind_dn = cn=serviceuser,ou=service,dc=glauth,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = {your root user password}
ldap_use_tokengroups = False
ldap_tls_cacert = /etc/ssl/certs/auth-yourcert.crt
sudo_provider = none
ldap_group_member = member
ldap_schema = rfc2307bis
ldap_access_order = filter
ldap_access_filter = (memberOf=ou=service,dc=glauth,dc=com)
In /etc/ldap/ldap.conf, remove this line:
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
and replace it with:
TLS_CACERT /etc/ssl/certs/auth-yourcert.crt
Same as above, create a home directory on demand. In /etc/pam.d/common-session:
session required pam_mkhomedir.so umask=0077
Do not forget to install, start and enable the sssd service. Done.
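Before restarting sssd, it is worth checking that the domain section really enforces the group filter, talks to GLAuth over TLS, and no longer contains placeholders. The audit below is an added example, not GLAuth's or SSSD's own code; the sample section is constructed from the file above, and the hostname auth.glauth.com is assumed.

```python
import configparser
import os
import stat

# Constructed sample: the [domain/MYDOMAIN] section from the file above, with an
# assumed ldaps:// URI; the bind password placeholder is left in on purpose.
SAMPLE_CONF = """\
[domain/MYDOMAIN]
enumerate = False
access_provider = ldap
ldap_uri = ldaps://auth.glauth.com
ldap_default_bind_dn = cn=serviceuser,ou=service,dc=glauth,dc=com
ldap_default_authtok = {your root user password}
ldap_tls_cacert = /etc/ssl/certs/auth-yourcert.crt
ldap_access_order = filter
ldap_access_filter = (memberOf=ou=service,dc=glauth,dc=com)
"""

def parse_sssd_conf(text):
    """sssd.conf is INI-style; disable interpolation so '%' in filters survives."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def audit_domain(cp, domain):
    """Return findings for [domain/<domain>]; an empty list means it looks sane."""
    d = cp["domain/" + domain]
    findings = []
    # Group enforcement lives here: without the filter every LDAP account logs in.
    if d.get("access_provider") != "ldap":
        findings.append("access_provider is not ldap: filter never evaluated")
    order = [o.strip() for o in d.get("ldap_access_order", "").split(",")]
    if "filter" not in order or not d.get("ldap_access_filter"):
        findings.append("ldap_access_filter missing: access not restricted")
    # Transport: the bind DN password must not cross the wire in clear text.
    if not d.get("ldap_uri", "").startswith("ldaps://") \
            and not d.getboolean("ldap_id_use_start_tls", fallback=False):
        findings.append("ldap_uri is not ldaps:// and StartTLS is off")
    if not d.get("ldap_tls_cacert"):
        findings.append("ldap_tls_cacert unset: server certificate not pinned")
    # A placeholder left in the file means every bind fails, quietly.
    tok = d.get("ldap_default_authtok", "")
    if not tok or tok.startswith("{"):
        findings.append("ldap_default_authtok still a placeholder")
    return findings

def conf_file_private(path):
    """The file holds the bind password; sssd itself insists on root:root 0600."""
    st = os.stat(path)
    return st.st_uid == 0 and stat.S_IMODE(st.st_mode) == 0o600
```

Run audit_domain on the parsed conf.d file and conf_file_private on its path; fix every finding before enabling the service.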